ORLANDO -- Microsoft will make cybersecurity training mandatory for all its employees and plans to release its internal training tools in a version that customers can use themselves, perhaps within a year.
The disclosure was made during a session led by Ken Sexsmith, director of security training and awareness at Microsoft, at the Ignite conference this week.
Microsoft has invested about $3 billion in security research and development during the past couple of years, and has about 4,000 employees dedicated to security, Sexsmith said.
However, "all of us are accountable for security," he added. "Our employees have to be accountable for the actions they are taking, whether they're developing a new service, an app or infrastructure, they've got to know that they're accountable. It's got to be part of their job."
Microsoft employees are given blue badges that allow them entry to company buildings. The problem is when a worker treats the badge as a shield that says security is someone else's job, said Sexsmith, who also serves as chief of staff to Microsoft's chief information security officer, Bret Arsenault. "We're trying to change the hearts and minds."
The company tries to stress that cybersecurity affects not only workers' jobs but also their personal lives. "Take phishing for example," he said. "Phishing just continues to evolve. We're not getting phishing emails with bad grammar and spelling, or blurred logos from your company. They're more sophisticated. We have a big job ahead of us, and that's where my team comes in."
Although Microsoft's security training was optional last year, 89,000 of the company's employees took it, he said. Starting in January, the cybersecurity training will become mandatory.
Microsoft cybersecurity training effort follows internal breaches
While the training program is geared toward raising employee awareness of common hacking ploys from attackers and thieves, Microsoft has experienced some high-profile breaches in recent years, including one in 2013 that targeted its internal bug-tracking system.
Earlier this year, a U.K. security researcher avoided jail time after he pled guilty to hacking Microsoft and Nintendo servers. The researcher, Zammis Clark, gained access via an internal user name and password, according to published reports.
User identity is the new security perimeter, Arsenault said in a separate session at Ignite: "Hackers don't break in, they log in."
Beyond the expected components like instructional videos and tests, a crucial aspect of Microsoft's security training strategy is learning reinforcement. That's because humans can forget up to 50% of the new information they hear within an hour, and 70% within 24 hours, Sexsmith said.
Microsoft uses an AI-powered tool developed by Elephants Don't Forget, which is based in London.
"On a given day, following a training you take, we will send you an email that says, 'Hey, you came to training and we want you to answer a couple questions about the content,'" Sexsmith said. If the recipient answers incorrectly, the tool explains the mistake and what the correct answer is.
"As you continue to master your skills … it starts to taper off," he added. "While you're learning, the system is learning as well."
Microsoft is working to make its internal cybersecurity training programs available for use by customers in their own organizations. It could be available within the next year, although details have to be worked out with product development and go-to-market teams. "The point is, we see the value of it, and not every company has the luxury of being able to do what we're doing," Sexsmith said.