
Current Security Challenges for Businesses

Understanding the threats you defend against

The global events from the start of 2020 have brought unprecedented change to the physical and digital worlds. Cybercrime, however, is a constant. Cybercriminals continue—and sometimes escalate—their activity in times of crisis. Change brings opportunity, for both attackers and defenders. Defending against cybercriminals is a complex, ever-evolving, and never-ending challenge. For security professionals to create successful defence strategies, they need more diverse and timelier insights into the threats they are defending against. 

Cybercrime follows the contemporary issues of the day

The state of cybercrime

The threat environment we face continues to evolve. Cybercriminals are creative, well-resourced, well-organized, and innovative. They move quickly to discover new threat vectors, use new exploits, and respond to new defences. Attackers are opportunistic and will even switch lure themes daily in accordance with news cycles, as seen in cybercriminals’ use of the global COVID-19 pandemic to broadly target consumers, as well as to specifically target hospitals and healthcare providers.


  • Credential phishing
  • Business email compromise
  • Combination of BEC & credential phishing
  • Ransomware
  • Malware

Credential phishing

The cybercriminal poses as a well-known service in the email template (typically Microsoft or another established enterprise SaaS service) and lures the user into clicking a link that, through a series of redirects, lands on a fake login page. Once a credential is compromised, it can be used to launch further kill chains: to build persistence inside the organization through cloud-only APIs and systems, and to move laterally to steal data or money, or otherwise breach the organization.



Business email compromise

Business email compromise is a type of phishing that specifically targets businesses. It’s characterized by techniques used to pose as someone who the victims will likely take notice of, such as the company CEO, CFO, or the accounts receivable clerk. BEC can also involve a business-to-business transaction. For example, the cybercriminal might fraudulently access a company’s system and then pose as that company to fraudulently request payment from another company.

Combination of BEC & credential phishing

We’re also seeing new attack kill chains that combine the two forms into a more sophisticated sequence. Such an attack can start with credential phishing. Once an account is compromised, the cybercriminal sets up mailbox “forwarding” rules to monitor for financial transactions. Often these forwarding rules include keywords such as “invoice,” “accounts receivable,” “funds,” “overdue,” “payroll,” or “IBAN” and send all matching email to a collection mailbox controlled and monitored by the cybercriminal. The cybercriminal then inserts an impersonation email in the middle of an existing conversation to misdirect a payment or steal information. While credential phishing and BEC continue to be the dominant variations, we also see attacks on a user’s identity and credentials attempted via password reuse and password spray against legacy email protocols such as IMAP and SMTP, which do not support multi-factor authentication.
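The forwarding-rule stage of this kill chain leaves an audit trail: every New-InboxRule or Set-InboxRule operation is recorded with its parameters. The script below is an added example, not code from the report; it triages constructed audit records whose shape is modelled on Exchange Online inbox-rule audit events (an Operation, the acting UserId and ClientIP, and a Parameters list of Name/Value pairs) and flags rules that filter on the financial keywords named above, forward or redirect mail outside the tenant, or hide the matched mail from the victim. The sample records, the tenant domain contoso.example and the severity scoring are assumptions made for the example.

```python
"""Triage inbox-rule audit records for BEC-style forwarding rules.

Added example. The records below are constructed, with fields modelled on
Exchange Online New-InboxRule / Set-InboxRule audit events. The tenant
domain and the scoring thresholds are assumptions for this example.
"""
import json
import re

# Keywords the report associates with attacker-created rules hunting for financial mail.
FINANCIAL_KEYWORDS = ("invoice", "accounts receivable", "funds", "overdue", "payroll", "iban")
# Rule parameters that send mail elsewhere, that hide it, or that filter on content.
EXFIL_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
HIDE_PARAMS = ("DeleteMessage", "MarkAsRead")
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "SubjectOrBodyContainsWords")
INTERNAL_DOMAINS = {"contoso.example"}  # assumption: the tenant's own accepted domains

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")

SAMPLE_LOG = [  # constructed audit records
    # Attacker-style rule: financial keywords, forwarded externally, hidden from the user.
    {"Operation": "New-InboxRule", "UserId": "cfo@contoso.example", "ClientIP": "203.0.113.7",
     "Parameters": [
         {"Name": "Name", "Value": "."},
         {"Name": "SubjectOrBodyContainsWords", "Value": "invoice;payroll;IBAN"},
         {"Name": "ForwardTo", "Value": "Archive [SMTP:collector@mail.example]"},
         {"Name": "MarkAsRead", "Value": "True"},
         {"Name": "DeleteMessage", "Value": "True"}]},
    # Benign rule: internal forward to a shared mailbox, no financial filter.
    {"Operation": "New-InboxRule", "UserId": "alice@contoso.example", "ClientIP": "198.51.100.20",
     "Parameters": [
         {"Name": "Name", "Value": "Team updates"},
         {"Name": "SubjectContainsWords", "Value": "standup"},
         {"Name": "ForwardTo", "Value": "team-updates@contoso.example"}]},
    # Borderline: keyword filter, but the mail only moves to a folder.
    {"Operation": "Set-InboxRule", "UserId": "bob@contoso.example", "ClientIP": "198.51.100.21",
     "Parameters": [
         {"Name": "Identity", "Value": "Invoices"},
         {"Name": "SubjectContainsWords", "Value": "invoice"},
         {"Name": "MoveToFolder", "Value": "Finance"}]},
]

SEVERITY_ORDER = ("none", "low", "medium", "high")


def parameters(record):
    """Collapse the record's Name/Value list into a dict."""
    return {p["Name"]: p["Value"] for p in record.get("Parameters", [])}


def external_addresses(value, internal_domains=INTERNAL_DOMAINS):
    """Recipients in a forward/redirect value whose domain is not one of ours."""
    return [a for a in EMAIL_RE.findall(value)
            if a.rsplit("@", 1)[1].lower() not in internal_domains]


def analyse_rule(record):
    """Score one inbox-rule audit record and list the findings that fired."""
    params = parameters(record)
    findings = []

    # Keyword filters: rule parameters are ';'-separated word lists.
    words = [w.strip().lower()
             for name in FILTER_PARAMS if name in params
             for w in params[name].split(";") if w.strip()]
    hits = sorted({w for w in words if any(k in w for k in FINANCIAL_KEYWORDS)})
    if hits:
        findings.append("financial_keywords:" + ",".join(hits))

    # Mail leaving the tenant is the strongest signal of a collection mailbox.
    for name in EXFIL_PARAMS:
        if name in params:
            ext = external_addresses(params[name])
            if ext:
                findings.append(f"external_{name}:" + ",".join(ext))

    # Marking as read or deleting keeps the victim from noticing the traffic.
    for name in HIDE_PARAMS:
        if params.get(name, "").lower().lstrip("$") == "true":
            findings.append("hides_mail:" + name)

    score = (1 if any(f.startswith("financial") for f in findings) else 0) \
        + (2 if any(f.startswith("external") for f in findings) else 0) \
        + (1 if any(f.startswith("hides") for f in findings) else 0)
    severity = "high" if score >= 3 else "medium" if score == 2 else "low" if score else "none"
    return {"user": record["UserId"], "client_ip": record["ClientIP"],
            "operation": record["Operation"], "severity": severity, "findings": findings}


def triage(records, min_severity="medium"):
    """Return analysed records at or above min_severity, for an analyst queue."""
    floor = SEVERITY_ORDER.index(min_severity)
    return [r for r in map(analyse_rule, records)
            if SEVERITY_ORDER.index(r["severity"]) >= floor]


if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(json.dumps(hit))
```

Run against a real export, the same logic applies once the Parameters list is loaded from the audit JSON; the rule name "." in the first record is a common attacker choice because it is easy to overlook in the Outlook rules dialog, and the ClientIP is kept in the output so the analyst can pivot to the sign-in that created the rule.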


Historically, cyberattacks were seen as a sophisticated set of actions targeting particular industries, which left the remaining industries believing they were outside the scope of cybercrime, and without context about which cybersecurity threats they should prepare for. Ransomware represents a major shift in this threat landscape, and it’s made cyberattacks a very real and omnipresent danger for everyone. Encrypted and lost files and threatening ransom notes have now become the top-of-mind fear for most executive teams.


For busy security operations centres, keeping up with the volume of alerts and data coming in from various security tools and monitoring platforms can be difficult. This so-called alert fatigue is a huge factor in organizations not being able to respond quickly and accurately enough to security incidents—a factor cybercriminals are acutely aware of.



Nation state threats

Microsoft tracks nation state activities to protect our platforms, our services, and our customers. We use a variety of metrics and sophisticated data integration techniques to better understand targeting, motivations, and customer impact. The Microsoft Threat Intelligence Center (MSTIC) focuses on nation state activities because these tactics, techniques, and procedures are often unique and novel, prompting downstream actors such as cybercriminals and smaller nation states to eventually copy their methods.

When a customer (organization or individual account holder) is targeted or compromised by nation state activities that Microsoft tracks, we deliver a nation state notification (NSN) to the customer. Over the past two years, Microsoft has delivered over 13,000 NSNs. The highest percentage of NSNs represented activity originating in Russia, followed by Iran, China, North Korea, and other countries.


Top 5 targeted geographic regions based on NSNs (July 2019–June 2020)

Security and remote workforce concerns

Security decision makers in the United States perceive their most common remote workforce challenge as remote workers making choices that reduce security. Securing personal devices for remote work and the increase in phishing campaigns and identity fraud are also concerns.

Impact of the COVID-19 pandemic on Zero Trust deployment

By treating every access attempt as if it originated from an untrusted network, a Zero Trust strategy helps secure remote access, including VPN connections, for employees working from home. This is precisely the approach today’s remote workforces need: users connect from untrusted home networks, and the VPN architectures used to extend the corporate network are sometimes failing.

Insider threats

Organizations face a broad range of risks from insiders

Countless security officers across the world are now asking themselves, “Is my organization effectively prepared to identify and remediate increasing insider risks?” One reason for this question is COVID-19 and the subsequent rapid digital transformation it has forced organizations to undertake. According to a recent survey, the lives of up to 300 million information workers worldwide have been upended, and many are now working remotely with limited resources and increased stress [46]. These employees are not only logging into enterprise environments and line-of-business applications but also accessing, editing, and sharing sensitive data.

Stressors that increase insider risks in a remote work environment

In addition, the current environment has significantly increased stressors such as potential job loss or health and safety concerns, which might lead to some employees participating in malicious activities, such as stealing intellectual property. An additional stressor to consider is the impact of the physical isolation and limited social interaction that has resulted from the abrupt shift to a remote workforce.