This is exactly it. There is no incentive to prioritise security. It is not visible to customers, except in terms of compliance, most likely a check-list approach.
I think it needs a massive cultural shift, but from customers. If customers were willing to evaluate security (consumers cannot, but enterprise can) properly, demand binding assurances, and make buying choices accordingly, industry would respond.
Of course MS is too strongly entrenched in the desktop market for this to be completely effective.
When I first left offensive security consulting and joined an internal defensive team, a wise ex-agency person said to me: "In product development, the first things to get axed are often security and performance. They are invisible to the user, until they aren't, and rarely do failures in those areas end a company."
Granted this was prior to ransomware really blowing up, but even that itself is a different threat model that doesn't mean your product has to be good at security.
The purpose of using Microsoft products in an office environment is so that your office can be run with as much personal computer enhancement as you originally realized when you first effectively replaced the traditional office machines or more-labor-intensive tasks with software-powered substitutes.
Which all occurred way before any of the things like "single-sign-on" got popular among those who didn't seem to know any better. The second this appeared it was easily recognized as one of the many consumer/entertainment features that must be disabled across every bit of any serious corporate network.
Also best disabled on any home computer before it is allowed to touch the internet.
There was no forthcoming mitigation; all Microsoft leadership could do was throw up their hands. After all, there were insurmountable reasons why such a threat could not be overcome.
>it required customers to turn off one of Microsoft’s most convenient and popular features:
Like any other office no-brainer:
>the ability to access nearly every program used at work with a single logon.
It’s a market. There’s no demand for security. How often has the average Joe had one of their online accounts hacked or credit card details stolen in 2024?
Obviously the most effective way of incentivizing companies to focus on security is NSA assembling a team to hack important companies, create real harm and accompanying press releases. Ah sorry, I meant Russian hacker news.