
Microsoft cannot keep its own security in order, so what hope for its add-ons customers?

Microsoft has come under fire for charging for security add-ons despite the company’s own patchy record when it comes to vulnerabilities and breaches.

A week rarely goes by without some incident or other involving Microsoft products, be it the infamous Exchange Online raid by a China-linked group or an internal breach that resulted in data being exfiltrated from Microsoft’s email system. However, Microsoft execs remain quick to talk up the company’s security revenues.

Some enterprises might find it galling to be forced to pay for must-have security add-ons on top of their existing subscriptions. Getting core security tools requires a Microsoft 365 E5 subscription or topping up an E3 subscription with compliance add-ons, and even then the company will demand payment for certain tools.

Microsoft 365 E5 (without Teams) currently costs £50.30 (and $54.75 Stateside) per user per month with an annual commitment. E3 (also without Teams) is £31 per user per month (or $33.75 in the US). Many of Microsoft’s security products are available only in E5, and adding something like the Priva Privacy Risk Management service will add another £4.10 per user per month ($5 in the US).

While Microsoft’s pricing strategy might have resulted in bumper revenues for its security business, it has come at a cost to users.

Directions on Microsoft analyst Wes Miller said: “Customers need the tools to keep their organizations secure without having to pay more and more every year for Microsoft’s latest top-shelf security services — which keep moving to higher and higher shelves.”

The solution would be to fold more security products into Microsoft’s standard subscriptions, although this would risk those revenues as well as potentially attract the attention of anti-trust regulators.

Still, according to Directions’ Mary Jo Foley, “It’s not completely out of the question that Microsoft could make core security features part of more of its subscriptions. It did make a couple of concessions on that front after a couple of much-publicized attacks last year.”

Indeed it did. In 2023 Microsoft said it would provide all customers free access to cloud security logs in an effort to “increase the secure-by-default baseline” of its cloud platform. Users would be forgiven for wondering why the company stopped there.

Foley asked: “Will Microsoft bend further and make security core to more of its cloud subscriptions to help lessen the impact of attacks, not to mention bad publicity?”

We asked Microsoft, and will update this article if the company responds.

It is almost 20 years since Microsoft had a radical rethink around security and released Windows XP Service Pack 2. With the company’s recent security failures being classed as a national security issue in some quarters, it is high time for the company to think the unthinkable, and perhaps sacrifice some security revenues in order to ensure more customers are, in its words, secure-by-default. ®