Microsoft ties employee pay to security after IT outage

After two high-profile security issues in one month, the software giant has told managers to prioritise cybersecurity in staff performance reviews.

Written and reviewed by:
Helena Young

After a global IT outage affected Microsoft products last month, the company has made security a key criterion for performance management, an internal memo shows.

As first reported by The Verge, Kathleen Hogan, Microsoft’s chief people officer, told employees that “Delivering impact for the Security Core Priority will be a key input for managers in determining impact and recommending rewards”.

In mid-July, a flawed update from third-party cybersecurity firm CrowdStrike disrupted Microsoft systems around the world. Just two weeks later, the software giant suffered a cyberattack that caused its systems to shut down for eight hours.

By linking employee rewards to security, the company appears to be warning its workforce that they could now pay the price for future security breaches.

“Security above all else”

2024 should be a year of celebration for Microsoft. The company was founded 50 years ago, but the anniversary has been overshadowed by a spate of security breaches which have marred the firm’s reputation as a reliable IT and software provider.

The memo, which has been printed in full by The Verge, tells Microsoft team members that security is now a “Core Priority” for the company. “When faced with a tradeoff, the answer is clear and simple: security above all else,” says Hogan.

The HR change means that security now sits alongside DEI as a priority against which every Microsoft employee will be judged in their appraisals.

Hogan says this “is a way for every employee and manager to commit to—and be accountable for—prioritising security, and a way for us to codify your contributions.”

The new policy means that if a worker is found not to have prioritised security during their annual or monthly performance reviews (known as “Connect” meetings at Microsoft), they may be ineligible for promotions, merit-based salary increases, and bonuses.

According to Hogan, employees will need to provide evidence of their commitment to security themselves, by recording any progress made in the internal Connect tool.

Security upskilling

Training employees to recognise basic cyber attacks, such as phishing scams or fraudulent business emails, is common practice at most office-based businesses.

As a global software brand, the stakes are higher at Microsoft. Yet upgrading security to a core priority could be smart for any organisation, given the threat that cyber fraud poses today.

In its April 2024 report on cyber breaches, the UK government found that 50% of firms had experienced some form of cyber security breach or attack in the last 12 months. On average, each attack cost the affected firm approximately £1,205.

The report states that harsher economic conditions are creating a rise in the number of opportunistic cyber criminals. With the rapid advancement of technology also creating more sophisticated scams, the likelihood of suffering a cyber attack is increasing.

IT teams may be able to recognise the signs of an attack, but the wider team may be less equipped to do so. Regular training for the entire workforce on security is therefore recommended for UK businesses today in order to minimise risk.

Should staff bear the brunt of breaches?

Upskilling workers in security is good practice. However, by linking learning to remuneration, Microsoft could send the wrong message to staff and potentially create a toxic work culture.

This type of leadership style is known as transactional leadership. Designed to inspire employees by rewarding high-achievers with bespoke benefits and perks, it can also inadvertently tell employees that they will be punished for making a simple mistake.

SMEs may not wish to take such extreme action. Instead, it might be more productive to build a supportive culture by providing training separately from employee bonuses.

That way, if an attack does happen, the victim does not suffer the consequences and can feel safe to inform a manager that a problem has occurred.

Written by:
Helena Young
Helena is Lead Writer at Startups. As resident people and premises expert, she's an authority on topics such as business energy, office and coworking spaces, and project management software. With a background in PR and marketing, Helena also manages the Startups 100 Index and is passionate about giving early-stage startups a platform to boost their brands. From interviewing Wetherspoon's boss Tim Martin to spotting data-led working from home trends, her insight has been featured by major trade publications including the ICAEW, and news outlets like the BBC, ITV News, Daily Express, and HuffPost UK.
