Microsoft’s announcement earlier this month that it would set internet macros to be blocked by default in Office applications is causing quite a conundrum for financial institutions and the security providers that work with them.
In the wake of reignited reports that North Korean threat actors have been sneaking their ransomware payloads into businesses — including financial firms and their small- and mid-size business customers—through Visual Basic Application macros in Microsoft Office led to the software giant’s security decision. VBA macros in particular are often used in Microsoft’s ubiquitous Excel spreadsheet program so that enterprises (small and large) can make their own custom-generated functions, and enable Excel users to speed up their common tasks and take shortcuts. VBA macros can also be used to access Windows APIs.
Earlier this month, a post on the Microsoft corporate site said: “VBA macros are a common way for malicious actors to gain access to deploy malware and ransomware. Therefore, to help improve security in Office, we’re changing the default behavior of Office applications to block macros in files from the Internet.” Hence, when Office users open files from the Internet that contain macros, including email attachments, the users will receive a message that highlights the “security risk... [which has] blocked macros from running because the source of this file is untrusted.”
But given Microsoft Office’s long-standing omnipresence — particularly Excel and especially in financial institutions and finance departments, where many smaller community banks are practically run internally on Excel — some industry observers are looking askance at the idea of shutting down outside macros, as a step that will greatly undermine the efficiency of financial service companies.
“As we’re working closely with partners from the financial and banking sector, we understand that macros play an integral part of our client's business workflows,” said Michael Tal, technical director for Votiro, a cloud-focused security company. “With the news of VBA macro documents being blocked by default and then later with Microsoft’s decision to roll back the changes based on feedback received, this can cause a massive hindrance on business productivity.”
More than 3.7 million companies worldwide (at least 1.2 billion users) were using Microsoft Office 365 as of last year, giving it 54% of the market, according to data from Enlyft. Financial services is one of the top five industries using Office, with more than 90,000 financial enterprise users globally, per Enlyft.
Tal, a former member of the Israeli Army’s intelligence force who currently works closely with dozens of large financial organizations, pointed out that “macros are a powerful tool in the financial sector, as they are used to create robust financial modeling, calculate loan interest, automate repetitive, labor-intensive tasks, they are recorded sets of actions which can be run to save time and labor.”
Excel macros are also often used to simplify budget forecasting and “makes a difference in a day-to-day workload of any entity who's using it as it speeds up the process to generate a task after finalizing the creation of the macro and setting the variables,” Tal added.
Jonathan Golan, a long-time certified professional accountant and investment professional, pointed out that when macros are used by financial services companies like funds and private equity firms, “it is generally in financial modeling.” For example, macros can enable someone to insert a pool of assets into a model “instead of copy-pasting a row 1,000 times.”
“Obviously, macros save time for those who are using them,” Golan added. “Blocking them can hurt productivity because you’re going to have to do those manual and routine tasks on your own.”
However, balancing security with convenience and productivity is a juggling act that is likely to remain for a long time, particularly for efficiency-focused financial institutions.
In the second half of last year alone, Votiro witnessed 634,203 threats against financial institutions, according to a report released in February.
“With Microsoft's intentions to combat Emotet, Trickbot, Qbot, Dridex,” Tal added, “[Microsoft] will have to come up with a much more creative approach to deal with legitimate business use macros and allowing the continuity of the business without compromising on security.”