CyberVoices

Canadian news and thought leadership


Why “least privilege” is Canada’s best defence

Microsoft just hit a record high of 1,360 reported vulnerabilities in its software last year. While that number might sound scary, it’s part of a trend we’ve seen for years. The real problem lies in what’s behind the numbers and what they mean for Canadian businesses trying to stay secure in a fast-moving world. 
 
As BeyondTrust’s latest Microsoft Vulnerabilities Report reveals, one type of security risk is especially alarming: elevation of privilege (EoP). This category made up 40 per cent of Microsoft’s total reported vulnerabilities in 2024. That’s not just a statistic; it’s a wake-up call.   

What’s elevation of privilege and why should Canadians care? 
 
Imagine someone finds a way to break into your office using a stolen key card. That’s what an elevation of privilege attack is like in the digital world. Once inside, hackers can quietly move through your systems, taking control of sensitive data or expanding their access without being noticed. 
 
These attacks often begin with compromised credentials, sometimes even from non-human identities like service accounts. The problem snowballs from there. We’ve seen it over and over in major data breaches: attackers find one weak point, then jump from system to system. 
 
And Microsoft isn’t the only target. If 40 per cent of their vulnerabilities are EoP-related, imagine how many other software platforms that Canadian companies rely on could also be vulnerable. 
 
The rise of security feature bypass attacks  

Another disturbing trend is the spike in security feature bypass vulnerabilities, up 60 per cent since 2020. These are loopholes hackers use to get around built-in protections in tools like Microsoft Office and Windows. 
 
Think of these bypasses as digital “unlocked doors.” If an attacker finds one, it doesn’t matter how strong your locks are; they’re walking right in. Tools like EDR (endpoint detection and response) are meant to stop threats, but attackers are finding ways around them too. We’ve seen the rise of tools like EDR Killer that are designed specifically to sneak past these defences. 
 
Why Canadian companies can’t rely on just one layer of security  

Some businesses still make the mistake of thinking one product or platform will keep them safe. But cybersecurity isn’t about one silver bullet. It’s about layered defences, also known as “defence in depth.” 
 
For example, if a patch causes problems or breaks other tools, companies might delay applying it. But that delay gives attackers a window of opportunity. The better approach? Have multiple layers of protection in place, especially for front-line systems and high-risk assets. 
 
Microsoft Edge: The new problem child?  

One surprise in this year’s report was the jump in Microsoft Edge vulnerabilities. Critical issues rose from 1 to 9 and total vulnerabilities increased from 249 to 292. Has Microsoft shifted its focus too much toward Azure and Dynamics 365? It’s a question worth asking, especially when everyday tools like browsers are often the first entry point for cyberattacks. 
 
AI brings new benefits and new risks  

Artificial Intelligence (AI) is transforming how businesses operate, but it’s also opening the door to new threats. Microsoft Copilot Studio and Azure Health Bot, for instance, were flagged for AI-related vulnerabilities in this year’s report. 
 
AI is already being used by threat actors to automate attacks, identify weaknesses faster and even write malicious code. We haven’t yet seen a large-scale attack where an AI or large language model (LLM) becomes the main infection point, but that day is coming. 
 
The biggest question on the horizon: can we trust the output from AI tools? What if the answers, code or insights we get from AI are secretly manipulated by a hacker? Canadian companies need to think about how to secure not just their AI tools, but also the data and systems that feed them. AI security can’t be an afterthought; it must be built into every layer of your defence strategy. 

The power of “least privilege” in a “zero-trust” world  

One of the most effective ways to reduce risk is by applying the principle of “least privilege.” It’s not a new idea, but it’s more important than ever. 
 
“Least privilege” means giving every user, human or machine, only the access they absolutely need to do their job. Nothing more. If someone doesn’t need admin rights, don’t grant them. If a service account only needs access to one system, don’t let it roam freely. This approach limits the damage if (or when) something goes wrong. It’s also a key part of a “zero-trust strategy,” which assumes no one and nothing should be trusted automatically, even if they’re already “inside” your network. 
 
In fact, many organizations confuse “zero trust” with “least privilege.” The difference is that “zero trust” is the overall strategy, and “least privilege” is a tactical way to enforce it. A practical step Canadian companies can take right now? Audit your users and systems. Who has access to what and why? You might be shocked by how many people or services have more access than they actually need. 
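
One way to run the audit described above, as an added example that is not from the article or from BeyondTrust: it compares what each identity is granted with what it actually used during a review window and ranks the excess. The account names, the `system:level` permission scheme and the `svc-` prefix for service accounts are assumptions, and all data is constructed.

```python
from collections import defaultdict

# Constructed sample data, not taken from the article.
# Permissions use a hypothetical "system:level" naming scheme.
GRANTS = {
    "alice": {"crm:read", "crm:write", "hr:admin"},
    "bob": {"crm:read"},
    "svc-backup": {"fileserver:read", "fileserver:admin", "crm:read", "hr:read"},
}
# Constructed access log for the review window: (identity, permission exercised).
USAGE_LOG = [
    ("alice", "crm:read"), ("alice", "crm:write"),
    ("bob", "crm:read"),
    ("svc-backup", "fileserver:read"),
]

def system_of(permission):
    """Return the system part of a 'system:level' permission string."""
    return permission.split(":", 1)[0]

def audit_least_privilege(grants, usage_log, service_prefix="svc-"):
    """Return over-privileged identities, riskiest first."""
    used = defaultdict(set)
    for identity, permission in usage_log:
        used[identity].add(permission)

    findings = []
    for identity, granted in grants.items():
        unused = granted - used[identity]
        if not unused:
            continue  # every grant was exercised: nothing to trim
        used_systems = {system_of(p) for p in granted & used[identity]}
        findings.append({
            "identity": identity,
            "non_human": identity.startswith(service_prefix),
            "unused": sorted(unused),
            # Admin rights nobody exercised are the first candidates to revoke.
            "unused_admin": sorted(p for p in unused if p.endswith(":admin")),
            # Systems the identity can reach but never touched at all.
            "idle_systems": sorted({system_of(p) for p in unused} - used_systems),
        })
    # Rank by unused admin rights, then by total unused grants.
    findings.sort(key=lambda f: (-len(f["unused_admin"]), -len(f["unused"]), f["identity"]))
    return findings

if __name__ == "__main__":
    for f in audit_least_privilege(GRANTS, USAGE_LOG):
        kind = "service account" if f["non_human"] else "user"
        print(f"{f['identity']} ({kind}): revoke {f['unused']}; idle systems {f['idle_systems']}")
```
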
 
Identities are the new perimeter  

Cybersecurity used to be about building firewalls around a company’s data centre. But in today’s world of cloud apps, hybrid work and global supply chains, identity is the new perimeter. 
 
Attackers are no longer just looking for software flaws. They’re targeting people, especially those with access and privileges. That includes your employees, partners, contractors and even automated systems. 
 
That’s why privileged access management (PAM) and identity-first security strategies are so critical for Canadian businesses. These approaches don’t just monitor threats; they help stop them at the source by locking down who can do what, where and when. 
 
The bottom line going forward  

Cybersecurity isn’t about being perfect; it’s about being proactive. You can have 99.9 per cent of your environment locked down, but if there’s a .01 per cent vulnerability, that’s all an attacker needs. 
 
Canadian organizations need to shift their mindset from reactive to proactive. That means applying patches smartly, layering defences, adopting AI cautiously and putting “least privilege” at the heart of your security program. 
 
Because when it comes to protecting your business, every identity and every privilege matters.

Dan Deganutti is the senior vice president and country manager for Canada at BeyondTrust, where he leads the company’s Canadian go to market (GTM) operations and fosters relationships with clients and business partners.