The Essential 8 Series: What are Microsoft macro settings?
We have now reached the third instalment of our comprehensive Essential 8 series, wherein we will discuss the crucial topic of configuring Microsoft Office macro settings.
Microsoft Office applications in the public sector commonly utilise macros to automate routine tasks. Macros are popular and efficient tools for repetitive processes. However, it’s important to note that macros can potentially contain malicious code, leading to unauthorised access to sensitive information during targeted cyber intrusions. They can even be exploited to download additional malicious software. To mitigate this risk, Microsoft Office environments can be configured to block macros originating from the internet or those not recognised as trusted.
Essentially, this means macros should be disabled by default across the organisation, and any macro that is genuinely needed must first be vetted and approved by the administrator of the IT systems before it is allowed to run.
Think of a personal assistant (macro) who does all your routine tasks for you automatically in the background. Now let’s say you hired them without checking their resume or calling any of the listed references (macros running by default). Without doing a background check (vetting) of the personal assistant, you could run the risk of them becoming rogue (malicious code) and having access to all your systems. Before they would be allowed to work in your organisation you would make sure they went through the right process, so you had the right candidate (trusted macro).
So why should I care?
Staff members handle a high volume of email every day (often 100 to 200 messages) and may find themselves frantically jumping between messages in an attempt to respond promptly. If one of those emails carries an invoice attachment, they might click and open it, only to realise it is not relevant. Even though they then delete the email, the harm may already be done: a malicious macro could have executed the moment the document was opened.
How can this be fixed?
One of the most effective approaches is to implement an organisation-wide policy that disables the execution of all macros by default. A blanket rule is a proactive control that minimises the risk of macro-based threats. There will be exceptions: in certain scenarios, such as banking spreadsheets or similar specialised applications, macros may be genuinely necessary. In those cases, ask your IT provider to identify and approve only the specific macros that have been thoroughly vetted and are deemed safe to run, for example by restricting execution to digitally signed macros from trusted publishers or to files in a controlled trusted location. Consulting IT professionals in this way lets you strike a balance between security and the legitimate use of macros, mitigating the risk while still accommodating the business processes that depend on them.
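To check whether a workstation actually reflects the "disabled by default, block internet macros" policy described above, the following PowerShell audit is offered as an added example (it is not from the original article or from any vendor tooling). It assumes Office 2016/2019/Microsoft 365 (registry version folder `16.0`) and reads the standard `VBAWarnings` and `blockcontentexecutionfrominternet` values from the Group Policy and per-user registry paths.

```powershell
# Added audit script, not part of the original article. Assumptions:
# - Office 2016/2019/365 uses the "16.0" registry folder; change $OfficeVersion otherwise.
# - GPO/Intune settings land under HKCU\Software\Policies and override the per-user
#   settings under HKCU\Software\Microsoft, so the policy path is checked first.
# VBAWarnings meanings: 1 = enable all macros, 2 = disable with notification (Office default),
#   3 = disable except digitally signed, 4 = disable all without notification.
# blockcontentexecutionfrominternet: 1 = block macros in files marked as downloaded from the internet.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

function Get-MacroSetting {
    param([string]$App, [string]$Name)
    $policyPath = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$App\Security"
    $userPath   = "HKCU:\Software\Microsoft\Office\$OfficeVersion\$App\Security"
    foreach ($path in @($policyPath, $userPath)) {
        $item = Get-ItemProperty -Path $path -Name $Name -ErrorAction SilentlyContinue
        if ($null -ne $item) {
            $source = 'User'
            if ($path -eq $policyPath) { $source = 'Policy' }
            return [pscustomobject]@{ Value = $item.$Name; Source = $source }
        }
    }
    # Nothing configured: Office falls back to "disable with notification", which still
    # lets a user click "Enable Content", so it does not meet the intent of the control.
    return [pscustomobject]@{ Value = $null; Source = 'Not set (Office default)' }
}

$results = foreach ($app in $Apps) {
    $vba   = Get-MacroSetting -App $app -Name 'VBAWarnings'
    $block = Get-MacroSetting -App $app -Name 'blockcontentexecutionfrominternet'
    # Intent of the control: macros off unless vetted (signed/trusted), and internet macros always blocked.
    $meetsIntent = ($vba.Value -in @(3, 4)) -and ($block.Value -eq 1)
    [pscustomobject]@{
        Application         = $app
        VBAWarnings         = $vba.Value
        VBAWarningsSource   = $vba.Source
        BlockInternetMacros = $block.Value
        BlockSource         = $block.Source
        MeetsIntent         = $meetsIntent
    }
}

$results | Format-Table -AutoSize
```

Run it in the context of the user being audited, since both paths live under HKCU; any row where MeetsIntent is False is a machine to raise with your IT provider.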