PowerPoint Security Vulnerabilities and How to Protect Yourself

Today, I’ll talk about something we as a presentation community don’t discuss nearly enough: security—specifically, how security relates to our beloved PowerPoint.

If you are a regular here at PresentationXpert, and I hope you are, you know that PowerPoint is a powerful program used for numerous purposes beyond presentations, something black hat hackers (aka “the bad people”) use to their advantage.

While researching this article, I viewed Sami Laiho’s course, Windows: How It’s Hacked, How to Protect It, published with Pluralsight.

Laiho argues that PowerPoint is “by far the easiest way to penetrate a company nowadays” (m3-04 @1:09). Though his course is designed more for IT Admins than for presentation experts, it nevertheless made me realize that as a PowerPoint consultant and trainer (with direct contact with end-users who share and open files from a variety of locations), I do not take nearly as many precautions as I should nor stress the importance of such precautions to my PowerPoint students.

Well, that changes now.

Why So Serious?

Total cybercrime damages reported to the Internet Crime Complaint Center (IC3) in 2014 were a whopping 800.49 million US dollars, not including smaller complaints reporting a loss less than $100,000. The average cost of a cybercrime attack in the US was 15.42 million US dollars (as of August 2015).


In short, this stuff costs money—to businesses, you, me, everyone. Not to mention, it can be a real time-suck and, depending on the data breached or stolen, reputation damaging.

In the United States, malicious code accounts for 24% of the attacks. That might not seem like much, but when compared to other attack types, especially ones that get more “press time” like viruses, worms, and Trojans, it’s a decent piece of the metaphorical pie.


Malicious code gets into organizations or home computers in many ways, most of which are outside the scope of this article. But PowerPoint IS an underappreciated source.

How Hackers Use PowerPoint to Infiltrate Businesses

After viewing his course, I contacted Sami Laiho, the author, and one of the world’s leading Windows OS experts, and asked what makes PowerPoint such a vulnerability. He said:

“[PowerPoint] is a tool that can be hard to resist from opening as it can be a demand from your boss that you are required to open or a super entertaining presentation from your best friend. It is a perfect tool for socially engineering people to open its contents.

From a hacker’s perspective, it is a tool that easily allows one to attach code and commands for the computer, hidden behind interesting or sweet pictures and other sorts of media. I’d say if you get one of these you might open it depending on what kind of person you are:
• Click to see the most adoring babies of 2015
• Click to see the most beautiful fitness models of 2015
• Click to see the numbers your salary was based on in our company in 2015
• Click to see the cutest kittens of 2015
• Click to see the real numbers on how much money the owners of Tesla motor really earned in 2015”

While you might think that you would never download or click on something so ridiculous as the above, you’d be amazed. Hackers are smart. Sami says that “security is 25% technology and 75% psychology.” It’s a chess match, and you are not the opponent; you’re the hacker’s pawn. And all the hacker is trying to do is get you to click.

Malicious code can be attached to a presentation using a shockingly simple technique many of us already know: inserting an action.


Assigning an action to a clickable button or picture, where all the user has to do is click or hover their mouse over the image, could potentially trigger a malicious program used to penetrate your organization. There are other ways too: macros, ActiveX controls, and data connections can all be unsafe, depending on their content and the intent behind them.
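A defender-side triage of the features just described, as an added example (not from the article, Sami Laiho's course or Microsoft): a .pptx/.pptm file is a ZIP package, so program/macro actions, macro projects, ActiveX parts and non-web external links can be listed without opening the file in PowerPoint. The marker list, the size cap and the names `scan_pptx` and `build_sample` are assumptions of this example, and the sample package is constructed and deliberately incomplete.

```python
import io
import re
import zipfile

MAX_PART_BYTES = 5_000_000  # assumed cap so an oversized part is never expanded
# Simplified markers (assumed) for the active-content types the article names.
PART_RULES = {"macro": re.compile(r"vbaProject\.bin$", re.I),
              "activex": re.compile(r"^ppt/activeX/", re.I)}
# Actions on shapes and text are hlink* elements carrying an action attribute.
ACTION_RE = re.compile(rb'<a:hlink\w+\b[^>]*\baction="(ppaction://(?:program|macro|ole)[^"]*)"')
REL_TAG_RE = re.compile(rb"<Relationship\b[^>]*>")
TARGET_RE = re.compile(rb'\bTarget="([^"]*)"')
WEB_RE = re.compile(rb"(?i)(https?|mailto):")

def scan_pptx(data: bytes) -> list:
    """Return (kind, part name, detail) findings for one presentation file."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as pkg:
        for info in pkg.infolist():
            name = info.filename
            for kind, rule in PART_RULES.items():
                if rule.search(name):
                    findings.append((kind, name, "embedded part"))
            if info.file_size > MAX_PART_BYTES or not name.endswith((".xml", ".rels")):
                continue
            body = pkg.read(info)
            for match in ACTION_RE.finditer(body):
                findings.append(("action", name, match.group(1).decode()))
            for tag in REL_TAG_RE.findall(body) if name.endswith(".rels") else []:
                target = TARGET_RE.search(tag)
                if b'TargetMode="External"' in tag and target and not WEB_RE.match(target.group(1)):
                    findings.append(("external", name, target.group(1).decode()))
    return findings

def build_sample() -> bytes:
    """Constructed, deliberately incomplete package; PowerPoint will not open it."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as pkg:
        pkg.writestr("ppt/slides/slide1.xml",
                     '<p:sld><a:hlinkClick r:id="rId2" action="ppaction://program"/>'
                     '<a:hlinkClick r:id="rId3" action="ppaction://hlinksldjump"/></p:sld>')
        pkg.writestr("ppt/slides/_rels/slide1.xml.rels",
                     '<Relationships><Relationship TargetMode="External" Target="file:///C:/placeholder/tool.exe"/>'
                     '<Relationship TargetMode="External" Target="https://example.com/"/></Relationships>')
        pkg.writestr("ppt/vbaProject.bin", b"constructed placeholder bytes")
    return buf.getvalue()

if __name__ == "__main__":
    print(*scan_pptx(build_sample()), sep="\n")
```

A finding is a reason to look closer rather than a verdict, since templates and training decks legitimately use actions and macros.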

So, Is PowerPoint Safe?

Yes, of course. The vast majority of the time, in fact. PowerPoint is a tool, like a hammer. Is a hammer safe? Inherently, yes. Can it be dangerous? Of course! Like any tool, PowerPoint’s impact depends on the user—something as true for cybersecurity as it is for presentation design.

Actions, macros, and ActiveX controls are not inherently dangerous, and PowerPoint includes many safeguards against malicious code. The problem is, many safeguards are left outdated or disabled by unsuspecting, overly-trusting and/or easily annoyed users. These safeguards include:

1. Windows User Account Control
2. Trusted Locations
3. Security Alerts
4. Safe Mode
5. Protected Views

With recent new threats, Microsoft is ramping up security precautions. A new addition to Office 2016 allows IT administrators to block macros from running in Word, Excel, and PowerPoint if the file originated from the Internet. Your company’s IT department will also have other protections (hopefully), like firewalls, anti-malware, and such—combined, these measures protect computers considerably.

But despite these safeguards, ultimately, it is up to you, the user, to be discerning in how, when, and from where you open PowerPoint files, and to be smart when you encounter a suspect file.

How to Protect Yourself

1. Keep your software up-to-date.
This one is a big one. Software companies have their work cut out for them just getting a product to the public, and maintaining that product is even more impressive. To keep you safe, developers push out patches for discovered bugs and vulnerabilities ASAP. But that only works if you install updates.

In Office 2016, you can check for Office updates right from within an Office App. Just jump to the backstage view, and click Account. From there, you should see the option to check for updates to the right of the screen:


2. Don’t download/open/click on any files (PowerPoint or other) you don’t know or trust.
As a rule, do not trust anything free—there is always a hidden price. Most of the time, companies just want your email address, but hackers want a bit more, like a ransom. Also, trust is a funny word here. You might trust your elderly father with a lot of things, but if you regularly have to explain the difference between the Facebook public wall and a private message, be extra cautious when he sends you files and attachments.

3. Enable User Account Control, and Leave It On
I might even suggest ramping this setting up a bit in Windows 8 or 10. Just search Windows for the term “User Account Control Settings” and change the notification level slider to “Always notify me when:”

Yes, you will get more alerts from Windows as a result, but weighing the risk vs. reward…trust me; this one is worth it.

4. Enable Protected Views, Safe Mode, and Security Alerts, and Disable Macros
You can access these options by going to your File menu, to Options, to Trust Center, and clicking on Trust Center Options.


For detailed instructions on adjusting these settings, see the Microsoft Office Security Support Articles.

5. Contact Your IT Support Desk Immediately Should Anything Unexpected Occur
Don’t ignore pop-ups and for the love, do NOT just click OK without knowing what you are clicking OK to. When in doubt, ask your IT folk. Yes, they might groan and roll their eyes, but you’ll be doing them and your company a favor by being cautious.

6. Educate yourself about recent threats, scams, and vulnerabilities.

FBI Website
Incidentally, popular news channels and Facebook are not usually the places for info about recent threats. One great source, unsurprisingly, is the FBI’s Cyber Crime webpage. Yes, the FBI has its own, well-written Cyber Crime News roll cataloging the latest attacks and scams.

Microsoft Malware Protection Center
To stay up-to-date on Microsoft-specific threats, the Microsoft Malware Protection Center has its own blog here, as well as a Twitter feed.

PBS has a series of web courses on NovaLabs, one of which is a Cybersecurity Lab with high-quality educational videos, quiz questions, and even a game to guide you through issues of cyber security, hacking, privacy, and cyber codes.


Cybersecurity 101 PDF
This is a short, 2-page PDF publication for the Stop. Think. Connect. ™ Campaign put out by the Department of Homeland Security. In it, there is some useful information and links on how to report cyber incidents.

In short, no one way of protection listed above will keep you safe. It takes a combination of these protective features and your diligence to keep you PowerPoint-ing safely in the 21st century.

About Heather Ackmann:

Heather Ackmann is a Microsoft MVP and full-time author and trainer for AHA Learning Solutions, specializing in Microsoft Office, business professional, and soft skills training videos and educational materials. In her spare time, she enjoys blogging at heatherackmann.com and crocheting hats and scarves for her children who refuse to wear hats and scarves. Follow her on Twitter @heatherackmann and Docs.com/heather-teaches. You can download her free book Conversational Office 2016 here.
