[07-18-24]--Join us tomorrow for “Hacking SOC Automation”
Super Cyber Fridays!
Join us TOMORROW, Friday [07-19-24], for "Hacking SOC Automation"
Join us Friday July 19, 2024, for “Hacking SOC Automation: An hour of critical thinking about how the line of what we can automate is changing.”
It all begins at 1 PM ET/10 AM PT with guests Edward Wu, CEO and founder, Dropzone AI, and Caleb Sima, builder, White Rabbit. We'll have fun conversations and games, plus at the end of the hour (2 PM ET/11 AM PT) we'll do our meetup on Discord.
Thanks to our Super Cyber Friday sponsor, Dropzone AI
Defense in Depth
Do Companies Undergoing a Merger or Acquisition Get Targeted for Attacks?
There's a common assumption that mergers and acquisitions put organizations at more risk of cyberattacks. Is there any data to back up this well-worn trope?
Check out this post for the discussion that is the basis of our conversation on this week’s episode co-hosted by me, David Spark, the producer of CISO Series, and guest co-host Christina Shannon, CIO, KIK Consumer Products. Joining us is Andrew Cannata, CISO, Primo Water.
The lure of an IPO is debatable
Does an IPO announcement make you more vulnerable? Derek A. disrupted the idea, saying "I went through a large M&A, announced in 2017. It was all over the news. We didn't see any measurable uptick in anything. I don't remember a single phish that was using the M&A as a lure." Even though Derek didn’t experience any attack attempts, such lures can be very effective in phishing attempts, noted Allan Alford of The Cyber Ranch Podcast, "I used a fake TechCrunch article about an impending merger as clickbait on a phishing test once. My previous click rates were down in the low single digits and they shot right back up over 30 percent with that one email. I even got the CEO to click. That's when I realized phish-clicking stats were useless. If it's compelling enough, people will click."
Does an IPO make you a target or just more vulnerable?
Making you a visible target is one possible issue of a merger. But another argument is that the act of a merger weakens both organizations’ security posture in this liminal time. "I have seen empirical data that clearly show a correlation to an overall drop in security posture scores post-merger announcement and even more after merger completion. As uncertainty looms, some of the ‘basics’ fall to the wayside," said Jeff Pick of Freeport-McMoRan. And if either company undergoes a breach during the merger, we can’t assume correlation equals causation. "Look at the FedEx acquisition of a European company. The Marriott acquisition of Starlight. It is hard to tell if these incidents occurred because they were targeted or changes that permitted the integration of the computing resources," cautioned Dwayne Smith, global CISO at PrismHR.
M&A changes your context
Mergers and acquisitions fundamentally change how you operate. Everything needs to be addressed. It’s not surprising that this impacts your cybersecurity posture. "In most cases, threat profiles change as the organizations involved in the M&A have different cultures, technologies, and processes which may conflict leaving confusions, disagreements, technology protocol mismatches, and integrations of systems. When the context changes, the threat landscape also changes," said Thilak Dharmananda of ES2 Solutions. But Rich Mason of Critical Infrastructure points out that there can be a silver lining, "A good due diligence process will uncover signs of previous or active compromise. The upside is that it can inform your go/no-go decision, and might be a factor in valuation."
Ambiguity creates risk
A merger upsets the stability of any organization. While this might make it easier to exploit the ambiguity, the reality is threat actors will look to strike opportunistically at any time. "M&A is the perfect time for the goons to slide through. All of the different business areas talking to new people across the bow they've never talked to before. All the things that gotta get done. Perfect time for a hacker to inject themselves into financial processes, recruiting processes, trouble ticket resolution, etc. But the real answer is any time is the perfect time," said Corey Wrenn.
Please listen to the full episode on your favorite podcast app, or over on our blog where you can read the full transcript. If you’re not already subscribed to the Defense in Depth podcast, please go ahead and subscribe now.
Thanks to our podcast sponsor, Cyera
Subscribe
Subscribe to Defense in Depth podcast
Please subscribe via Apple Podcasts, Spotify, YouTube Music, Amazon Music, Pocket Casts, RSS, or just type "Defense in Depth" into your favorite podcast app.
LIVE!
Cyber Security Headlines - Week in Review
Make sure you register on YouTube to join the LIVE "Week In Review" this Friday for Cyber Security Headlines with CISO Series reporter Richard Stroffolino. We do it this and every Friday at 3:30 PM ET/12:30 PM PT for a short 20-minute discussion of the week's cyber news. Our guest will be Adam Arellano, former VP, enterprise cybersecurity, PayPal.
Thanks to our Cyber Security Headlines sponsor, Conveyor
Sponsored content
The Future of Attack Surface Management with NetSPI
With rapid development and agile methodologies, attack surfaces are dynamically changing along with code and infrastructure. Continuous monitoring and human-augmented analysis can help protect your organization's internet-facing assets, argues Nabil Hannan, Field CISO, NetSPI. Organizations need to build this into a part of their regular security hygiene.
Huge thanks to our sponsor, NetSPI
Cyber chatter from around the web...
Jump in on these conversations
"Temu "confirmed" as Spyware by Arkansas Attorney General, yet Google still allows Temu ads" (More here)
"Worst experience using a cybersecurity product?" (More here)
"CISO's Paranoia" (More here)
Coming Up On Super Cyber Friday...
Coming up in the weeks ahead on Super Cyber Friday we have:
[07-19-24] Hacking SOC Automation
[07-26-24] No show
[08-02-24] Hacking CISOs
Save your spot and register for them all now!
Thank you!
Thank you for supporting CISO Series and all our programming
We love all kinds of support: listening, watching, contributions, What's Worse?! scenarios, telling your friends, sharing on social media, and most of all we love our sponsors!
Everything is available at cisoseries.com.
Interested in sponsorship? Contact me, David Spark.