Page 36 - Cyber Defense Magazine RSA Edition for 2021
any legacy/near-end-of-life products which may no longer be receiving the expected vulnerability testing
efforts.”
Sometimes M&A activity can have security implications on a scale well beyond the product level.
Consider the scenario hospitality giant Marriott International faced after acquiring the Starwood Hotel
chain. What Marriott didn’t know was that Starwood’s IT systems had been compromised by hackers
before the acquisition took place. In this case the hackers laid low, choosing to passively monitor their
victim for many months and so the breach went undetected. After the two organizations were integrated,
however, the hackers began siphoning off data, resulting in one of the largest breaches of consumer data
to date.
While customers might expect to be informed of major changes to the products and services they use, it
doesn’t always happen, and so the responsibility is ultimately on the enterprise to take ownership of its
own security, even if that means assuming that any component, software, or application that it does not
have complete control over is likely already compromised. From there, the organization must exercise
diligent, continuous testing of all systems in order to ensure changes in status are detected, security gaps
are identified, and proper action is taken to close those gaps quickly.
It can be easy to think that, because a vendor or service provider markets their offerings on security, you
don’t have to worry about it. But as the lessons of cybertheory tell us, organizations can’t rely on others
to address their data security needs. Trust not in third parties. Do your due diligence when making
purchasing decisions, and keep the conversation going. Pay attention to changes and, if one of your
partners or vendors is involved in any market deals—directly or indirectly—find out what the implications
are for your organization.
Vendors and service providers should regard their customers and subscriber relationships as more than
merely transactional. But just because you’ve invested your trust in them doesn’t mean they will continue
to earn that trust. No organization is perfect; adversaries are counting on it.
About the Author
Gregory Hoffer is CEO of Coviant Software, maker of the secure,
managed file transfer platform Diplomat MFT. Greg’s career spans two
decades of successful organizational leadership and award-winning
product development. He was instrumental in establishing groundbreaking
technology partnerships that helped accomplish Federal
Information Processing Standards (FIPS), the DMZ Gateway,
OpenPGP, and other features essential for protecting large files and
data in transit.
For more information visit Coviant Software online, or follow Coviant
Software on Twitter.