This is the second part of a four-part blog series covering each of the four phases of the merger & acquisition (M&A) process and how you can build security into each phase. In case you missed it, Part 1 covered why it’s important to integrate security into the due diligence process in the first phase of M&A.

Today, Netskope announced it has been awarded, through SEWP Prime Anacapa Micro and distributor Merlin Cyber, the industry’s first Secure Access Service Edge (SASE) U.S. Federal Civilian Government contract in history, led by the United States Patent and Trademark Office (USPTO). This is a significant industry milestone as traditional, perimeter-based approaches to security will no longer work in a mandated cloud-first environment where data can be accessed from anywhere.

Every year Verizon releases the Data Breach Investigations Report (DBIR), covering some of the biggest trends in data breaches across industries, highlighting the common causes for breaches as well as trendy attack vectors. And every year, when it is released, my inbox is immediately hit with questions from colleagues and customers asking how Netskope can mitigate each of the issues raised. So this year I thought I would share my analysis more widely.

In April 2022, Netskope Threat Labs analyzed an Emotet campaign that was using LNK files instead of Microsoft Office documents, likely as a response to the protections launched by Microsoft in 2022 to mitigate attacks via Excel 4.0 (XLM) and VBA macros.

If you read the news, you already know that we’re seeing a huge uptick in mergers and acquisitions (M&A). Global M&A volumes hit a record high in 2021—increasing by 64% over the previous year and topping $5 trillion for the first time ever. This activity continues to surge in 2022 as companies use M&A to manage the still-unpredictable economic effects of the COVID-19 pandemic and find their strategic footing.

Many technology professionals have experienced the sense of frustration that occurs when multiple tools in their environment do not play nicely with each other. When technology leaders are making decisions about bringing new tools into their environment, they should be thinking about more than whether the platform is just a shiny new object that adds a new capability to their team.

If it wasn’t clear already, the RSA 2022 Conference highlighted that zero trust is the conversation every technology vendor wants to have and somehow associate with their products. This week at InfoSec 2022 we are seeing exactly the same. But how should an organisation weed through the hype to understand true value? Zero trust is certainly not a new concept.

Behind tremendous interest in zero trust security and its crucial role in the SASE journey, many practitioners choose zero trust network access (ZTNA) as their first step toward transformation. If you are planning a ZTNA project, here are some ideas and tips that can increase your odds of success and provide a smooth transition from legacy remote access VPNs to ZTNA.

It’s been over two years since offices around the world closed their doors, sending employees to work from home to ride out a series of pandemic lockdowns. Those two years saw a succession of commands to close, reopen, close again, and reopen again, during which office workers in many industries embraced remote work and the benefits of eliminating the commute and providing a better work-life balance.

Security transformation is upon us, and the global pandemic further accelerated macro-trends such as work-from-anywhere that were already well underway. But with so many ideas now competing for airtime when it comes to describing that transformation and how to do it successfully, security professionals could be forgiven for thinking that the right moves and the good advice are getting buried under an avalanche of marketing, buzzwords, and acronyms.

It is a sentence I hear a lot; “We treat Microsoft 365 as an exception in our cloud security because it is a managed app.” You might think that’s a reasonable approach to take, after all Microsoft’s security credentials are impressive, all OneDrive app traffic is encrypted, and there are plenty of other unmanaged cloud applications in use as shadow IT all over your organisation that pull your attention.

The role of information security in modern enterprises is evolving like never before. Security will need to improve third-party oversight as organizations increasingly depend on outsourcing models for scale flexibility, efficiency, and cost savings. It will also need to do a better job of balancing security requirements (e.g., regulatory compliance, risk management) against business objectives (e.g., user experience, network performance, reducing costs).

It’s no secret that the security leaders, especially chief information security officers (CISOs), have one of the most stressful jobs in the C-suite. They are bumping up against high demand, high risk, and often unrealistic expectations for their work.

In March 2022, researchers spotted a new ransomware family named GoodWill, with a new method to collect the ransom. Instead of requesting payment through crypto coins like other threats such as Night Sky or Hive, GoodWill requests that its victims help vulnerable people by following a sequence of steps, such as donating clothes, feeding less fortunate children, or providing financial assistance to hospital patients.

By 2025, there will be 55.7 billion connected IoT devices (or “things”), generating almost 80B zettabytes (ZB) of data. These are just some of the statistics that underscore enormous opportunity in IoT—and the enormous security risks all those IoT devices create.

On May 27, 2022, a Microsoft Office document was submitted from Belarus to VirusTotal, using a novel method to deliver its payload. This new technique was identified as a Zero-Day RCE (Remote Code Execution) vulnerability in Microsoft Support Diagnostic Tool (MSDT), which is now being tracked as CVE-2022-30190. As of this writing, it affects only Windows computers running with MSDT URI protocol enabled.