Amazon announced that it will be acquiring MGM Studios for $8.45 billion in an effort to bolster the already growing Amazon Studios, making it Amazon’s second-largest acquisition, following its $13.7 purchase of Whole Foods in 2017.
According to cybersecurity expert Mark Stamford, CEO of OccamSec, a deal of this scale will require a complete review of its cybersecurity infrastructure, as the process of fully merging these entities is rarely completed in the expected timescale.
- The standard “merger” due-diligence template goes into great detail looking at financial & legal status issues, but rarely seems to consider the potential liability associated with linking into an organization with a seriously compromised infrastructure.
- Trying to coherently map risks or produce an enterprise security plan for this type of environment is incredibly challenging when multiple systems are coming together.
- With such notable deals, most attackers reside within the organization’s network for over 100 days before discovery, so there is a very real risk of starting work on merging infrastructure whilst being observed by an interested resident attacker, who will be keenly looking out for an opportunity to vector into the core organization’s networks.
Mark says, “Exercising strategic due-diligence during a merger or acquisition is the most effective way for any organization, like Amazon, to protect itself from cyber threats.”
We had the opportunity to ask Mark Stamford some questions about the merger and get his expert opinion(s):
Q: What changes can be expected with a merger like the Amazon/MGM Studio merger?
MS: The merging of two different cultures always prompts a lot of changes. In this case, MGM is going to become more like Amazon than the other way round.
Q: Do the benefits outweigh the risks with this type of merger?
MS: Yes, I assume so, from a cyber perspective, the main risk is joining two networks together that have different structures, and probably issues. So, for example I was called in to help with some M&A work once, the new network was plugged in…and brought a heap of malware with it which quickly spread into the acquirers’ network. It later transpired that some of the IP, which was the very reason for the merger, had been stolen.
Q: What challenges is Amazon, an online retailer, facing when merging with MGM Studio?
MS: Both operate in different ways. The majority of movie making companies seem to follow the “if it ain’t broke don’t fix it” mantra. So, technology tends to be a hodgepodge, along with processes, etc. Amazon meanwhile is a tech company, and while primarily known as a retailer, has considerable presence in the cloud (with AWS) so has a lot of cutting-edge technology at its disposal.
Q: What are some ways to help the process move along with ease?
MS: Again, from a cyber perspective there needs to be due diligence done on the MGM environment. At the same time, since both organizations probably have a range of security tools, seeing who has the best tool for the job can save money in the long term.
Also, not to be discounted is the human element in cyber security – any merger results in layoffs. So, the potential for a “disgruntled insider” increases. The way to help with that is communication – not more monitoring.
Q: How can Amazon prevent cyber-attacks during the process of the merger?
MS: MGM makes a nice target right now, since at some point their technology will be integrated into Amazon, and if I was a bad guy, I would assume they are the softer target of the two. Amazon should work with MGM to ensure their security is at a “good” level, and work on the integration aspects – two distinct cyber security teams need to become one, quickly.
Q: In your opinion, does Amazon face cyber risks from vendors or third parties with the onset of the merger?
MS: I think Amazon always faces this risk, as does everyone. Since the organization is increasing in size, the “attack surface increases” so yes, they do face risks.
Q: What are the biggest cybersecurity threats at the moment?
MS: Motivated attackers, be that nation states, criminal groups, hacktivists, or others. Ransomware is getting a lot of press right now. However, I think the biggest threat is the endless cost spiral companies are trapped in trying to deal with this.
Q: What are some ways to ensure that the infrastructure is not compromised?
MS: Defense in depth continues to be the key. Layers of security, which work together, and consider the context of the organization (how it makes money or delivers its service) in order to support that mission. I assume Amazon will expand their cyber security program across MGM fairly quickly, which checks a number of boxes and provides a good starting point.
One issue may be that a movie studio faces different kinds of attackers than Amazon. Movie studios are primarily about their IP, everything else always seemed to be secondary to that. Stealing a movie is a different attack than ransomware, which we have seen borne out in practice (various insider attacks to steal content for example).
Q: What are your certifications in the cybersecurity field?
MS: I have been involved in cybersecurity since I was 11. Was senior penetration tester for a global consulting company, ran a security program at a global investment bank, and have been running a security company for 10 years.
Q: What does effective cybersecurity look like to you?
MS: Cost effective, business aware, and layered.