Granted, such low-level activities don’t produce the same worker anxiety or organizational confusion that downsizing and M&As do — and, thus, don’t present the same opportunities for hackers. However, Carruthers says they still create changes that hackers can use to their advantage. “They all breed opportunities for attackers.”

Carruthers knows firsthand how effective such hacker strategies are. Her team of ethical hackers runs exercises that start by gathering information from six months’ worth of announcements, blogs, social media posts, and online forums where employees share their own thoughts. Then her team determines where and how to strike based on that information-gathering, just as hackers would. She says her team might use something positive against the company by crafting a phishing campaign that says a popular employee perk is ending. Or the team might seize on a migration to a new technology to more easily get employees to share login or credential information.

Although CISOs can’t shut off the flow of news, they can counter hackers’ ability to successfully use it against their organizations, Carruthers says. They can monitor OSINT about their organizations, work with other executives on announcements and the timing of those announcements, and run simulations on how such announcements play out from a business perspective. All that helps CISOs and their teams see what hackers see, better understand their thinking and prepare for possible targeted attacks.