Cybersecurity, you won’t be surprised to learn, ranks as the number-one IT concern for acquirers. It’s the single biggest risk. From the potential loss of vital intellectual property (IP) or customer data to sheer costs and reputational risk, it’s all-encompassing. In this article, we will review the different types of cybersecurity risk that lurk out there, as well as ways to identify and mitigate them.
But let’s start with a definition. What, exactly, is “cybersecurity”? For the purposes of this article, it refers to the protection of any electronic data that resides or passes through a company’s infrastructure. We’ll often talk about data that’s “at rest” or “in flight”; the former refers to data that’s stored (say, in a company database in a company or cloud server), while the latter refers to data that’s being transferred: anything from an internet download to email.
Risks of cybersecurity lapses
Brace yourself. Nothing we’re about to discuss is pretty. When Company A sets its sights on buying Company B, the cybersecurity stakes couldn’t get any higher. A breach could result in:
• IP theft, loss, or transfer to a foreign nation-state actor
• Loss of confidence in a company’s product or service
• Damage to a company’s product or service
• Theft of PII, a.k.a. personally identifiable information—for anyone from employees to customers. We’re talking about things like phone numbers, email addresses, and Social Security numbers.
• Password theft
• Reputational damage
These are the kinds of things that keep acquirers up at night. Due diligence—which takes place prior to the acquisition—helps, but it only provides a guess of the threat posture, the areas of the attack surface, and the cost of remediation. And trust us: there’s always remediation.
Once the deal for Company B is inked, then you’re allowed—finally—to go in and see what awaits you.
Points of vulnerability: What to look for
There are lots of things to check out when you get into that acquired company. They include:
• Outdated software, missing patches, and/or a missing patch program
• Network configuration and potential attack vectors: How many data centers? Do they use the cloud? How many points of entrance are there?
• Anything home-grown
• Outdated hardware
• Misconfigured hardware or software
• What data are they storing? Do they really need, for example, the Social Security numbers of all customers or employees?
Note that the risk goes up with what’s known as PCI DSS: Payment Card Industry Data Security Standard. What hacker wouldn’t want a trove of valid credit card numbers?
Making an assessment
Once you get in the door of Company B, start asking questions. Look at the organization structure. How many employees are there? Do they have executive-level IT leadership, such as a Chief Information Security Officer? What does their patch program look like? Do they employ encryption (and if so, what kind) for data that’s at rest and in flight?
Once you’re allowed to, you’ll need to scan the company’s network, both from the outside and the inside. This will tell you what systems they have, and if they’re patching them properly. If you see, for example, 400 servers, and detect that 350 of them haven’t been patched in a year, you’ll know you’ve got a long road ahead of you.
Then there’s penetration testing, a.k.a. pen testing, a.k.a. white-hat hacking. You’ll want to see if you can break in—because if you can, others can.
Look at the company’s disaster recovery (DR) and business-continuity plans. Are they in place? Are they solid? Check out the insurance policies they maintain for both.
This is, by far, the biggest chasm for would-be acquirers. Again, ask questions. Don’t be afraid to be basic: “How’s morale?” Do some social engineering. Mingle with the team members. Find out who the players are, where the cliques exist, and who’s doing what.
Then do what might be called a “vendor sweep.” Vendors have special access, and they’ll come and go. That’s a vulnerability. See how chummy Company B’s team is with the vendors. Are the relationships too cozy? At best, was a vendor allowed in who’s simply a family friend and not properly vetted for credentials and certifications? At worst, is there a chance of back-room deals or payoffs? Is there a culture of complacency within Company B when it comes to the vendors? Are they allowed to simply waltz in at will, and do whatever they like? Do they have remote access?
Think of the flip-side of the “chummy” relationship—and you’ll probably shudder. What if a trusted vendor has an axe to grind with Company B? What kind of damage might they inflict? What if they possess the equivalent of tribal information—and then leave? It’s just like losing a key employee.
Hiding in plain sight
You could buy a company that appears to be 100-percent patched and compliant—yet if one person made a mistake or forgot something, that could open a gap. And that’s all it takes.
It could be an employee who didn’t know what they were doing. It could be a kid who downloaded tools from GitHub and stumbled into your network. Or it could be hackers in China, intent on exfiltrating your IP and using it against you. That’s the most insidious type of attack, because these kinds of hackers cover their tracks. They don’t “steal” data; they simply copy it and leave. Others may want to inflict maximum damage and employ, say, ransomware (think of the recent attack on Sony). Fact is, the moment your acquisition makes the news, bad actors will be banging on your firewall. You can count on it.
So when are you done?
Once you’ve successfully integrated Company B, your work is done, right? Wrong. Cybersecurity is an ongoing process that doesn’t end until you divest yourself of Company B.
Remember: M&A value creation happens when you address technology considerations and deliver measurable execution to mitigate cybersecurity issues.
Need help with the challenges and execution? Contact Ensunet today. We specialize in post-merger integration and cybersecurity, with the support of $11 billion in worldwide acquisitions under our belt. We’re ready, willing, and oh-so able to help you.