Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

M&A Tracker

How M&A Activity Can Open the Door to Cyber Threats

Mergers and acquisitions (M&A) can be exciting, offering companies a significant platform for growth. According to the Deloitte M&A Index 2016, global M&A activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these companies.

Mergers and acquisitions (M&A) can be exciting, offering companies a significant platform for growth. According to the Deloitte M&A Index 2016, global M&A activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting deals expected to add $1.5 to $1.9 trillion in value to these companies.

But while mergers and acquisitions propel companies forward, the M&A process also fuels significant opportunities for cyber criminals. Failure to secure sensitive information during this time opens the door to threat actors looking to profit by exploiting financial markets and proprietary intellectual property (IP).

Understanding the cyber risks present along the M&A process is the first step toward mitigating the risk. While each process will have its own nuances, all tend to follow five general stages. Along each stage new risks emerge and advanced attackers, well-versed in corporate espionage techniques, stand to profit. Here’s a brief look at each of the stages and the types of risks and possible degradations in security posture that may occur.

M&A Cyber Risks1. Preparation for acquisition and/or valuation. Organizations are vulnerable to threats right from the start. Job listings for positions that require corporate development or other M&A-related experience, or activities like another round of funding or other initiatives to boost the company in the eyes of deal makers, can be clues that M&A activity is in the offing. Astute financial analysts may draw their own conclusions based on activity and start to comment. Meanwhile, sophisticated threat actors who have picked up the scent may target executives typically involved with such activity with spear-phishing campaigns, man-in-the-middle malware attacks, or simply through unsecured wireless Internet connections. Not only is the deal exposed earlier than intended, possibly leading to a host of complications, but information gained can be highly valuable to those with nefarious motivations.

2. Marketing. As companies move through the process they may alter their marketing behaviors. To the public these marketing activities may appear innocuous. But to a trained eye an identifiable pattern and opportunity can emerge. A company slowing down its cycle of product announcements or showing strength in profitability while quietly reducing staff can raise suspicion. Employees who have lost their jobs may start to leak information and further tip off cybercriminals who may launch spear-phishing campaigns to confirm their suspicions and acquire valuable data.

3. Due diligence. This stage of the process can provide executives with opportunities to gain significant insights to help reduce risk, but it can also provide cybercriminals with significant opportunities to steal data. The acquiring company has the chance to review the security and integrity of the systems of the company they are merging with and understand how to mitigate risk before finalizing the deal. At the same time, both companies may experience an increase in spear-phishing attempts as attackers strive to take advantage of a surge in data that exchanges hands during due diligence.

4. Negotiations, signing and announcements. Organizations that lack social media policies, mobile device management and endpoint protection may find data leaked inadvertently as the end of the M&A process approaches. While all employees should be vigilant at this stage, executives are particularly susceptible to leaking data. Poorly secured personal devices and the use of public wifi to review documents while on the road or in meetings provide bad actors with ample opportunity to steal high-value data. Once the announcement is made, the doors will open even wider and less sophisticated attackers will also try to profit or cause disruptions.

5. Waiting period and final merge. The main risk at this stage is from employees who fear a job loss or change and may leak IP or other data. If an attacker has established a foothold in a merging network, this is also an optimal time to monitor communications and patiently wait for deeper access or utilize that information for social engineering.

Clearly, vigilance is required at all stages of the M&A process, as a failure to secure sensitive information constitutes both a threat to the organization and an opportunity for bad actors. Individuals’ behaviors, unintentional clues and vulnerabilities in inherited network infrastructure and software can all open the door to cyber risk. However, organizations armed with these insights can better understand the threats they face and mitigate accordingly.

Advertisement. Scroll to continue reading.

Given the value to be gained once the companies are combined, it’s safe to say that ensuring successful integrations will be a priority on boardroom agendas. Security, both during the M&A process and after the deal is closed, will play a central role in positive outcomes.

Related: New FireEye Service Evaluates M&A Cyber Risks

Written By

Alastair Paterson is the CEO and co-founder of Harmonic Security, enabling companies to adopt Generative AI without risk to their sensitive data. Prior to this he co-founded and was CEO of the cyber security company Digital Shadows from its inception in 2011 until its acquisition by ReliaQuest/KKR for $160m in July 2022. Alastair led the company to become an international, industry-recognised leader in threat intelligence and digital risk protection.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Understand how to go beyond effectively communicating new security strategies and recommendations.

Register

Join us for an in depth exploration of the critical nature of software and vendor supply chain security issues with a focus on understanding how attacks against identity infrastructure come with major cascading effects.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

Thirty-five cybersecurity-related M&A deals were announced in February 2023

Funding/M&A

Forty-one cybersecurity-related M&A deals were announced in March 2023.

Funding/M&A

Forty cybersecurity-related M&A deals were announced in January 2023.