Security Experts:

Connect with us

Hi, what are you looking for?


M&A Tracker

Did You Know: Browsing the Internet is a Risk to the M&A Process?

While mergers and acquisitions (M&A) are generally known for bringing economic growth and opportunity, people are beginning to realize that the process also brings serious cybersecurity risks.

While mergers and acquisitions (M&A) are generally known for bringing economic growth and opportunity, people are beginning to realize that the process also brings serious cybersecurity risks. For example, along with the acquired company’s valuable assets, buyers also inherit all previous and current vulnerabilities and breach history. But there are also risks that exist for buyers before they sign on the dotted line or take action to merge technologies, processes and resources – during the M&A process, an organization is vulnerable from the moment they set out to do online research.

If done without caution, just the act of online fact-finding and information gathering on target companies poses risks to potential buyers. Aside from the potential security risks that may be introduced, the acquiring company faces the risk of tipping its hat or showing its hand. If the target or the acquisition learns of the buyer’s intent and desires, it may help their negotiating position. The target could open up parallel discussions, initiate their own research and monitoring activities, and take other steps that may result in a higher cost of acquisition or even derail the opportunity. The acquisition process requires substantial time and energy that could end up being wasted if the process of preliminary due diligence is not protected. I began working on internet anonymity tools in 1992, and since then I have gained a unique and detailed understanding of the different approaches organizations can utilize to protect their anonymity while searching and investigating in the open internet. When taking the first exploratory steps of the M&A process, these web searches could very well expose M&A intentions.

M&A Cyber RisksM&A research leaves a very clear fingerprint. Visits to the target come from unusual sources like senior management, the company’s law firm, specialist consultants, and investment banks. The visits do not follow typical customer patterns, focusing on the management, public financials, and technical details. A company can easily detect this research through monitoring their own web logs. By obfuscating where searches are coming from and breaking the inquiries up across multiple companies, intentions will not look like a coordinated effort of due diligence. Rather, it will appear that 100 companies or individuals are each grabbing different tidbits of information from the acquisition target’s website. The activity will mimic normal web visits versus a coordinated due diligence effort.

Obfuscating the origin and identity of a search is not easy, there are several different ways to be tracked or identified online. As I discussed in a previous SecurityWeek article, the moment a search is initiated on the public internet, all interested parties can recognize and react to actions, behaviors and patterns. They can discern who initiated the search, from where it is being launched, and even the source of employment. This can tip them to promote false information or simply discover and react to intentions and likely next steps. Each browser has a unique fingerprint made up of all the software and plugin versions, configurations, fonts, and characteristics of the source computer. Together, this data is usually unique for each visitor to a given website. Even when obfuscating the IP address and all supercookies, interested parties can still learn the identify using the browser fingerprint.

A counter to this tactic would be to use a browser fingerprint that is shared by many. The most common browser fingerprint is a freshly installed operating system. From there, they diverge quickly. And by using a VM, the source system will always appear as operating a newly installed operating system. Managing these identifiers online will help investigative queries blend in with general internet users and will enable research to be conducted without drawing undo attention or tipping the hat of M&A intentions or interests.

RelatedManaging Security and Network Implications of Mergers and Acquisitions

Written By

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

CISO Strategy

Cybersecurity-related risk is a top concern, so boards need to know they have the proper oversight in place. Even as first-timers, successful CISOs make...

Management & Strategy

Industry professionals comment on the recent disruption of the Hive ransomware operation and its hacking by law enforcement.

Management & Strategy

Tens of cybersecurity companies have announced cutting staff over the past year, in some cases significant portions of their global workforce.

Management & Strategy

SecurityWeek examines how a layoff-induced influx of experienced professionals into the job seeker market is affecting or might affect, the skills gap and recruitment...

M&A Tracker

The SecurityWeek editorial team huddled over the holidays to look back at the stories that shaped 2022 and, more importantly, to stare into a...

Risk Management

A threat-based approach to security often focuses on a checklist to meet industry requirements but overlooked the key component of security: reducing risk.

Management & Strategy

Microsoft making a multiyear, multibillion dollar investment in the artificial intelligence startup OpenAI, maker of ChatGPT and other tools.