How to Plan Your M&A Security Strategy

Previously I explored why the importance of evaluating cybersecurity prior to mergers and acquisitions and the layers of security management that involves. However, the security strategy goes beyond having an understanding of what’s involved. There also needs to be plans that are developed so that the merger/acquisition not only causes as little technology disruption as possible, but also prevents gaps in security.  

To formulate a plan, below are the bare minimums M&A teams should review during diligence, assuming your team has at least 1-3 weeks:

1. Existing Cyber Environment: The acquiring company needs to be hyper aware of the environment they are inheriting. Study network and system architectures, including known hardware and software systems, vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more. For example if an acquiring company is primarily a Windows environment using a colocation center and they are acquiring a Linux and open source environment in AWS, that’s a major integration effort to be planned.

2. Data Management and Protections: Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially over data and contractor use that the acquired company may have with another company.

3. Data Storage Compliance: Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards, and best practices in the industry.

4. Existing Evaluations: Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks. Keep in mind the growth and size of the acquisition relative to industry and sensitivity of data. For instance, a health care records company using a MSSP or MDR should not be seeing a penetration testing company escalating privileges to domain administrator – where ransomware could be deployed – or gaining access to sensitive cloud storage for two weeks with no alerts. 

5. Gaps in Role Responsibilities: Understand the IT and security organization hierarchy and start thinking about ensuring the appropriate roles and responsibilities for the team. IT professionals will be expecting to understand where their careers fit into the new organization. Ensure they don’t become future insider threats who have the keys to the kingdom.

6. Current Risks and Threats: At the very minimum, conduct technical due diligence and validation. External threat hunting and cyber hygiene measures are great ways to validate consultative reviews and vulnerabilities, review for integration concerns, and ensure no active breach is present with commercially available external telemetry. If time allows, a compromise assessment is always the most holistic and complete approach to ensure no malicious network activity but often takes more than 2-3 weeks. 

If red flags are present during the above steps, security teams should consider taking the following actions during diligence:

1. Conduct extensive internal and external threat hunting against the target of acquisition over a period of three to six months. 

2. Consider the use of an MDR or MSSP service for such monitoring if it’s more cost effective relative to your internal team’s resources and bandwidth. 

3. Conduct an aggressive and thorough penetration test of the corporate and production environments of the acquisition target, ensuring both security teams work to identify and remediate the issues.

While security teams often feel pressure to move forward even if negative findings are present, ineffective security approaches when integrating two separate organizations can lead to significant issues that could undercut the business value of the merger or acquisition. Security shouldn’t be a component of mergers and acquisitions, it should be part of the foundation.