Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

M&A Tracker

How to Plan Your M&A Security Strategy

Previously I explored why the importance of evaluating cybersecurity prior to mergers and acquisitions and the layers of security management that involves. However, the security strategy goes beyond having an understanding of what’s involved.

Previously I explored why the importance of evaluating cybersecurity prior to mergers and acquisitions and the layers of security management that involves. However, the security strategy goes beyond having an understanding of what’s involved. There also needs to be plans that are developed so that the merger/acquisition not only causes as little technology disruption as possible, but also prevents gaps in security.  

To formulate a plan, below are the bare minimums M&A teams should review during diligence, assuming your team has at least 1-3 weeks:

1. Existing Cyber Environment: The acquiring company needs to be hyper aware of the environment they are inheriting. Study network and system architectures, including known hardware and software systems, vulnerabilities, IT and OT asset inventory, patching schedule, digital asset management, cloud services, mobile policies, application vulnerabilities, data flows, and more. For example if an acquiring company is primarily a Windows environment using a colocation center and they are acquiring a Linux and open source environment in AWS, that’s a major integration effort to be planned.

2. Data Management and Protections: Understand all data handling measures, data privacy and security controls, including how the acquisition target stores, uses and disposes of customer data. Review any contractual obligations, especially over data and contractor use that the acquired company may have with another company.

3. Data Storage Compliance: Review the acquired company’s security program to verify that it meets regulatory requirements, current industry standards, and best practices in the industry.

4. Existing Evaluations: Consider the results of previous security audits and assessments, vulnerability scans, and penetration tests when formulating incident response plans and playbooks. Keep in mind the growth and size of the acquisition relative to industry and sensitivity of data. For instance, a health care records company using a MSSP or MDR should not be seeing a penetration testing company escalating privileges to domain administrator – where ransomware could be deployed – or gaining access to sensitive cloud storage for two weeks with no alerts. 

5. Gaps in Role Responsibilities: Understand the IT and security organization hierarchy and start thinking about ensuring the appropriate roles and responsibilities for the team. IT professionals will be expecting to understand where their careers fit into the new organization. Ensure they don’t become future insider threats who have the keys to the kingdom.

6. Current Risks and Threats: At the very minimum, conduct technical due diligence and validation. External threat hunting and cyber hygiene measures are great ways to validate consultative reviews and vulnerabilities, review for integration concerns, and ensure no active breach is present with commercially available external telemetry. If time allows, a compromise assessment is always the most holistic and complete approach to ensure no malicious network activity but often takes more than 2-3 weeks. 

Advertisement. Scroll to continue reading.

If red flags are present during the above steps, security teams should consider taking the following actions during diligence:

1. Conduct extensive internal and external threat hunting against the target of acquisition over a period of three to six months. 

2. Consider the use of an MDR or MSSP service for such monitoring if it’s more cost effective relative to your internal team’s resources and bandwidth. 

3. Conduct an aggressive and thorough penetration test of the corporate and production environments of the acquisition target, ensuring both security teams work to identify and remediate the issues.

While security teams often feel pressure to move forward even if negative findings are present, ineffective security approaches when integrating two separate organizations can lead to significant issues that could undercut the business value of the merger or acquisition. Security shouldn’t be a component of mergers and acquisitions, it should be part of the foundation. 

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

SecurityWeek’s Ransomware Resilience and Recovery Summit helps businesses to plan, prepare, and recover from a ransomware incident.

Register

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...

Cybersecurity Funding

2022 Cybersecurity Year in Review: Top news headlines and trends that impacted the security ecosystem

Endpoint Security

Today, on January 10, 2023, Windows 7 Extended Security Updates (ESU) and Windows 8.1 have reached their end of support dates.

Funding/M&A

Thirty-five cybersecurity-related M&A deals were announced in February 2023

Email Security

Many Fortune 500, FTSE 100 and ASX 100 companies have failed to properly implement the DMARC standard, exposing their customers and partners to phishing...

Funding/M&A

Forty-one cybersecurity-related M&A deals were announced in March 2023.

Funding/M&A

Forty cybersecurity-related M&A deals were announced in January 2023.