SecurityWeek

M&A Tracker

Why Evaluating Cybersecurity Prior to Mergers and Acquisitions is Necessary

Timely response and proactive investigation can help lessen the potential negative impact poor cyber hygiene can have on a business acquisition

Given the rise in third-party breaches, including successful wide-scale attacks against major technology providers such as SolarWinds and Microsoft, Third Party Risk Management (TPRM) is becoming a critical concern for security teams responsible for the secure integration of third-party systems and infrastructure during mergers and acquisitions.

M&A Process Changes

The due diligence process is no longer limited to the traditional concerns around finance, contracts, liabilities, information technology, and key man risk. Cybersecurity is now a major focus during the M&A process. 

With limited review time to evaluate security risks, firms engaged in mergers and acquisitions must home in on specific areas of cybersecurity, including dangers “outside the firewall,” if they are to successfully identify and mitigate the risks associated with their investments.

Here are six focus areas M&A firms should evaluate in their due diligence process:

1. Security Engineering and Operations Management: Work that requires a dedicated security team is too often managed by IT. Many organizations have only a single IT manager with a small cross-functional team. In the best cases, companies have an accompanying MSSP or MDR vendor, but that still doesn’t guarantee the level of security necessary to mitigate investment risks.

Maturity levels vary between organizations, but a moderate-sized company lacking contemporary security controls, such as identity and access management (IAM) or vulnerability management systems, tends to be a red flag that larger issues may exist that investors and firms should be aware of. It is of particular concern when these organizations are responsible for safeguarding payment card data under PCI DSS, protected health information under HIPAA, or maintaining other regulatory compliance.

2. Vulnerability Management: Many organizations still lack an effective vulnerability management capability and struggle with asset inventory, configuration and release management, and timely patch management. The absence of these fundamental practices creates an expanded attack surface, one that advanced threat actors increasingly exploit, and should be viewed with caution. Learning what vulnerabilities exist before you acquire helps you size the investment needed to bolster protections should a purchase go through.

3. Endpoint Security Management: An effective endpoint security management solution must match the sophistication of the threats targeting a business. End user systems and devices are a primary vector attackers use to gain initial access to corporate networks. Insufficient visibility and security controls at the endpoint can ultimately lead to widespread internal compromise of critical systems and adversary access to sensitive data. Remote and dispersed workforces increase the threat of compromise via endpoint systems and devices.

4. Network and Data Access Management: Effective network and data access management is a challenge for companies small and large, increasingly so with geographic expansion and today’s remote workforces. Legacy network architectures still plague many organizations. Coupled with the lack of reliable segmentation and consistent access controls restricting access to network shares and repositories, these companies needlessly expose themselves to increased risk. Sensitive data, systems, and infrastructure create an expanded internal attack surface.

5. Incident Response Management: Organizations often lack incident response management capabilities and struggle with integrating emerging technologies, enhanced monitoring, and the establishment of playbooks and processes. An organization’s maturity and experience with incident response management often serves as a good litmus test for the general security posture and its ability to respond to current and future threats.

6. Adversary Emulation: Adversary emulation assessments and red teams are great tools for testing security controls and evaluating existing threat detection capabilities. Due to resource constraints, small and medium-sized businesses tend to rely on external vendors, with inconsistent results. Those same resource constraints lead to reassessments that are skipped, incomplete, or sporadic, so mitigation and remediation findings stay on paper and are never verified as fixed.
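Focus area 2 asks whether a target patches in a timely way, and that question can be answered from data rather than interviews. The following is an added example, not code from the article or from Nisos: it assumes the target hands over a vulnerability scanner export as CSV with one row per open finding (asset, CVE, CVSS base score, first-seen and last-seen dates), buckets findings into severity tiers, and measures each finding's age against an assumed remediation SLA. The column names, SLA tiers, sample rows, and the assessment date are all constructed for the illustration.

```python
"""Measure patch latency from a target's vulnerability export during M&A due diligence.

Added example for illustration only. Assumes a CSV export with the columns below;
column names, SLA tiers and sample data are assumptions, not any vendor's format.
"""
import csv
import io
from datetime import date

# Assumed remediation SLA in days per severity tier (use the buyer's own policy).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Assessment date used for the worked numbers below (assumed).
AS_OF = date(2021, 3, 15)

# Constructed sample export; not real scan data, CVE IDs are placeholders.
SAMPLE_EXPORT = """asset,cve,cvss,first_seen,last_seen
web-01,CVE-2021-0001,9.8,2021-01-10,2021-03-01
web-01,CVE-2021-0002,7.5,2021-02-01,2021-03-01
db-02,CVE-2020-0003,5.3,2020-06-01,2021-03-01
db-02,CVE-2021-0004,9.1,2021-02-20,2021-03-01
vpn-01,CVE-2021-0005,8.2,2020-12-01,2021-01-15
laptop-17,CVE-2021-0006,3.1,2021-02-25,2021-03-01
"""


def severity(cvss):
    """Map a CVSS v3 base score onto the four SLA tiers (CVSS qualitative bands)."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def parse_export(text):
    """Parse the CSV export into typed rows."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "asset": r["asset"],
            "cve": r["cve"],
            "cvss": float(r["cvss"]),
            "first_seen": date.fromisoformat(r["first_seen"]),
            "last_seen": date.fromisoformat(r["last_seen"]),
        })
    return rows


def assess(rows, as_of):
    """Per tier: open findings, SLA breaches, worst overdue age; plus stale assets.

    An asset the scanner has not seen for over 30 days points at an inventory or
    coverage gap, which matters as much as the vulnerability count itself.
    """
    report = {t: {"open": 0, "breached": 0, "max_overdue_days": 0} for t in SLA_DAYS}
    stale_assets = set()
    for r in rows:
        tier = severity(r["cvss"])
        age_days = (as_of - r["first_seen"]).days
        overdue = age_days - SLA_DAYS[tier]
        entry = report[tier]
        entry["open"] += 1
        if overdue > 0:
            entry["breached"] += 1
            entry["max_overdue_days"] = max(entry["max_overdue_days"], overdue)
        if (as_of - r["last_seen"]).days > 30:
            stale_assets.add(r["asset"])
    return report, sorted(stale_assets)


def breach_rate(report):
    """Share of open findings past SLA, as a percentage rounded to one decimal."""
    total = sum(t["open"] for t in report.values())
    breached = sum(t["breached"] for t in report.values())
    return round(100.0 * breached / total, 1) if total else 0.0


if __name__ == "__main__":
    report, stale = assess(parse_export(SAMPLE_EXPORT), AS_OF)
    for tier, entry in report.items():
        print(f"{tier:9s} open={entry['open']} breached={entry['breached']} "
              f"max_overdue_days={entry['max_overdue_days']}")
    print(f"breach rate: {breach_rate(report)}%  stale assets: {stale}")
```

On the constructed data every critical and high finding is past SLA and one asset (vpn-01) has dropped out of scanner coverage, which is the pattern the article warns about: the vulnerability count is only part of the story, and the remediation latency and inventory gaps are what size the post-close investment.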

While cyber due diligence has yet to become commonplace in M&A transactions, the consequences of failing to identify risks and active campaigns can have costly implications. You can do your part in mitigating risks by incorporating these key steps or by partnering with an organization that can help you understand the breadth, depth, and complexity of the challenges you are about to adopt. Timely response and proactive investigation can help lessen the potential negative impact poor cyber hygiene can have on your new acquisition.

Related: Yahoo Slashes Price of Verizon Deal $350 Million After Data Breaches

Written By

Landon Winkelvoss is Co-founder and VP of Security Strategy at Nisos.
