1/8/2019 10:30 AM
Matt Rose
Commentary

Security Matters When It Comes to Mergers & Acquisitions

The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.

Software security issues aren't going away anytime soon, as proven by the recently disclosed colossal breach at Marriott. Sure, we could rehash the typical post-mortem responses such as securing the software development life cycle, shifting left, DevSecOps, or other industry buzzwords associated with today's security concerns. But in regard to Marriott's recent breach, which affected over 500 million customers, it's critical to look at a different aspect of security: the software exposure before and after mergers and acquisitions (M&A).

M&As are a common business practice and have created some of the largest, most successful companies in the world. While the M&A process is typically thought of as a boardroom issue, we must consider more than the financial activity that looks to increase revenues and customer base. Unfortunately, vetting the associated security risks is often neglected throughout the process. This shows the need for transparency and increased security awareness between IT/security professionals and the C-suite.

M&A's Security Risk
A report by West Monroe surveyed 100 senior global executives in early 2017 and found that cybersecurity continues to be a major issue in relation to M&A, both in due diligence and after the deal closes. Fifty-two percent reported discovering a cybersecurity problem after closing the deal. It was also found that security was the No. 2 reason M&A deals were abandoned, and the second most common reason buyers regretted closing a deal. When evaluating the entire M&A process, respondents shared that the top three reasons deals often fail are security concerns (23%), financial and tax issues (23%), and problems with compliance (18%). While these percentages are relatively low, the most anxiety appears to come after the deal is done. The study found that two in five respondents said problems during post-merger integration (41%) were their main worry when thinking about issues related to security.

Based on Personal Experience
From my own experience in M&A, before I was at Checkmarx, I was responsible for vetting companies being acquired by other clients. In one case, as part of the recommended analysis, we thoroughly scanned a company's software and found that it was full of vulnerabilities. To our dismay, we discovered a backdoor into the entire system. As a result, the entire process came to a halt and the deal fell apart. The security risk was too great. In a surprising turn of events, the acquiree attempted to take legal action against the security company I was with, claiming that we blocked the M&A process. In my opinion, while we may have missed out on financial gains from the acquisition, we saved our client from a potentially costlier security compromise similar to Marriott's.

Applying What We've Learned to Marriott
This same concept can be applied to Marriott's recent breach. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world's largest hotel company. We can assume that for such a large business deal, there was a very long investigation into the financials, operating practices, market penetration, and other variables necessary to finalize such a large acquisition. But was security considered? Starwood reported an unrelated malware attack on its point-of-sale systems just two weeks after the original deal was signed. Had Marriott investigated and vetted Starwood's software security prior to the acquisition, this particular vulnerability might have been found and resolved — or at the very least, triggered a major red flag around the security of Starwood's software. Had this been elevated to the executives facilitating the M&A, the risk could have been properly evaluated, ultimately delaying or canceling the deal.

Fast forward to 2018, and the recently reported breach was in Starwood's system, not Marriott's. Unfortunately, as the parent company, Marriott is still responsible in terms of damage control. Marriott could have the best security program in the world, but because it owns Starwood, there will be significant financial and reputational damage to the entire brand. Was Marriott so focused on the financial and business aspects of the acquisition of Starwood that it was willing to accept the risk? Did Starwood know about this issue but do nothing because it knew it was going to be acquired and didn't want to spend the money to fix the problem? Or did neither Marriott nor Starwood know about the issue? No matter what the truth is, the biggest losers here are the customers who have had their personally identifiable information (PII) compromised.

The Future of Security and M&A
The major takeaway is that organizations must have a vetting process for the security of the companies they are acquiring or merging with. This process is just as important as due diligence around financials or expanded brand presence. At a minimum, during the M&A process, companies should bring in a security team — whether it be a CISO, director of security, or other — to build out a repeatable security program, evaluate network security policies, and consider important factors such as the effectiveness of firewalls, endpoint protection, and other security tools. The acquirers should ask themselves: what are the homegrown, internally developed products, and how can those cause risk? Unfortunately, today, most acquirers simply turn their heads away from the problem because the profit margins seem greater than the risk.

The acquiring company now must do damage control on all fronts, even if the problem was something it didn't cause. The Marriott breach may have been avoided if proper security policies and/or practices around vetting potential risk had been in place. Today, any company that processes PII data — regardless of the industry it is in — should consider itself a technology company, and, therefore, security should be at the forefront of boardroom discussions, not just during M&A but throughout the course of business.

Matt has over 18 years of software development, sales, engineering management and consulting experience. Matt has helped some of the largest organizations in the world in a variety of industries, regions and technical environments implement secure software development life ...
Comments
Milos Rex, User Rank: Apprentice
4/19/2019 | 3:18:04 PM
Compliments!
Interestingly enough, there is not much content about security matters related to mergers and acquisitions online, and yet it is one of the most important things to pay attention to. The only other place where I found articles that cover key questions related to M&A is dealroom.net. Thank you very much for this article!