Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

1/8/2019
10:30 AM
Matt Rose
Matt Rose
Commentary
Connect Directly
LinkedIn
RSS
E-Mail vvv
50%
50%

Security Matters When It Comes to Mergers & Acquisitions

The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.

Software security issues aren't going away anytime soon, as proven by the recently disclosed colossal breach at Marriott. Sure, we could rehash the typical post-mortem responses such as securing the software development life cycle, shifting left, DevSecOps, or other industry buzzwords associated with today's security concerns. But in regard to Marriott's recent breach, which affected over 500 million customers, it's critical to look at a different aspect of security: the software exposure before and after mergers and acquisitions (M&A).

M&As are a common business practice and have created some of the largest, most successful companies in the world. While the M&A process is typically thought of as a boardroom issue, we must consider more than the financial activity that looks to increase revenues and customer base. Unfortunately, vetting the associated security risks is often neglected throughout the process. This shows the need for transparency and increased security awareness between IT/security professionals and the C-suite.

M&A's Security Risk
A report by West Monroe surveyed 100 senior global executives in early 2017 and found that cybersecurity continues to be a major issue in relation to M&A, both in due diligence and after the deal closes. Fifty-two percent reported discovering a cybersecurity problem after closing the deal. It was also found that security was the No. 2 reason M&A deals were abandoned, and the second most common reason buyers regretted closing a deal. When evaluating the entire M&A process, respondents shared that the top three reasons deals often fail are security concerns (23%), financial and tax issues (23%), and problems with compliance (18%). While these are relatively low, the most anxiety appears to come after the deal is done. The study found that two in five respondents said problems during post-merger integration (41%) was their main worry when thinking about issues related to security.

Based on Personal Experience
From my own experience in M&A, before I was at Checkmarx, I was responsible for vetting companies being acquired by other clients. In one case, as part of the recommended analysis, we thoroughly scanned a company's software and found that it was full of vulnerabilities. To our dismay, we discovered a backdoor into the entire system. As a result, the entire process came to a halt and the deal fell apart. The security risk was too great. In a surprising turn of events, the acquiree attempted to take legal action against the security company I was with, claiming that we blocked the M&A process. In my opinion, while we may have missed out on financial gains from the acquisition, we saved our client from a potentially costlier security compromise similar to Marriott's.

Applying What We've Learned to Marriott
This same concept can be applied to Marriot's recent breach. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world's largest hotel company. We can assume that for such a large business deal, there was a very long investigation into the financials, operating practices, market penetration, and other variables necessary to finalize such a large acquisition. But was security considered? Starwood reported an unrelated malware attack on their point-of-sale systems just two weeks after the original deal was signed. Had Marriott investigated and vetted Starwood's software security prior to the acquisition, this particular vulnerability might have been found and resolved — or at the very least, triggered a major red flag around the security of Starwood's software. Had this been elevated to executives facilitating the M&A, the risk could have been properly evaluated, ultimately delaying or canceling the deal.

Fast forward to 2018, and the recently reported breach was in Starwood's system, not Marriott's. Unfortunately, as the parent company, Marriott is still responsible in terms of damage control. Marriott could have the best security program in the world, but because it owns Starwood, there will be significant financial and reputation damage to the entire brand. Was Marriott so focused on the financial and business aspects of the acquisition of Starwood that it was willing to accept the risk? Did Starwood know about this issue but did nothing because it knew it was going to be acquired and didn't want to spend the money to fix the problem? Or did neither Marriott nor Starwood know about the issue? No matter what the truth is, the biggest losers here are the customers who have had their personally identifiable information (PII) compromised.

The Future of Security and M&A
The major takeaway is that organizations must have a vetting process for the security of the companies with whom they are acquiring or merging. This process is just as important as due diligence around financials or expanded brand presence. At a minimum, during the M&A process, companies should bring in a security team — whether it be a CISO, director of security, or other — to build out a repeatable security program, evaluate network security policies, and consider important factors such as the effectiveness of firewalls, endpoint protection, and other security tools. The acquirers should ask themselves, what are the homegrown, internally developed products, and how can those cause risk? Unfortunately, today, most acquirers simply turn their heads away from the problem because the profit margins seem greater than the risk.

The acquiring company now must do damage control on all fronts, even if it was something it didn't do. The Marriott breach may have been avoided if proper security policies and or practices around vetting potential risk were in place. Today, any company that processes PII data — regardless of the industry it is in — should consider itself a technology company, and, therefore, security should be at the forefront of boardroom discussions, not just during M&A but throughout the course of business. 

Related Content:

Matt Rose has over 18 years of software development, sales engineering management, and consulting experience. During this time, Matt has helped some of the largest organizations in the world in a variety of industries, regions, and technical environments implement secure ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Milos Rex
50%
50%
Milos Rex,
User Rank: Apprentice
4/19/2019 | 3:18:04 PM
Compliments!
Interestingly enough, there is not much content about security matters related to mergers and acquisitions online, and yet it is one of the most important things to pay attention to. The only other place where I found articles that cover key questions related to M&A is dealroom.net Thank you very much for this article!
7 Truths About BEC Scams
Ericka Chickowski, Contributing Writer,  6/13/2019
DNS Firewalls Could Prevent Billions in Losses to Cybercrime
Curtis Franklin Jr., Senior Editor at Dark Reading,  6/13/2019
Can Your Patching Strategy Keep Up with the Demands of Open Source?
Tim Mackey, Principal Security Strategist, CyRC, at Synopsys,  6/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-1874
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog Software could allow an unauthenticated, remote attacker to conduct a cross-site request forgery (CSRF) attack on an affected system. The vulnerability is due to insufficient CSRF protection mechanisms on the web-ba...
CVE-2019-1875
PUBLISHED: 2019-06-20
A vulnerability in the web-based management interface of Cisco Prime Service Catalog could allow an authenticated, remote attacker to conduct a cross-site scripting (XSS) attack against a user of the web-based interface. The vulnerability is due to insufficient validation of user-supplied input by t...
CVE-2019-1876
PUBLISHED: 2019-06-20
A vulnerability in the HTTPS proxy feature of Cisco Wide Area Application Services (WAAS) Software could allow an unauthenticated, remote attacker to use the Central Manager as an HTTPS proxy. The vulnerability is due to insufficient authentication of proxy connection requests. An attacker could exp...
CVE-2019-1878
PUBLISHED: 2019-06-20
A vulnerability in the Cisco Discovery Protocol (CDP) implementation for the Cisco TelePresence Codec (TC) and Collaboration Endpoint (CE) Software could allow an unauthenticated, adjacent attacker to inject arbitrary shell commands that are executed by the device. The vulnerability is due to insuff...
CVE-2019-1879
PUBLISHED: 2019-06-20
A vulnerability in the CLI of Cisco Integrated Management Controller (IMC) could allow an authenticated, local attacker to inject arbitrary commands that are executed with root privileges. The vulnerability is due to insufficient validation of user-supplied input at the CLI. An attacker could exploi...