Application Security

1/8/2019 10:30 AM
Matt Rose
Commentary

Security Matters When It Comes to Mergers & Acquisitions

The recently disclosed Marriott breach exposed a frequently ignored issue in the M&A process.

Software security issues aren't going away anytime soon, as proven by the recently disclosed colossal breach at Marriott. Sure, we could rehash the typical post-mortem responses such as securing the software development life cycle, shifting left, DevSecOps, or other industry buzzwords associated with today's security concerns. But in regard to Marriott's recent breach, which affected over 500 million customers, it's critical to look at a different aspect of security: the software exposure before and after mergers and acquisitions (M&A).

M&As are a common business practice and have created some of the largest, most successful companies in the world. While the M&A process is typically thought of as a boardroom issue, there is more to consider than the financial activity aimed at increasing revenue and customer base. Unfortunately, vetting the associated security risks is often neglected throughout the process. This shows the need for transparency and increased security awareness between IT/security professionals and the C-suite.

M&A's Security Risk
A report by West Monroe surveyed 100 senior global executives in early 2017 and found that cybersecurity continues to be a major issue in relation to M&A, both in due diligence and after the deal closes. Fifty-two percent reported discovering a cybersecurity problem after closing the deal. Security was also the No. 2 reason M&A deals were abandoned, and the second most common reason buyers regretted closing a deal. When evaluating the entire M&A process, respondents said the top three reasons deals fail are security concerns (23%), financial and tax issues (23%), and problems with compliance (18%). While these percentages are relatively low, the most anxiety appears to come after the deal is done: two in five respondents (41%) said that problems during post-merger integration were their main worry when thinking about security-related issues.

Based on Personal Experience
From my own experience in M&A, before I was at Checkmarx, I was responsible for vetting companies being acquired by other clients. In one case, as part of the recommended analysis, we thoroughly scanned a company's software and found that it was full of vulnerabilities. To our dismay, we discovered a backdoor into the entire system. As a result, the entire process came to a halt and the deal fell apart. The security risk was too great. In a surprising turn of events, the acquiree attempted to take legal action against the security company I was with, claiming that we blocked the M&A process. In my opinion, while we may have missed out on financial gains from the acquisition, we saved our client from a potentially costlier security compromise similar to Marriott's.

Applying What We've Learned to Marriott
This same concept can be applied to Marriott's recent breach. In 2016, Marriott International acquired Starwood Hotels & Resorts Worldwide, creating the world's largest hotel company. We can assume that for such a large business deal, there was a very long investigation into the financials, operating practices, market penetration, and other variables necessary to finalize such a large acquisition. But was security considered? Starwood reported an unrelated malware attack on its point-of-sale systems just two weeks after the original deal was signed. Had Marriott investigated and vetted Starwood's software security prior to the acquisition, this particular weakness might have been found and resolved, or at the very least it would have raised a major red flag around the security of Starwood's software. Had this been escalated to the executives facilitating the M&A, the risk could have been properly evaluated and the deal delayed or canceled.

Fast forward to 2018, and the recently reported breach was in Starwood's system, not Marriott's. Unfortunately, as the parent company, Marriott is still responsible in terms of damage control. Marriott could have the best security program in the world, but because it owns Starwood, there will be significant financial and reputation damage to the entire brand. Was Marriott so focused on the financial and business aspects of the acquisition of Starwood that it was willing to accept the risk? Did Starwood know about this issue but did nothing because it knew it was going to be acquired and didn't want to spend the money to fix the problem? Or did neither Marriott nor Starwood know about the issue? No matter what the truth is, the biggest losers here are the customers who have had their personally identifiable information (PII) compromised.

The Future of Security and M&A
The major takeaway is that organizations must have a process for vetting the security of the companies they are acquiring or merging with. This process is just as important as due diligence around financials or expanded brand presence. At a minimum, during the M&A process, companies should bring in a security team, whether it be a CISO, director of security, or other, to build out a repeatable security program, evaluate network security policies, and assess important factors such as the effectiveness of firewalls, endpoint protection, and other security tools. Acquirers should ask themselves: what homegrown, internally developed products does the target run, and how can those create risk? Unfortunately, today most acquirers simply look away from the problem because the profit margins seem greater than the risk.

The acquiring company now must do damage control on all fronts, even for a breach it did not cause. The Marriott breach might have been avoided if proper security policies and/or practices for vetting potential risk had been in place. Today, any company that processes PII, regardless of its industry, should consider itself a technology company, and, therefore, security should be at the forefront of boardroom discussions, not just during M&A but throughout the course of business.

Erez Yalon heads the security research group at Checkmarx. With vast defender and attacker experience and as an independent security researcher, he brings invaluable knowledge and skills to the table. Erez is responsible for maintaining Checkmarx's top-notch vulnerability ...
Comments

Milos Rex, User Rank: Apprentice
4/19/2019 | 3:18:04 PM
Compliments!
Interestingly enough, there is not much content about security matters related to mergers and acquisitions online, and yet it is one of the most important things to pay attention to. The only other place where I found articles that cover key questions related to M&A is dealroom.net Thank you very much for this article!