Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

checkLoop 1
11/11/2019
10:00 AM
Julie Cullivan
Julie Cullivan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Security Processes You Shouldn't Overlook During M&A

Security needs to be a central element of due diligence if a merger or acquisition is to succeed

There's a lot more attention being put on cybersecurity during the M&A process, and for good reason. The Marriott-Starwood merger is a prime example, shining the spotlight on what can happen if you accidently acquire a data breach. As part of the merger, Marriott acquired many new hotel brands but also unwittingly inherited a large-scale breach that affected approximately 500 million customers resulting from a hack of Starwood's customer reservation database prior to the acquisition deal.

According to a recent Forescout survey of IT and business decision-makers, 65% said they regretted making an acquisition because of a cybersecurity issue. But cybersecurity during M&A isn't just a point-in-time exercise. It should start with due diligence — but even more importantly, cybersecurity should be a key consideration in the entire integration process. That's the real heavy lifting when it comes to cybersecurity and M&A. 

Post-acquisition, there's lots of pressure on the CIO and other executives to get the integration done as quickly as possible so the company can realize the benefits of the deal. While IT sometimes gets a bad reputation for moving slowly during this process, in reality there are a lot of factors and complexity that go into making sure the integration is done smoothly and securely with minimal business disruption. 

Weaving cybersecurity throughout due diligence and then integration planning is a way to set reasonable expectations on the priorities and timing. With that in mind, here are five processes to address before, during, and after a merger or acquisition. Being able to explain "the why" behind each of these priorities and time frames in a way the business teams can understand is critical in each step.

1. Cybersecurity Due Diligence Is Key 
Cybersecurity due diligence should start before any deal is made. You're looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off of its purchase price for Yahoo after two data breaches were discovered. 

Our same survey revealed 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition. To discover an unknown breach, you could engage a third-party auditor to conduct an internal cybersecurity assessment or do evaluations like a device audit. 

If it's a product or services company acquisition, I would also put particular emphasis on evaluating the product or service itself to make sure the risk posture is understood and acceptable — you first and foremost want to be sure that the very reason you are acquiring the company does not create risk to your customers or your reputation. For instance, when Marriott was in the process of merging with Starwood, perhaps further due diligence could have been run on Starwood's customer database to ensure that all guests' personal information and preferences were stored securely. 

2. Basic Integration for Day 1 Collaboration
Then, once the deal is closed, you get to the second and larger piece of the M&A process: the integration. Some of these tasks can move quickly thanks to the cloud, with tools like Office 365, Zoom, and Box. Getting systems like these integrated right from the start takes a lot of the pressure off the CIO because new team members are able to start collaborating and doing simple tasks like scheduling meetings and sending emails with their new colleagues right away. 

3. Comprehensive Integration Across Infrastructure, Security, Access
The deeper, more strategic work comes after that and this is really a joint effort with the business. This is the time when you have to take a step back and focus on the integration from an infrastructure, security and access perspective in order to ensure alignment across the organizations and to identify hidden sources of risk.

You can't rush this without potentially introducing new risk. IT and business decision-makers identified the top areas of risk during integration as human error and configuration weakness (51%), connected devices (50%), and data management and storage systems (49%), according to Forescout's survey. You have to go system by system and connect them, making sure data is kept secure and each person has the right access.

Although the technical integration is rarely as fast as the business would like, it is the easier piece of the process. More often, it's things like systems and data access, new work processes, data migration, business impact (such as release cycles and end of quarter), and change management that will slow progress. Let's face it, there is never a good time to do these things. 

4. Cultural Integration
You also have to factor in the cultures of the two organizations. One organization might have a more mature security posture than the other. Or they may be very married to the way they do things and don't want to change. In other cases, you may have to integrate very different business models or capabilities into a single system. But in any situation, you have to bring everyone to the table and work together as one team.  

5. Rinse, Repeat, and Refine
The important thing to remember in all of this is that both the threat landscape and your IT environment and systems are always changing and evolving. While it's important to incorporate cybersecurity into due diligence and the initial integration, it's a process that you will have to continue throughout the full lifetime of the organization. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's story: "4 Ways to Soothe a Stressed-Out Incident Response Team"

With more than two decades of experience driving global operational capabilities across some of the world's largest cybersecurity and IT brands, Julie leads the people, business, and technology operations at Forescout. Julie has extensive operational and technical leadership ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-19777
PUBLISHED: 2019-12-13
stb_image.h (aka the stb image loader) 2.23, as used in libsixel and other products, has a heap-based buffer over-read in stbi__load_main.
CVE-2019-19778
PUBLISHED: 2019-12-13
An issue was discovered in libsixel 1.8.2. There is a heap-based buffer over-read in the function load_sixel at loader.c.
CVE-2019-16777
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.4 are vulnerable to an Arbitrary File Overwrite. It fails to prevent existing globally-installed binaries to be overwritten by other package installations. For example, if a package was installed globally and created a serve binary, any subsequent installs of pa...
CVE-2019-16775
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It is possible for packages to create symlinks to files outside of thenode_modules folder through the bin field upon installation. A properly constructed entry in the package.json bin field would allow a package publi...
CVE-2019-16776
PUBLISHED: 2019-12-13
Versions of the npm CLI prior to 6.13.3 are vulnerable to an Arbitrary File Write. It fails to prevent access to folders outside of the intended node_modules folder through the bin field. A properly constructed entry in the package.json bin field would allow a package publisher to modify and/or gain...
checkLoop 2