Threat Intelligence

11/11/2019 10:00 AM
Julie Cullivan
Commentary

5 Security Processes You Shouldn't Overlook During M&A

Security needs to be a central element of due diligence if a merger or acquisition is to succeed

There's a lot more attention being put on cybersecurity during the M&A process, and for good reason. The Marriott-Starwood merger is a prime example, shining the spotlight on what can happen if you accidentally acquire a data breach. As part of the merger, Marriott acquired many new hotel brands but also unwittingly inherited a large-scale breach that affected approximately 500 million customers, resulting from a hack of Starwood's customer reservation database prior to the acquisition deal.

According to a recent Forescout survey of IT and business decision-makers, 65% said they regretted making an acquisition because of a cybersecurity issue. But cybersecurity during M&A isn't just a point-in-time exercise. It should start with due diligence — but even more importantly, cybersecurity should be a key consideration in the entire integration process. That's the real heavy lifting when it comes to cybersecurity and M&A. 

Post-acquisition, there's lots of pressure on the CIO and other executives to get the integration done as quickly as possible so the company can realize the benefits of the deal. While IT sometimes gets a bad reputation for moving slowly during this process, in reality there are a lot of factors and complexity that go into making sure the integration is done smoothly and securely with minimal business disruption. 

Weaving cybersecurity throughout due diligence and then integration planning is a way to set reasonable expectations on the priorities and timing. With that in mind, here are five processes to address before, during, and after a merger or acquisition. Being able to explain "the why" behind each of these priorities and time frames in a way the business teams can understand is critical in each step.

1. Cybersecurity Due Diligence Is Key
Cybersecurity due diligence should start before any deal is made. You're looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off its purchase price for Yahoo after two data breaches were discovered.

Our same survey revealed 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition. To discover an unknown breach, you could engage a third-party auditor to conduct an internal cybersecurity assessment or do evaluations like a device audit. 

If it's a product or services company acquisition, I would also put particular emphasis on evaluating the product or service itself to make sure the risk posture is understood and acceptable — you first and foremost want to be sure that the very reason you are acquiring the company does not create risk to your customers or your reputation. For instance, when Marriott was in the process of merging with Starwood, perhaps further due diligence could have been run on Starwood's customer database to ensure that all guests' personal information and preferences were stored securely. 

2. Basic Integration for Day 1 Collaboration
Then, once the deal is closed, you get to the second and larger piece of the M&A process: the integration. Some of these tasks can move quickly thanks to the cloud, with tools like Office 365, Zoom, and Box. Getting systems like these integrated right from the start takes a lot of the pressure off the CIO because new team members are able to start collaborating and doing simple tasks like scheduling meetings and sending emails with their new colleagues right away. 

3. Comprehensive Integration Across Infrastructure, Security, Access
The deeper, more strategic work comes after that, and it is really a joint effort with the business. This is the time when you have to take a step back and focus on the integration from an infrastructure, security, and access perspective in order to ensure alignment across the organizations and to identify hidden sources of risk.

You can't rush this without potentially introducing new risk. IT and business decision-makers identified the top areas of risk during integration as human error and configuration weakness (51%), connected devices (50%), and data management and storage systems (49%), according to Forescout's survey. You have to go system by system and connect them, making sure data is kept secure and each person has the right access.

Although the technical integration is rarely as fast as the business would like, it is the easier piece of the process. More often, it's things like systems and data access, new work processes, data migration, business impact (such as release cycles and end of quarter), and change management that will slow progress. Let's face it, there is never a good time to do these things. 

4. Cultural Integration
You also have to factor in the cultures of the two organizations. One organization might have a more mature security posture than the other. Or they may be very married to the way they do things and don't want to change. In other cases, you may have to integrate very different business models or capabilities into a single system. But in any situation, you have to bring everyone to the table and work together as one team.  

5. Rinse, Repeat, and Refine
The important thing to remember in all of this is that both the threat landscape and your IT environment and systems are always changing and evolving. While it's important to incorporate cybersecurity into due diligence and the initial integration, it's a process that you will have to continue throughout the full lifetime of the organization. 


With more than two decades of experience driving global operational capabilities across some of the world's largest cybersecurity and IT brands, Julie leads the people, business, and technology operations at Forescout. Julie has extensive operational and technical leadership ...