Threat Intelligence

11/11/2019
10:00 AM
Julie Cullivan
Commentary
5 Security Processes You Shouldn't Overlook During M&A

Security needs to be a central element of due diligence if a merger or acquisition is to succeed

There's a lot more attention being put on cybersecurity during the M&A process, and for good reason. The Marriott-Starwood merger is a prime example, shining a spotlight on what can happen if you accidentally acquire a data breach. As part of the merger, Marriott acquired many new hotel brands but also unwittingly inherited a large-scale breach, affecting approximately 500 million customers, that resulted from a compromise of Starwood's customer reservation database prior to the acquisition deal.

According to a recent Forescout survey of IT and business decision-makers, 65% said they regretted making an acquisition because of a cybersecurity issue. But cybersecurity during M&A isn't just a point-in-time exercise. It should start with due diligence — but even more importantly, cybersecurity should be a key consideration in the entire integration process. That's the real heavy lifting when it comes to cybersecurity and M&A. 

Post-acquisition, there's lots of pressure on the CIO and other executives to get the integration done as quickly as possible so the company can realize the benefits of the deal. While IT sometimes gets a bad reputation for moving slowly during this process, in reality there are a lot of factors and complexity that go into making sure the integration is done smoothly and securely with minimal business disruption. 

Weaving cybersecurity throughout due diligence and then integration planning is a way to set reasonable expectations on the priorities and timing. With that in mind, here are five processes to address before, during, and after a merger or acquisition. Being able to explain "the why" behind each of these priorities and time frames in a way the business teams can understand is critical in each step.

1. Cybersecurity Due Diligence Is Key 
Cybersecurity due diligence should start before any deal is made. You're looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off of its purchase price for Yahoo after two data breaches were discovered. 

The same survey revealed that 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition. To surface an unknown breach, engage a third-party auditor to conduct an independent cybersecurity assessment of the target's environment, including a search for signs of past compromise, and do your own evaluations, such as a device audit that reconciles what the target says it owns against what is actually on its network.
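As an added illustration of what a "device audit" can look like in practice (this is example code written for this page, not code from the article or from Forescout), the script below reconciles the target company's declared asset inventory with what network discovery actually found and flags the gaps a due-diligence team cares about: devices on the network that nobody has recorded, inventory records for devices that no longer exist, end-of-life operating systems, and devices the target admits are unmanaged. The CMDB export, the scan output, the 10.20.0.0/16 scope and the end-of-life OS list are all constructed for the example.

```python
"""Due-diligence device audit: reconcile what the target company says it owns
(a CMDB export) against what network discovery actually finds. Added example,
not code from the article or from Forescout; all data below is constructed."""
import csv
import io
import ipaddress
from collections import Counter
from dataclasses import dataclass

# Constructed CMDB export supplied by the acquisition target (hypothetical hosts).
CMDB_CSV = """hostname,ip,owner,os,managed
res-db-01,10.20.1.10,reservations,Windows Server 2016,yes
res-web-01,10.20.1.20,reservations,Ubuntu 18.04,yes
hr-fs-01,10.20.2.5,hr,Windows Server 2008 R2,yes
pos-term-07,10.20.3.70,retail,Windows 7,no
"""

# Constructed discovery output (what an ARP/ping sweep of the target's ranges returned).
SCAN_CSV = """ip,mac,os_guess
10.20.1.10,00:11:22:33:44:01,Windows Server 2016
10.20.1.20,00:11:22:33:44:02,Linux
10.20.3.70,00:11:22:33:44:07,Windows 7
10.20.3.71,00:11:22:33:44:08,Windows 7
10.20.9.200,00:11:22:33:44:99,Embedded Linux
"""

# Assumed end-of-life OS prefixes for this example; a real audit would use vendor lifecycle data.
EOL_OS_PREFIXES = ("Windows 7", "Windows Server 2008")


@dataclass(frozen=True)
class Finding:
    ip: str
    category: str  # unknown_device | stale_record | eol_os | unmanaged
    detail: str


def load_rows(text):
    return list(csv.DictReader(io.StringIO(text)))


def audit_devices(cmdb_text, scan_text, in_scope):
    """Cross-check CMDB rows against scan rows inside the CIDR ranges in `in_scope`.

    unknown_device: on the network but absent from the CMDB (where breaches hide)
    stale_record:   in the CMDB but not seen on the network (inventory not maintained)
    eol_os:         unsupported OS, from the CMDB field or the scanner's fingerprint
    unmanaged:      the CMDB itself admits the device is outside endpoint management
    """
    scope = [ipaddress.ip_network(n) for n in in_scope]

    def scoped(ip):
        return any(ipaddress.ip_address(ip) in net for net in scope)

    cmdb = {r["ip"]: r for r in load_rows(cmdb_text) if scoped(r["ip"])}
    seen = {r["ip"]: r for r in load_rows(scan_text) if scoped(r["ip"])}
    findings = []

    for ip, row in seen.items():
        if ip not in cmdb:
            findings.append(Finding(ip, "unknown_device",
                                    f"mac {row['mac']}, os guess {row['os_guess']}"))
            # No CMDB record, so the scanner's fingerprint is all we have to judge lifecycle.
            if row["os_guess"].startswith(EOL_OS_PREFIXES):
                findings.append(Finding(ip, "eol_os", row["os_guess"]))

    for ip, row in cmdb.items():
        if ip not in seen:
            findings.append(Finding(ip, "stale_record", f"{row['hostname']} not observed"))
        if row["os"].startswith(EOL_OS_PREFIXES):
            findings.append(Finding(ip, "eol_os", row["os"]))
        if row["managed"].strip().lower() != "yes":
            findings.append(Finding(ip, "unmanaged", f"{row['hostname']} owner={row['owner']}"))

    return sorted(findings, key=lambda f: (ipaddress.ip_address(f.ip), f.category))


def summarize(findings):
    """Counts per category: the numbers a due-diligence memo would actually quote."""
    return dict(Counter(f.category for f in findings))


if __name__ == "__main__":
    results = audit_devices(CMDB_CSV, SCAN_CSV, ["10.20.0.0/16"])
    for f in results:
        print(f"{f.ip:<14} {f.category:<15} {f.detail}")
    print(summarize(results))
```

The scope filter matters: during diligence you are usually only allowed to sweep ranges the target has authorized, so anything outside those ranges is dropped rather than reported. Note that "unknown_device" is the category to chase first; the two unrecorded hosts in the constructed data (one of them on an end-of-life OS) are exactly the kind of thing a CMDB-only review would never surface.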

If it's a product or services company acquisition, I would also put particular emphasis on evaluating the product or service itself to make sure its risk posture is understood and acceptable. First and foremost, you want to be sure that the very reason you are acquiring the company does not create risk to your customers or your reputation. For instance, had Marriott run deeper due diligence on Starwood's customer reservation database while the merger was in progress, it could have verified whether guests' personal information and preferences were stored securely, and whether anyone had already gotten to them.

2. Basic Integration for Day 1 Collaboration
Then, once the deal is closed, you get to the second and larger piece of the M&A process: the integration. Some of these tasks can move quickly thanks to the cloud, with tools like Office 365, Zoom, and Box. Getting systems like these integrated right from the start takes a lot of the pressure off the CIO because new team members are able to start collaborating and doing simple tasks like scheduling meetings and sending emails with their new colleagues right away. 

3. Comprehensive Integration Across Infrastructure, Security, Access
The deeper, more strategic work comes after that and this is really a joint effort with the business. This is the time when you have to take a step back and focus on the integration from an infrastructure, security and access perspective in order to ensure alignment across the organizations and to identify hidden sources of risk.

You can't rush this without potentially introducing new risk. IT and business decision-makers identified the top areas of risk during integration as human error and configuration weakness (51%), connected devices (50%), and data management and storage systems (49%), according to Forescout's survey. You have to go system by system and connect them, making sure data is kept secure and each person has the right access.

Although the technical integration is rarely as fast as the business would like, it is the easier piece of the process. More often, it's things like systems and data access, new work processes, data migration, business impact (such as release cycles and end of quarter), and change management that will slow progress. Let's face it, there is never a good time to do these things. 

4. Cultural Integration
You also have to factor in the cultures of the two organizations. One organization might have a more mature security posture than the other. Or they may be very married to the way they do things and don't want to change. In other cases, you may have to integrate very different business models or capabilities into a single system. But in any situation, you have to bring everyone to the table and work together as one team.  

5. Rinse, Repeat, and Refine
The important thing to remember in all of this is that both the threat landscape and your IT environment and systems are always changing and evolving. While it's important to incorporate cybersecurity into due diligence and the initial integration, it's a process that you will have to continue throughout the full lifetime of the organization. 


With more than two decades of experience driving global operational capabilities across some of the world's largest cybersecurity and IT brands, Julie leads the people, business, and technology operations at Forescout. Julie has extensive operational and technical leadership ...