Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Threat Intelligence

11/11/2019
10:00 AM
Julie Cullivan
Julie Cullivan
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

5 Security Processes You Shouldn't Overlook During M&A

Security needs to be a central element of due diligence if a merger or acquisition is to succeed

There's a lot more attention being put on cybersecurity during the M&A process, and for good reason. The Marriott-Starwood merger is a prime example, shining the spotlight on what can happen if you accidently acquire a data breach. As part of the merger, Marriott acquired many new hotel brands but also unwittingly inherited a large-scale breach that affected approximately 500 million customers resulting from a hack of Starwood's customer reservation database prior to the acquisition deal.

According to a recent Forescout survey of IT and business decision-makers, 65% said they regretted making an acquisition because of a cybersecurity issue. But cybersecurity during M&A isn't just a point-in-time exercise. It should start with due diligence — but even more importantly, cybersecurity should be a key consideration in the entire integration process. That's the real heavy lifting when it comes to cybersecurity and M&A. 

Post-acquisition, there's lots of pressure on the CIO and other executives to get the integration done as quickly as possible so the company can realize the benefits of the deal. While IT sometimes gets a bad reputation for moving slowly during this process, in reality there are a lot of factors and complexity that go into making sure the integration is done smoothly and securely with minimal business disruption. 

Weaving cybersecurity throughout due diligence and then integration planning is a way to set reasonable expectations on the priorities and timing. With that in mind, here are five processes to address before, during, and after a merger or acquisition. Being able to explain "the why" behind each of these priorities and time frames in a way the business teams can understand is critical in each step.

1. Cybersecurity Due Diligence Is Key 
Cybersecurity due diligence should start before any deal is made. You're looking for cybersecurity issues that could rule out a deal or affect the sale price. For instance, Verizon knocked $350 million off of its purchase price for Yahoo after two data breaches were discovered. 

Our same survey revealed 73% said the discovery of an unknown data breach would be a deal breaker for an acquisition. To discover an unknown breach, you could engage a third-party auditor to conduct an internal cybersecurity assessment or do evaluations like a device audit. 

If it's a product or services company acquisition, I would also put particular emphasis on evaluating the product or service itself to make sure the risk posture is understood and acceptable — you first and foremost want to be sure that the very reason you are acquiring the company does not create risk to your customers or your reputation. For instance, when Marriott was in the process of merging with Starwood, perhaps further due diligence could have been run on Starwood's customer database to ensure that all guests' personal information and preferences were stored securely. 

2. Basic Integration for Day 1 Collaboration
Then, once the deal is closed, you get to the second and larger piece of the M&A process: the integration. Some of these tasks can move quickly thanks to the cloud, with tools like Office 365, Zoom, and Box. Getting systems like these integrated right from the start takes a lot of the pressure off the CIO because new team members are able to start collaborating and doing simple tasks like scheduling meetings and sending emails with their new colleagues right away. 

3. Comprehensive Integration Across Infrastructure, Security, Access
The deeper, more strategic work comes after that and this is really a joint effort with the business. This is the time when you have to take a step back and focus on the integration from an infrastructure, security and access perspective in order to ensure alignment across the organizations and to identify hidden sources of risk.

You can't rush this without potentially introducing new risk. IT and business decision-makers identified the top areas of risk during integration as human error and configuration weakness (51%), connected devices (50%), and data management and storage systems (49%), according to Forescout's survey. You have to go system by system and connect them, making sure data is kept secure and each person has the right access.

Although the technical integration is rarely as fast as the business would like, it is the easier piece of the process. More often, it's things like systems and data access, new work processes, data migration, business impact (such as release cycles and end of quarter), and change management that will slow progress. Let's face it, there is never a good time to do these things. 

4. Cultural Integration
You also have to factor in the cultures of the two organizations. One organization might have a more mature security posture than the other. Or they may be very married to the way they do things and don't want to change. In other cases, you may have to integrate very different business models or capabilities into a single system. But in any situation, you have to bring everyone to the table and work together as one team.  

5. Rinse, Repeat, and Refine
The important thing to remember in all of this is that both the threat landscape and your IT environment and systems are always changing and evolving. While it's important to incorporate cybersecurity into due diligence and the initial integration, it's a process that you will have to continue throughout the full lifetime of the organization. 

Related Content:

Check out The Edge, Dark Reading's new section for features, threat data, and in-depth perspectives. Today's story: "4 Ways to Soothe a Stressed-Out Incident Response Team"

With more than two decades of experience driving global operational capabilities across some of the world's largest cybersecurity and IT brands, Julie leads the people, business, and technology operations at Forescout. Julie has extensive operational and technical leadership ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Mobile Banking Malware Up 50% in First Half of 2019
Kelly Sheridan, Staff Editor, Dark Reading,  1/17/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
New Attack Campaigns Suggest Emotet Threat Is Far From Over
Jai Vijayan, Contributing Writer,  1/16/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
How Enterprises are Attacking the Cybersecurity Problem
How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20399
PUBLISHED: 2020-01-23
A timing vulnerability in the Scalar::check_overflow function in Parity libsecp256k1-rs before 0.3.1 potentially allows an attacker to leak information via a side-channel attack.
CVE-2020-7915
PUBLISHED: 2020-01-22
An issue was discovered on Eaton 5P 850 devices. The Ubicacion SAI field allows XSS attacks by an administrator.
CVE-2019-20391
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r3 in the function resolve_feature_value() when an if-feature statement is used inside a bit. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20392
PUBLISHED: 2020-01-22
An invalid memory access flaw is present in libyang before v1.0-r1 in the function resolve_feature_value() when an if-feature statement is used inside a list key node, and the feature used is not defined. Applications that use libyang to parse untrusted input yang files may crash.
CVE-2019-20393
PUBLISHED: 2020-01-22
A double-free is present in libyang before v1.0-r1 in the function yyparse() when an empty description is used. Applications that use libyang to parse untrusted input yang files may be vulnerable to this flaw, which would cause a crash or potentially code execution.