Solutions Review’s Expert Insights Series is a collection of contributed articles written by industry experts in enterprise software categories. Ellen Sundra of Forescout scouts ahead and marks a path for navigating cybersecurity risks during mergers and acquisitions.
Corporate mergers and acquisitions are bound to increase during these uncertain economic times. As fledgling companies struggle to secure loans and investments at higher interest rates, more established companies will capitalize on the opportunity to buy them. However, typical M&A activity, such as reviewing balance sheets, contracts, intellectual property, and so forth, often overlooks cybersecurity risk until later in the process and struggles to gain visibility into the newly acquired company.
When one company acquires another, it inherits its cybersecurity risk, and this risk can be significant. For example, when Verizon was acquiring Yahoo, two massive Yahoo breaches resulted in a $350 million price cut. Recently, Activision confirmed a data breach that occurred during its acquisition by Microsoft. Even if a breach does not occur, the lack of visibility into cybersecurity risk can delay integration between both companies, negatively impacting productivity.
When a company is being acquired, it is often reluctant to open access to its networks until the deal is done, sometimes because of mistrust and other times because the company being acquired doesn’t want to be exposed for lack of best practices. Read on for some of the most common cybersecurity risks during mergers and acquisitions and how to mitigate them.
Common Cybersecurity Risks During Mergers and Acquisitions
Numerous endpoints often go undetected on almost any network. Many of these devices are unmanaged or unknown (e.g., IoT, operational technology (OT), and rogue devices), but managed devices may also go undetected if they have broken agents. There are many reasons agents stop working, particularly during a merger when you might be making changes to the environment, servers, or endpoint configurations that all increase the potential for issues. When an agent breaks, it can result in a loss of visibility and control over that device, application, or network, creating risk.
Combining networks increases the attack surface and the potential for more entry points into the network. Many companies rely on network segmentation to divide the network into smaller areas to control access and minimize the “blast radius” if an attack does occur. During a merger, bringing networks together requires changes that allow traffic to flow between networks, increasing the possibility of unmanaged vulnerable endpoints having increased access to corporate servers or other connected devices. This can make it easier for cyber attackers to access the unmanaged endpoints and move laterally across the network to the more critical resources.
Unauthorized applications (i.e., shadow IT) are not approved or sanctioned by the company’s IT department and are often used without proper security controls or compliance with security policies. During a merger or acquisition, both companies may have different application usage policies, which can introduce unauthorized applications. These applications may use insecure transport methods, such as FTP or Telnet, which do not meet the security standards of the acquiring company, creating vulnerabilities that cyber attackers can exploit.
Conducting Cybersecurity Due Diligence
Cybersecurity due diligence during a merger or acquisition may be easier said than done. Still, there are a few steps an organization can take to identify any potential gaps or vulnerabilities that may exist. First, the acquiring organization should conduct a cybersecurity assessment, and it should also plan to perform these assessments regularly, since continuous monitoring is a foundation of cybersecurity.
A comprehensive approach to security assessments includes thoroughly examining the IT infrastructure, applications, security controls, policies, and procedures. In addition to assessing the security posture of the merged entity, it is crucial to assess the security posture of any third-party vendors or partners with access to the network or data. Creating a device inventory is an essential step in the security assessment process. A device inventory provides a comprehensive list of all devices connected to the network, including servers, workstations, printers, and other networked devices.
By creating a device inventory, companies can identify potential vulnerabilities, such as unpatched software, outdated operating systems, or unauthorized devices, and develop strategies to mitigate them. The device inventory can also help ensure that all devices are managed and secured per company policies and standards.
Next, the acquiring company should develop a detailed plan to integrate the IT infrastructures of the two companies, including a timeline for the integration process and a list of tasks to be completed. The plan should also include specific measures to address the risks identified during due diligence, such as broken agents, misconfigured network segments, and unauthorized applications. Beyond the technology, this operational process requires key stakeholders to work together across departments and between companies to fully consider the complex dynamics between systems.
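As an added illustration (not part of the original article and not any vendor's code), the sketch below reconciles a network-discovery inventory against endpoint-agent check-ins to surface unmanaged devices, broken agents, and the cleartext FTP/Telnet services mentioned above. The record layout, the seven-day staleness threshold, and all sample values are assumptions constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample data: devices seen by network discovery, and the
# agent console's last check-in time per MAC address.
DISCOVERED = [
    {"mac": "00:11:22:aa:00:01", "ip": "10.20.0.5", "open_ports": [22, 443]},
    {"mac": "00:11:22:aa:00:02", "ip": "10.20.0.9", "open_ports": [21, 80]},
    {"mac": "00:11:22:aa:00:03", "ip": "10.20.1.14", "open_ports": [23]},
    {"mac": "00:11:22:aa:00:04", "ip": "10.20.1.30", "open_ports": [445]},
]
AGENT_CHECKINS = {
    "00:11:22:aa:00:01": "2023-03-28T09:00:00",
    "00:11:22:aa:00:02": "2023-03-01T09:00:00",  # agent silent for weeks
    "00:11:22:aa:00:04": "2023-03-28T08:30:00",
}
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet"}  # transports named in the article


def assess(discovered, checkins, now, max_age=timedelta(days=7)):
    """Return {mac: [findings]} for every device with at least one finding."""
    findings = {}
    for dev in discovered:
        issues = []
        last_seen = checkins.get(dev["mac"].lower())
        if last_seen is None:
            # On the wire but unknown to the agent console.
            issues.append("unmanaged: no agent record")
        elif now - datetime.fromisoformat(last_seen) > max_age:
            # Agent installed but no longer reporting (assumed threshold).
            issues.append("broken agent: last check-in " + last_seen)
        for port in dev["open_ports"]:
            if port in CLEARTEXT_PORTS:
                issues.append("cleartext service: " + CLEARTEXT_PORTS[port])
        if issues:
            findings[dev["mac"]] = issues
    return findings


if __name__ == "__main__":
    report = assess(DISCOVERED, AGENT_CHECKINS, datetime(2023, 3, 29))
    for mac, issues in report.items():
        print(mac, "->", "; ".join(issues))
```

Running the same comparison separately for each company before the networks are joined gives the integration plan a concrete list of devices to remediate first.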
Automate – Orchestrate – Integrate
Companies should consider standardizing their security solutions to improve the sharing of intelligence and automate network access control and endpoint remediation. This includes using a single security platform, such as a network monitoring solution, to provide centralized visibility and control across the merged network. An automated security solution can simplify the integration process by automating tasks such as device discovery, policy enforcement, and configuration management. It can also provide centralized visibility and control across the merged network, allowing security teams to quickly identify and remediate potential threats. Orchestrating security solutions can also help to ensure that security policies and controls are consistent across the merged network, reducing the risk of gaps or areas of vulnerability. By automating and orchestrating security solutions, companies can enhance the effectiveness and efficiency of their security operations, reducing the risk of cyber-attacks and improving overall security posture, both during mergers and acquisitions and beyond.
Integrating networks is complex because many security solutions cannot share intelligence or automate enforcement and remediation actions. Threat actors are aware that merging networks creates weak points, so once news of a deal becomes public, it becomes an attractive target for attack. Managing cybersecurity risk during mergers and acquisitions is a combination of technology and operational processes across many complex systems. The sooner the acquiring organization can gain visibility into these systems, the sooner they can begin addressing their risks.
- Mitigating Cybersecurity Risks During Mergers and Acquisitions - March 29, 2023