Why Mergers and Acquisitions Don’t Need to be a Security Professional’s Nightmare
A flurry of special purpose acquisition companies, mergers, and acquisitions during the last several years have created unexpected cybersecurity vulnerabilities that pose unique challenges for companies. As businesses bring new employees and assets into their organizations during these transactions, it leaves the door open to a vast risk of security breaches by expanding the attack surface.
One of the biggest liabilities that acquiring companies must take into consideration is how adequately the target company manages its cybersecurity health.
The phases in the merger and acquisition (M&A) process—due diligence, sign and announce, and integration (transition to operations)—each pose its own security threats. M&A cybersecurity downfalls are often the result of partially integrated businesses. The longer it takes to bring them together, the longer the risk exposure as it leaves a complex patchwork of systems containing security blind-spots and vulnerabilities. A hacker may gain access and lay dormant for years waiting to attack a newly integrated and weakened system.
Executives must be highly risk-averse and assume the acquiring side has already been compromised—protecting core business value pre and post integration must come first. Finding and mitigating those threats plays a crucial part in successfully navigating the process and acquiring the target company.
Having participated in more than 40 acquisitions, there are key security considerations for preventing cyber threats before, during, and after M&As. Below are insights on how organizations can gain visibility into all assets to mitigate risks.
Doing Your Due Diligence
The due diligence phase begins as soon as a target company has been identified for potential acquisition. Cybersecurity due diligence involves properly vetting targets prior to finalizing a deal by collecting insights into the target’s existing technology infrastructure.
The buying company needs as much information as possible in preparation to merge the target's technology assets with its own systems. Auditing is required to discover security issues, including improperly secured data, misconfigured networks and servers, out-of-date software, and unmanaged network assets to address them.
Artificial intelligence (AI) and machine learning (ML) technologies can eliminate the chances for human error when performing an audit and can catalog network and data assets more efficiently, uncovering potential security risks that might otherwise go unnoticed. But AI and ML technologies are only accurate and effective when using the right set of algorithms that are married to the correct set of data. This combination is what unlocks the ability to truly eliminate human errors and risk that would be unidentifiable without both working in tandem.
For the acquiring company, this phase is challenging because the target likely does not have the ability to share all the information needed to assess vulnerabilities before moving forward to the next phase due to proprietary and confidential data concerns should the deal fall apart.
Preparing for the Possible
The moment of greatest threat from outsiders is the moment of least visibility into the combined company. The window after the announcement of the merger—but before the companies have found and acted on the potential security risks—makes for an especially dangerous time. To reduce the risk of a security or data breach, both companies must gather and analyze as much information as possible to secure the target company's network and assets before falling victim to overlooked vulnerabilities.
Machines have an unprecedented record of beating humans in a couple of areas—object recognition and processing vast amounts of data.
Relying only on humans poses two risks: first, IT and security teams may not have the ability to move as quickly as attackers trying to break in should a threat occur. Second, there is an increased potential for IT to accidentally misconfigure critical security settings or miss critical updates that an automated system could complete at a much faster—and more accurate—pace.
The ability of humans to apply the acquired knowledge with a sense of logic, reasoning, understanding, learning, and experience is what makes us outpace AI. AI-powered machines make decisions based on events and their association with them.
Machines have an unprecedented record of beating humans in a couple of areas—object recognition and processing vast amounts of data. Сapsule Networks, invented by Geoff Hinton, almost cut in half the best previous error rate on a test that challenges software to recognize objects. Using an increased amount of these capsules over various scans allows the system to better identify an object, even if the view is different than those analyzed prior. This is the same ability used to identify misconfigurations and security updates on systems.
Hardening the Defense
As the combined companies work to merge their resources fully, the arms race against attackers kicks into high gear. To successfully merge the technology and data assets, the teams from the buying and target companies must cooperate with accurate data from the post-merger security audit.
Security and IT teams also need to ready themselves for social engineering attacks. Well-crafted phishing emails are a common tactic for attackers. It’s essential for companies to have a well-documented process for integrating the target company’s employees, along with a procedure for reporting suspicious email messages.
It’s impossible for humans to continuously monitor suspicious activity and unauthorized devices accessing the network reliably. IT and security teams can stay ahead of attackers by finding unknown assets and fixing potential weak points before attackers exploit them much faster than they could with the help of technological advancements. From spotting cyber threats to identifying malicious activity, AI and ML technologies enable predictive intelligence for organizations.
Joel Fulton is co-founder and CEO of Lucidum, an asset discovery platform. He is also the co-founder of Silicon Valley CISO Investments, a leading group of chief information security officers that operate as an angel investor syndicate.