By Andrew Kays, CEO of threat detection and response company Socura
Global auditing giant PwC reports that 2021 was a record year for global mergers and acquisitions (M&A). Over 62,000 deals were announced in these 12 months alone, up a remarkable 24% on 2020, year on year.
No two mergers or acquisitions are quite the same, nor are the challenges associated with them, but cybersecurity remains a major hurdle companies must overcome in every M&A transaction. Security can take significant resources to get right, and it can completely derail transactions during the due diligence phase or prove costly later on.
The recent Okta data breach is a good example of M&A issues and how cybersecurity can slip through the cracks. Okta blamed the data breach on IT provider Sitel, which acknowledges the data breach but says a network formerly owned by Sykes was at fault. Sykes is a company that Sitel acquired several months before the breach. The case illustrates the difficulty of assessing another company’s security processes before engagement, the risk of it having skeletons in the closet that could fall out at any time, and the unique opportunity that mergers and acquisitions present to threat actors looking for potential targets.
Broadly speaking, the cybersecurity dangers that arise in M&A situations can be broken down into those that arise before, during, and after the merger. There are also unique security challenges depending on the M&A scenario, for example, if a large company buys a smaller one, two companies of similar size merge, or a company expands into new regions through acquisition.
Due diligence – easier said than done
A business being acquired can easily pull together financial forecasts, historical profit and loss statements, budgets, and product pipelines. These will be thoroughly assessed during the due diligence stage of an acquisition. Cybersecurity is a completely different beast. A company will need to disclose data breaches and describe its security processes and technologies. For example, if it was hit by ransomware 12 months before the acquisition, it would have to disclose the fact. However, many companies don’t find out that their networks have been hacked by an attacker until months later. Additionally, a historical “clean bill of health” does not guarantee that the company has not fallen into the crosshairs of an attacker more recently.
There is also an inherent level of trust required when one company acquires another. The acquirer must be certain that the information provided is accurate and up-to-date. When the money is on the table and a company is evaluating a significant offer or investment, there is an incentive to paint a rosier picture than the reality. An unscrupulous person could be less than 100% transparent on an issue like cybersecurity if there is even a remote chance that it could sabotage a deal.
During mergers and acquisitions
When two companies become one, there are always complications and compromises. The process can be tumultuous, which is bad news for blue teams, the defenders, who prefer stability and predictability. Chaos makes good security harder to achieve. For example, security teams regularly assess the normal, known-good behaviors of employees and systems, so they can identify anomalies and potential malicious actions. During a merger, when the business people work for, the systems they use, and the roles they perform are all in flux, anomaly detection becomes much more difficult. Attackers know this too and will actively target companies pursuing M&A activity, knowing they have a better chance of going undetected. Chaos can act as their smokescreen.
Securing a business, or multiple businesses, during a time of flux is hard work. It often happens that a company has a certain way of doing something, which newly onboarded employees either don’t agree with or can’t replicate. One company may have tools, processes, and technology that the other doesn’t know about, struggles to adopt, refuses to implement, or needs training to use. Any type of non-compliance leaves cracks in defenses, while additional training takes resources away from daily security operations.
Employee turnover is also a problem. When staff change roles, are fired or resign as a result of a merger, it can have a profound impact on security. Alerts and incidents can slip through the cracks if someone who was handling them is no longer with the company. Or previously well-defined chains of command may be broken or disrupted. This can be of great consequence when it comes to responding to a data breach, when it is imperative that a business limits the time between detection and response, and thus limits the damage caused.
If a large company acquires a smaller one, the smaller one will generally inherit the security policies of the “bigger fish”, which is to its significant advantage. Post-merger, the small company suddenly has much more mature security policies and a larger budget for security tools, technology, and resources to leverage. However, the picture is reversed for the larger business. The smaller company’s relatively immature security policies are a risk. Its employees may not be used to the larger company’s more secure working methods or tools, and may make mistakes that lead to cyber incidents. If an employee is at risk of losing their job after a merger or acquisition, they may even become an insider threat. They might download files for future use elsewhere, inadvertently leak or lose data, or, in the worst-case scenario, even provide network access.
If two companies of similar size merge, it is not simply a case of one adopting the security policies and expertise of the other. This is usually a more complicated question, with a less clear result. Both companies are likely to fight to keep doing things their own way. Unfortunately, security teams can be fiercely dogmatic about the technologies, vendors, and ways of working they choose. This tension can create disgruntled employees, who are forced to work with security tools they don’t like, don’t trust, or don’t yet know how to use proficiently. This is less than ideal and can again drain resources or lead to cyber incidents later on.
How to Mitigate Cyber Threats from M&As
Due diligence is essential before embarking on an M&A, and it is extremely important that security is carefully assessed during the process. Although cybersecurity cannot be analyzed as simply as a profit and loss account, it is essential that companies do their best to ingest as much data as possible from their employees, endpoints, networks and cloud applications. This is the best way to ensure an overview without any blind spots.
During and after mergers and acquisitions, companies need to ensure that they continuously monitor this data 24/7. This way, they can react to data breaches in their early stages and limit the impact as much as possible.
As for overcoming the technical and personal challenges of the M&A process, it is all about mitigating the problems, because they cannot be avoided outright. Management naturally wants to break down silos; it wants everyone and every department to use the same technologies, processes and systems as each other. IT tools and teams will be merged as soon as possible, for the sake of efficiency. However, some degree of technical segmentation is possible, so that a breach in a previously unconnected department does not have serious ramifications for others. There are segmentation models such as the Purdue model, although this is mostly applied to critical infrastructure.
It’s also essential that security teams have comprehensive monitoring of the entire domain, no matter how small. They should put controls in place to analyze traffic, spot malicious activity, and limit traffic. Security teams also need to prioritize rules and automation as much as possible before an M&A deal completes, so they’re not constantly fighting fires. They need additional bandwidth to respond to potential incidents.
2022 promises to be another strong year for global M&A activity, but it’s important the industry learns from incidents like the Okta breach. If not taken seriously, security can undermine all the good work and business benefits of any M&A deal.