Technology and data are at the heart of almost every business. Cybersecurity should be a concern at the same priority level as legal and financial considerations when contemplating any merger or acquisition. As the number of mergers and acquisitions increases every year, so do the dollar amounts associated with such transactions. In 2018, the value of announced mergers reached nearly $3.9 trillion, with an average deal size of $384 million. With deals this size, companies risk a lot by not having a thorough approach.
By Greg Reber, CEO/Founder, AsTech Consulting / former Partner at Moss Adams
During the past five years, we’ve seen a number of merger and acquisition deals where companies acquired organizations without performing adequate information security digital due diligence, only to discover woefully inadequate security of assets and even previously unknown breaches – Verizon and Yahoo, Marriott and Starwood come to mind. The consequences of these breaches become the responsibility of the new owner. As a result, the buying company must address these issues, leading to potential financial consequences not taken into consideration when determining the original acquisition pricing.
Often, these security vulnerabilities exist in the actual source code of internet applications or software packages that the buyer intends to acquire to complement their technology to expand market share. Sellers have to realize that not disclosing these issues could delay or reduce payments as the depth of the problems is understood.
Preparing for a Merger or Acquisition
So, what can be done to lower these risks? Depending on the type of business, you may want to emphasize different aspects of the target company. Below are steps to consider including in the due diligence process for different transaction scenarios.
1. Buying Any Company: Understand Security Policies and Processes
Every company should have a defined security program in place and be able to demonstrate its appropriateness to the company’s needs. Acquiring companies will want to know how seriously a target company has approached securing its assets and request a review of the security program for components such as:
- Data classification schema that drives data handling policies
- Incident response procedures and recent test results
- User awareness efforts, especially as they relate to suspicious emails
- Security organization and coordination of functional responsibilities
Many companies are beholden to compliance frameworks such as the Federal Deposit Insurance Corporation (FDIC), Health Insurance Portability and Accountability Act (HIPAA), or Payment Card Industry Data Security Standard (PCI DSS) and may be able to provide reports on security compliance. For those that don’t, the acquiring company should thoroughly review the program’s documentation and interview key employees to understand the security posture of the target company.
2. Buying a Software Company or Product: Assess the Security at the Source Code Level
Several researchers have pointed out that source code security issues have overtaken network security vulnerabilities as the top attack vector. These issues may be easy targets for nefarious actors who know how to exploit them, because network and perimeter security measures have matured faster than software security measures.
To assess software vulnerability, begin by mapping the attack surface of the target applications: look at how security is handled at each data ingress and egress point. These include the authentication and authorization components that grant login and access privileges, calls to databases, and data collection pages. From there, an adequate assessment considers what the program does with the data it acquires and confirms that the data is encrypted both in transit and at rest.
Automated tools can quickly scan the software and typically identify half the types of vulnerabilities present. A comprehensive understanding of the security footprint of a website or application requires combining the automated scan with a manual inspection of the source code. A business logic assessment (BLA) focuses on discovering built-in vulnerabilities that aren’t coding defects but present risk because of flaws in the application’s as-designed logic.
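To make the attack-surface mapping step concrete, the following is an added example written for this article, not code from the author or from any product mentioned here. It parses a constructed, deliberately weak Flask-style application (the `SAMPLE_SOURCE` string is invented for illustration) with Python's standard `ast` module, lists every HTTP entry point, records whether an authentication decorator is applied (the decorator names in `AUTH_DECORATORS` are assumed), and flags database calls whose query string is assembled at runtime. It is the kind of first-pass automated scan the text describes; a reviewer still has to triage each finding by hand.

```python
"""Attack-surface mapper for a Python web app: entry points, auth coverage, dynamic SQL.

Added example; the sample application below is constructed for illustration only.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass, field

# Constructed sample source (not any real project). Line 8 builds SQL with "%".
SAMPLE_SOURCE = '''
from flask import Flask, request
app = Flask(__name__)

@app.route("/login", methods=["POST"])
def login():
    user = request.form["user"]
    cur.execute("SELECT * FROM users WHERE name = '%s'" % user)
    return "ok"

@app.route("/admin/export")
@login_required
def export_report():
    cur.execute("SELECT * FROM reports WHERE owner = ?", (current_user.id,))
    return "csv"

@app.route("/health")
def health():
    return "up"
'''

AUTH_DECORATORS = {"login_required", "requires_auth"}  # assumed decorator names
DB_EXEC_METHODS = {"execute", "executemany"}            # DB-API cursor methods


@dataclass
class EntryPoint:
    function: str
    route: str
    methods: list[str]
    authenticated: bool
    findings: list[str] = field(default_factory=list)


def _callee_name(node: ast.AST) -> str:
    """Name of a decorator or call target: @name, @name(...), @obj.name(...)."""
    if isinstance(node, ast.Call):
        node = node.func
    if isinstance(node, ast.Attribute):
        return node.attr
    if isinstance(node, ast.Name):
        return node.id
    return ""


def _route_info(dec: ast.AST):
    """Return (path, methods) for an @app.route(...) decorator, else None."""
    if not (isinstance(dec, ast.Call) and _callee_name(dec) == "route"):
        return None
    first = dec.args[0] if dec.args else None
    path = first.value if isinstance(first, ast.Constant) else "?"
    methods = ["GET"]  # Flask's default when methods= is omitted
    for kw in dec.keywords:
        if kw.arg == "methods" and isinstance(kw.value, (ast.List, ast.Tuple)):
            methods = [e.value for e in kw.value.elts if isinstance(e, ast.Constant)]
    return path, methods


def _is_dynamic_sql(call: ast.Call) -> bool:
    """True if the first argument (the query) is built at runtime rather than a literal."""
    if not call.args:
        return False
    q = call.args[0]
    if isinstance(q, ast.JoinedStr):                       # f-string
        return True
    if isinstance(q, ast.BinOp) and isinstance(q.op, (ast.Mod, ast.Add)):
        return True                                        # "..." % x  or  "..." + x
    return isinstance(q, ast.Call) and _callee_name(q) == "format"


def map_attack_surface(source: str) -> list[EntryPoint]:
    """List HTTP ingress points with their auth status and dynamic-SQL findings."""
    tree = ast.parse(source)
    entry_points: list[EntryPoint] = []
    for fn in ast.walk(tree):
        if not isinstance(fn, ast.FunctionDef):
            continue
        routes = [r for r in (_route_info(d) for d in fn.decorator_list) if r]
        if not routes:
            continue  # not exposed over HTTP, so not an ingress point
        path, methods = routes[0]
        decorators = {_callee_name(d) for d in fn.decorator_list}
        ep = EntryPoint(fn.name, path, methods, bool(decorators & AUTH_DECORATORS))
        if not ep.authenticated:
            ep.findings.append("no authentication decorator")
        for node in ast.walk(fn):
            if (isinstance(node, ast.Call) and _callee_name(node) in DB_EXEC_METHODS
                    and _is_dynamic_sql(node)):
                ep.findings.append(f"dynamic SQL query at line {node.lineno}")
        entry_points.append(ep)
    return entry_points


if __name__ == "__main__":
    for ep in map_attack_surface(SAMPLE_SOURCE):
        auth = "auth" if ep.authenticated else "NO AUTH"
        print(f"{','.join(ep.methods):5} {ep.route:15} {auth:8} {ep.findings}")
```

Run against the sample, the mapper reports three entry points: `/login` (unauthenticated, as a login endpoint should be, but with a query built by string formatting), `/admin/export` (authenticated, parameterized query, no findings) and `/health` (unauthenticated, which a reviewer would likely accept). The point of the exercise is the inventory: every ingress point, what protects it, and what it does with the data it receives.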
3. Buying a Company that Comes with IT Infrastructure: Assess Network Security
Networks and IT infrastructures are a favorite target for culprits attempting to infiltrate a company to steal information. At a minimum, automated tools should also be used to scan networks, from both inside and outside, to discover vulnerabilities that may be exploited.
As with source code scanning, if these automated scans expose lax security within the target network, a deeper dive performed by security advisors may be warranted. These individuals review firewall and server configurations and compare the network architecture and its design against security best practices.
The 2014 Target stores breach demonstrates the importance of this discovery process. The retailer’s heating, ventilation, and air conditioning vendor was hacked, and because there was inadequate segmentation in the Target network architecture, the culprits gained access to Target’s entire network even though the vendor only required access to environmental control systems within store locations. These functions could have been isolated within Target’s network. The breach resulted in more than $200 million in damages.
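The segmentation review described above can be made mechanical. The following is an added example, written for this article rather than taken from it or from any real network: it models a small set of zones (a vendor zone, the environmental control systems it legitimately services, a payment zone and the corporate network), a first-match firewall rule list, and an allow-list of expected flows. The audit enumerates every zone pair and probe port the rules permit that the policy does not expect. Zone names, ports and both rule sets are constructed for illustration; the "flat" rule set stands in for the unsegmented design the text criticizes, and the "segmented" set for the isolation it recommends.

```python
"""Segmentation audit: which zone-to-zone flows do the firewall rules allow beyond policy?

Added example; zones, ports and rule sets below are constructed for illustration.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Rule:
    src: str              # source zone or "any"
    dst: str              # destination zone or "any"
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


ZONES = ["vendor_hvac", "store_ems", "pos", "corp"]

# Flat design: the vendor zone, and everyone else, can reach everything.
FLAT_RULES = [
    Rule("vendor_hvac", "any", None, "allow"),
    Rule("any", "any", None, "allow"),
]

# Segmented design: vendor traffic is confined to the environmental systems,
# only the named corp/pos flows are open, and everything else is denied.
SEGMENTED_RULES = [
    Rule("vendor_hvac", "store_ems", 443, "allow"),
    Rule("vendor_hvac", "any", None, "deny"),
    Rule("corp", "pos", 443, "allow"),
    Rule("pos", "corp", 8443, "allow"),
    Rule("any", "any", None, "deny"),
]

# Policy allow-list: the only zone pairs that have a business reason to talk.
EXPECTED_FLOWS: Set[Tuple[str, str]] = {
    ("vendor_hvac", "store_ems"),
    ("corp", "pos"),
    ("pos", "corp"),
}

# Ports probed for each zone pair (a small, constructed sample).
PROBE_PORTS = [22, 443, 445, 3389, 8443]


def first_match(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """Evaluate rules top-down, first match wins; unmatched traffic is denied."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "deny"


def audit_segmentation(rules: List[Rule], zones=ZONES, expected=EXPECTED_FLOWS,
                       ports=PROBE_PORTS) -> List[Tuple[str, str, int]]:
    """Return (src, dst, port) flows the rules allow but the policy does not expect."""
    violations = []
    for src in zones:
        for dst in zones:
            if src == dst or (src, dst) in expected:
                continue
            for port in ports:
                if first_match(rules, src, dst, port) == "allow":
                    violations.append((src, dst, port))
    return violations


def blocked_expected_flows(rules: List[Rule], expected=EXPECTED_FLOWS,
                           ports=PROBE_PORTS) -> List[Tuple[str, str]]:
    """Expected flows with no allowed port at all (segmentation that breaks the business)."""
    return [(s, d) for (s, d) in sorted(expected)
            if not any(first_match(rules, s, d, p) == "allow" for p in ports)]


if __name__ == "__main__":
    for name, rules in (("flat", FLAT_RULES), ("segmented", SEGMENTED_RULES)):
        v = audit_segmentation(rules)
        print(f"{name}: {len(v)} unexpected allowed flows, "
              f"blocked expected flows: {blocked_expected_flows(rules)}")
        for src, dst, port in v[:3]:
            print(f"  {src} -> {dst}:{port}")
```

With the flat rule set the audit reports 45 unexpected flows (nine unexpected zone pairs, five probe ports each), including the vendor zone reaching the payment zone; with the segmented set it reports none, and every expected flow still has a working port. Both numbers are what a reviewer wants from a configuration review: the excess reachability to remove, and confirmation that the tightened design does not cut off legitimate traffic.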
Bringing cybersecurity professionals with expertise in all aspects of information security — source code and website, infrastructure, and programmatic security — to your due diligence team can further help protect your company and identify overlooked risks. An advisor can help find vulnerabilities and vet them against real-world risk. For example, their analysis weeds out the false positives that most automated tools report.
Source code security professionals should have software development backgrounds so that they understand how software development processes work. This allows them to home in on vulnerabilities in the source code, determine how much risk they present to the company, and estimate the level of effort needed to remediate them.
By taking these due diligence steps you can move your transaction forward with confidence and focus on planning for the future of your combined business.
About the author
Greg Reber has specialized in IT security consulting since 1995. His expertise includes building effective risk management practices, developing information security programs, C-level security consulting for information security organizations, and merger and acquisition security due diligence.
Views expressed in this article are personal. The facts, opinions, and language in the article do not reflect the views of CISO MAG and CISO MAG does not assume any responsibility or liability for the same.