Cybersecurity no longer merger afterthought

As little as four years ago, only about a third of companies considered cybersecurity when planning a merger. Today, that percentage has flipped.

"When you look at mergers where one big company buys another big company, I'd estimate that the cybersecurity teams do get involved about 60 percent of the time prior to the acquisition being executed," said John Pescatore, director of emerging trends at SANS Institute.

A number of high-profile breaches have alerted corporate executives to the risks an acquired company's undetected breach can pose to the buyer.

Last year, for example, attackers hit Pacnet, an Asian telecom provider, two weeks before Telstra bought it for nearly $700 million -- but Telstra didn't learn about the breach until the deal was closed.

In 2014, TripAdvisor learned shortly after its $200 million acquisition of travel site Viator that attackers had stolen information on 1.4 million customers. It found out about the problem not as a result of its own investigations, but when its payment card service started noting unauthorized charges on customer credit cards.

"It's absolutely a risk that people are talking about," said Stephen Boyer, CTO and co-founder at security vendor BitSight Technologies.

In fact, unless a breach involved personally identifiable information, a company may not have had to report it at all.

It "would be nuts" to rely just on public reports, Pescatore said.

"They send audit teams in for finance, and they should send audit teams in for security as well," he said.

One common mistake with a merger is to handle the cybersecurity via a checklist, said JB Rambaud, managing director at law firm Stroz Friedberg, LLC.

"People are starting to realize that a checklist process is not working," he said. "If I ask you, is this encrypted, is this segmented, you may answer that yes it is encrypted, yes it is segmented -- but the segmentation has seven different layers. It's very difficult to simplify the process and create the form and get it right."

The due diligence team needs to have the expertise to be able to delve into the small details, he added. "This is too material to be skipped over."

Address risks early

If the pre-merger investigation uncovers significant risks, they should be addressed right away.

"If you have identified risks during the due diligence, you need to mitigate that, so when you connect your networks that risk is gone," said David Barton, CISO at security vendor Forcepoint. Forcepoint is the product of a recent merger between Raytheon and Websense.

Otherwise, by connecting two corporate networks, the entire combined company is now vulnerable to that new risk. In addition, the merger itself may create new opportunities for attackers.

"Every time you've got a mismatch in technology and methodologies in terms of mitigating risk, you have an opportunity for failure," he said. "The problem with cybersecurity is if you miss a little detail, it could turn into something huge. It's incumbent on you to make sure you don't miss those things."

And if the investigation process uncovers an ongoing breach, the merger needs to be paused, said JB Rambaud, managing director at Stroz Friedberg.

"You work with the incident response team and work with external counsel to understand the extent of the breach, and mitigate the extent of the risk first, patch the holes," he said. "And if everyone understands how much it will cost to mitigate that risk completely, then you can include it as part of the cost of the M&A."

BitSight's Boyer said he hasn't heard of a case in which a cybersecurity audit resulted in a merger being called off.

"But the cybersecurity posture can definitely impact a deal and how much a company is willing to pay for a deal," he said.

Prepare for increased phishing and other attacks

In the lead-up to a merger as well as during and immediately afterwards, employees will expect to get questions and communications from people they don't know, including auditors, consultants, and employees at the other company.

Privileged users in particular should expect to get targeted, sophisticated attacks, said Pescatore.

This is also an opportunity to check if both companies have phishing education programs in place, and to address any shortcomings of the weaker program.

Attackers could also go after third-party targets, said Chris Coleman, CEO at LookingGlass Cyber Solutions. Those include legal firms working on the acquisition, other vendors involved in the process, and even cloud-based service providers.

"I've witnessed a lot of situations where adversaries were actually targeting law firms to get M&A information," said Coleman, whose company did three acquisitions last year.
