“When it’s made public that a company is being acquired, it can make it a much larger target for bad actors. It is critical to plan and execute security improvements quickly.”
Morgan Demboski, threat intelligence analyst with IronNet, said that another top challenge for organizations acquiring another company is a lack of insight into documented assets, such as cybersecurity artifacts, technical documentation, and asset and data inventory.
“In the case we detected, the threat actors specifically targeted a network segment that was integrated through a prior company acquisition and contained legacy infrastructure,” said Demboski. “Since this acquisition happened several years prior, there were likely not proper protocols and documentation in terms of technical infrastructure during the acquisition, and the network segment was likely forgotten about by the victim enterprise as a result. Though we do not know exactly how long the threat actor had access to the environment, it is apparent they were targeting the acquired network segment for a reason, likely to exploit the unmonitored legacy infrastructure within it.”
The processes needed to better understand key security risks facing a target company don’t end after an acquisition deal is signed and announced. For instance, Demboski said that when approaching the final integration phase, organizations must have a comprehensive integration strategy, as a lack of protocols can leave large security gaps when converging network systems. That includes dedicating time to asset/data identification, training, and planning the integration strategy to ensure nothing slips through the cracks, said Demboski, as well as establishing a governance model for ongoing incident handling and remediating any outstanding unpatched vulnerabilities.
The establishment of a security culture is one of the most important – and challenging – aspects of this integration phase, as different companies may have different views of the level of risk that they’re willing to take.
“It’s tough to change a culture,” said Christiansen. “In security we’re always looking at how we create a better, more aware culture. But when it comes to culture, it’s really interesting because at the business level there will be two cultures between the [acquiring and acquired] businesses. There might be a more risk-averse and a risk-taking company. So you’ll start articulating those goals and getting them trained on your programs and what you expect. It’s all about encouraging behaviors.”
Across all these various stages of the M&A process, transparency is paramount, and both sides need to set clear expectations early on about priorities and how the companies are going to integrate, said Cisco’s Button.
“I can’t stress that enough,” said Button. “Without this both sides will struggle from day one. After that, it’s all about identifying, preferably before announcement, any vulnerabilities that need to be resolved in the acquiree’s people, process, or systems. Any or all three can be weak points that will need shoring up immediately.”