5 Steps to Ensure You Don't Acquire Your Next Data Breach

By David Monnier, CIO at Team Cymru

In your next M&A, will you unknowingly acquire a company that causes your next data breach?

No company wants to end up as a headline for a data breach, but today we’re seeing more headlines like “After data breaches, Verizon knocks $350M off Yahoo sale, now valued at $4.48B,” or “Marriott Faces $123 Million Fine For 2018 Mega-Breach,” the latter from a compromise that went undetected in a company acquired two years earlier. In a world where cyberattacks are on the rise, organizations need to be especially vigilant in their security practices, yet many invite attackers to come right along with an acquired company.

It's critical to the success of your M&A and the future of your company to ensure that you understand your target company's approach to security and the risk they bring. The following five steps will guide you through the cybersecurity due diligence process so that you don't inherit your next data breach.

1: Define the scope and objectives of the process

First, determine the objectives for your cybersecurity due diligence process. Ultimately, your primary objective will be to better understand the risk the acquisition carries, but you need a plan in order to do that. Start by integrating cybersecurity into your M&A process as early as you can so that you can maintain strategic alignment with your overall business goals. Additionally, involve cybersecurity experts early and utilize them throughout the entire process.

As you make a plan for due diligence, don’t just focus on compliance; use a comprehensive approach that includes both technical and non-technical assessments. Your assessment should include looking at how the target company manages its data, who has access to that data, and how that data is stored. Learn more about their cloud environments and how they secure them — particularly since 56% of organizations saw an increase in cloud attacks in 2022. Ask about their network architecture, device management, and threat detection and response strategies. If applicable, investigate their use of IoT and other connected devices, particularly since 98% of IoT device traffic is unencrypted. Find out what security frameworks they have in place (or don't). And since 61% of companies don’t have an inventory of what confidential information they share with their third-party vendors, assess the risk the target company's third-party partners bring as well.

Consider, too, if the target company has different organizational, cultural, technological, and procedural complexities, or if they manage any sensitive data that will need to be considered.

2: Collect and review relevant documentation

Now that you know the questions you need answered, start by collecting and reviewing all documentation related to the target company's cybersecurity posture. First, create a comprehensive checklist of the documents you’ll need, which may include their policies and procedures, network diagrams, incident response plans, and any audit reports. Don’t ignore third-party risk or insider threats, and don’t neglect technical details either.

As you review, trust but verify: check the documentation provided to you against other evidence so that discrepancies and inconsistencies surface. Use the data you collect to identify gaps in their security or risks they may pose. Of course, avoid relying solely on self-reported information, and ask about their documentation process as well.

3: Conduct interviews with key stakeholders

Next, conduct interviews with key stakeholders at the target company, such as the CISO, IT staff, and business stakeholders. These interviews can provide valuable insights into the target company's security posture and help you understand how they manage security, what tools they use, what training is in place, and what tabletop exercises or drills they run.

As you prepare for your interviews, ensure that all applicable stakeholders are identified so that you don’t have gaps in your understanding. Create a comprehensive list of questions that cover all topics relevant to both their security posture and the M&A’s business objectives. Avoid asking leading questions that can introduce bias or incomplete information, and focus on gaining a holistic view of the people, processes, and technology. Don’t forget to document the responses as well.

4: Conduct technical testing

Next, conduct technical testing — like vulnerability scans, penetration testing, and other technical assessments — to identify any potential security vulnerabilities in the target company's network and systems. Use a comprehensive approach to technical testing that includes both automated and manual testing, with the proper permissions, and focus on key risk areas associated with the M&A, like ensuring internet-facing assets aren’t exposed. Use realistic attack scenarios during your testing to identify vulnerabilities that could be exploited by attackers, and test for both external and internal threats. Finally, document the findings from your testing in a consolidated report, and address them before the M&A is complete.

5: Develop a plan for addressing identified risks

Now that your questions have been answered and your testing is complete, it's time to make plans for addressing the risks you’ve identified. First, prioritize risks based on their potential impact on the M&A and on the overall posture of the acquiring company, and develop clear and measurable objectives to address them. Collaborate with the target company to ensure the risk mitigation plan is feasible and can be carried out within the M&A timeline. Once complete, test the plan using automation wherever possible to ensure it’s efficient and effective. Of course, communicate well during the process and revise the plan as needed.

Avoid integrating their security measures too quickly or without evaluating how they will map onto yours, which can lead to a disjointed, misaligned, and ineffective combined cybersecurity strategy. Don’t ignore the root causes of the vulnerabilities you find or overlook third-party risks, either.

Staying Safe and Out of the Headlines

An M&A is a massive undertaking, and a major business deal. Considering that 65% of organizations have regrets over their M&A deal due to cybersecurity concerns, make sure that you're approaching it with all the information you need in order to proceed with your M&A wisely — and to stay out of the news.

David Monnier is CIO, Chief Evangelist, and Fellow at Team Cymru. He has 20+ years of experience in cyber intelligence and has presented keynote insights more than 100 times in over 30 countries.

The views and opinions expressed herein are the views and opinions of the author and do not necessarily reflect those of Nasdaq, Inc.