By Andrew Kays, CEO at threat detection and response business, Socura
Global auditing giant, PwC, reports that 2021 was a record-breaking year for global mergers and acquisitions (M&A). There were more than 62,000 deals announced in those 12 months alone, up a remarkable 24% on 2020. It’s a flourishing market in terms of scale, but also one of great complexity and variety, both of which increase with every passing year.
No merger or acquisition is quite the same, nor are the challenges therein, but cybersecurity remains a major hurdle for businesses to overcome in every M&A deal. Security can take significant resources to get right, derail deals entirely in the due diligence phase, or prove a costly oversight later down the line.
The recent Okta data breach is a good example of M&A woes and how cybersecurity can slip through the cracks. Okta has laid the blame for the data breach with IT supplier, Sitel, which acknowledges the data breach but claims that a legacy network belonging to Sykes was at fault. Sykes is a company that Sitel acquired several months before the breach. The case speaks to the difficulties of assessing another company’s security processes prior to engagement, the risk that it has skeletons in the closet that could fall out at any time, as well as the unique opportunity that M&A presents to threat actors looking for potential targets.
Broadly speaking, the cybersecurity dangers that occur in M&A situations can be broken down by before, during and after M&A. There are also unique security challenges depending on the M&A scenario, e.g. if a large company is buying a smaller one, two similarly sized companies are merging, or a company is expanding into new regions through acquisition.
Due diligence – easier said than done
A company being acquired can easily pull together financial forecasts, historic profit and loss statements, budgets, and product pipelines. They will be assessed in great depth during the due diligence stage of an acquisition. Cybersecurity is a different beast entirely. A company will need to disclose data breaches, and outline its security processes and technologies. For instance, if it was hit by ransomware 12 months before the acquisition, it would need to disclose the fact. However, many companies do not discover that their networks were breached by an attacker until months later. Also, a historic ‘clean bill of health’ is no guarantee that the company hasn’t fallen into an attacker’s crosshairs more recently.
There is also an inherent level of trust required when one company acquires another. They have to have confidence that the information provided is accurate and up-to-date. When money is on the table, and a company is weighing up a sizable offer or investment, there is an incentive to paint a more rosy picture than the reality. Someone unscrupulous could be less than 100% transparent on an issue like cybersecurity if there is even a remote chance that it could scupper a deal.
When two companies become one, there are always complications and compromises. The process can be tumultuous, which is bad news for security blue teams, the defenders, who prefer stability and predictability. Chaos makes good security harder to come by. For instance, security teams regularly benchmark normal / good behaviour among employees and systems, so that they can identify anomalies and potential malicious actions. During a merger, when people’s activities, the systems they use, and the roles they perform are all in flux, spotting anomalies becomes much harder. Attackers know this too, and will actively target businesses that are pursuing M&A activity knowing that they stand a better chance of remaining undetected. The chaos can act as their smokescreen.
Securing a company, or multiple companies, during a period of flux is hard work. It is often the case that one company will have a certain way of doing something, which the newly onboarded employees disagree with or cannot replicate. One company may have tools, processes and technology that the other is not familiar with, struggles to adopt, declines to implement, or needs to be trained in. Any kind of non-compliance leaves cracks in defences, while the extra training takes resources away from day-to-day security operations.
Employee churn is also a problem. When members of staff change their role, are made redundant, or quit as a result of a merger, this can have a profound impact on security. Alerts and incidents may slip through the cracks if someone who used to manage them is no longer at the company, or previously well-defined chains of command may become broken or disrupted. That can be of great consequence when responding to a data breach, when it is imperative that a company limits the time between detection and response, and thereby limits the damage done.
If a larger company acquires a smaller one, the smaller one will usually inherit the security policies of the ‘bigger fish’, which is to its significant advantage. After the merger, the smaller business suddenly has far more mature security policies, and a bigger budget for security tools, technologies and resources to tap into. However, the benefits are reversed for the big company. The relatively immature security policies of the smaller business represent a risk. Its employees may not be used to the larger company’s more secure ways of working, or its tools, and may make mistakes that lead to cyber incidents. If an employee is at risk of losing their job after M&A, they could even become an insider threat. They may download files for future use elsewhere, inadvertently leak or lose data, or even provide access to the network in the worst-case scenario.
If two similarly sized companies merge, it is not the case that one simply adopts the security policies and expertise of the other. It is usually a more complicated matter, with a less clear result. Both companies will likely put up a fight to continue doing things their way. Unfortunately, security teams can be fiercely dogmatic when it comes to their chosen technologies, vendors, and methods of working. This tension can create disgruntled and unhappy employees, who are forced to work with security tools they don’t like, don’t trust or don’t yet know how to use competently. It’s far from ideal, and can again drain resources or lead to cyber incidents later down the line.
How to mitigate the cyber threats of M&A
Due diligence is vital before embarking on M&A, and security must be thoroughly assessed during the process. While cyber security cannot be analysed as simply as a profit and loss statement, companies should do their best to ingest as much data as possible from their employees, endpoints, network, and cloud applications. This is the best way of ensuring a view of the bigger picture without any blind spots.
During and after M&A, businesses need to make sure that they are continuously monitoring this data 24/7. This way they can react to data breaches in their infancy and limit the impact as much as possible.
As for overcoming the personnel and technical challenges of M&A flux, it’s a case of mitigating the issues, since they can’t be avoided outright. Management naturally wants to break down silos; they want everyone and every department to be using the same tech, processes and systems as each other. IT tools and teams will be merged as soon as possible, for the sake of efficiency. However, some degree of technical segmentation is possible, so that a breach in one previously unconnected department doesn’t have serious ramifications for others. There are models for segmentation such as Purdue’s, although this is mostly applied to critical infrastructure.
It’s also vital that security teams have complete oversight of the entire estate, no matter how big it has grown. They must have the controls put in place to analyse traffic, spot malicious activity and limit traffic. Security teams also need to prioritise rules and automation as much as possible before M&A is complete, so that they are not constantly fighting fires. They need to have some extra bandwidth to respond to potential incidents.
2022 promises to be another strong year for global M&A activity, but it’s important that the industry learns its lesson from incidents like the Okta breach. If not treated seriously, security can undermine all the good work and business benefits of any M&A deal.