Given both the economic and political uncertainty here in the United States, largely because of the tariffs, Merger and Acquisition activity has slowed down. It is by no means as robust as it was last year, but here and there it is still happening, and that includes the Cybersecurity world. While it may sound like all glitz and glamor when one company buys out another, a lot goes on behind the scenes, and there is a lot of risk as well. Since there is not a lot written about it, I am going to talk about it here, in this blog. There are a few risks to cover, so here they are:
1) The Due Diligence:

Most C-Suites are obsessed with such things as the bottom line, valuation, what the new products and services of the acquisition bring to the table, gaining a big customer base, etc. But there are other things to think about here as well. When it comes to the digital assets, Due Diligence is a sheer must. The best way to get started is to conduct a Risk Assessment of the company that you are about to acquire, just as you have (hopefully) done for your own digital assets. Apart from finding any vulnerabilities or gaps, you need to assess the following as well:

- Existing security policies, and any that are in the pipeline.
- The history of their compliance. For example, are they "clean" with regard to the data privacy laws? If not, what steps are they taking to correct that?
- What is the password policy like? Are they making use of a Password Manager?
- What are their Identity and Access Management (IAM) and Privileged Access Management (PAM) like? Are they being strictly enforced?

If you do not do a comprehensive check of all of this, you will be held responsible for any security breach that may occur down the road.
2) Access Control:

Although this was just touched on, you must fully ensure that the IAM and PAM policies of the company you are about to buy are fully compatible with what you have. If not, login credentials can easily get heisted, and if the merger is made public, the Cyberattacker will be on the hunt for this. Some things that you need to pay very careful attention to include the following:

- The kinds of usernames and passwords that your new employees are using now, and have used in the past.
- How often the passwords have been reset.
- Whether, after you buy out the company, they still have access to those same login credentials.

The best thing you can do in this regard is to completely eradicate everything that they have had in the past, but it is still important to review their previous login history and especially take note if they have a rash of unsuccessful login attempts.
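One way to put those last two checks into practice, as an added example that is not the author's own code: a small Python script that parses constructed authentication log lines (the line format, the `@acme-legacy` user suffix and the cutover date are all assumptions) and flags both a burst of failed logins for one account and any successful login with legacy credentials after the date they should have been revoked.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the post); one event
# per line: ISO timestamp, username, source IP, result.
SAMPLE_LOG = """\
2024-06-01T08:00:01 jsmith@acme-legacy 10.1.1.5 FAIL
2024-06-01T08:00:03 jsmith@acme-legacy 10.1.1.5 FAIL
2024-06-01T08:00:05 jsmith@acme-legacy 10.1.1.5 FAIL
2024-06-01T08:00:07 jsmith@acme-legacy 10.1.1.5 FAIL
2024-06-01T08:00:09 jsmith@acme-legacy 10.1.1.5 FAIL
2024-06-01T08:00:12 jsmith@acme-legacy 10.1.1.5 SUCCESS
2024-06-01T09:15:00 alee@acme-legacy 10.1.1.9 SUCCESS
2024-06-01T09:40:00 bkhan@parent-corp 10.2.2.2 SUCCESS
2024-06-03T02:10:00 alee@acme-legacy 10.1.1.9 SUCCESS
"""

# Assumed date by which the acquired company's old credentials were to be revoked.
CUTOVER = datetime(2024, 6, 2)

def parse_log(text):
    """Turn each log line into (timestamp, user, source_ip, result)."""
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result))
    return events

def failed_login_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Return users with at least `threshold` FAILs inside any sliding `window`."""
    fails = defaultdict(list)
    for ts, user, _ip, result in events:
        if result == "FAIL":
            fails[user].append(ts)
    flagged = set()
    for user, times in fails.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # shrink window from the left
                start += 1
            if end - start + 1 >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)

def legacy_logins_after_cutover(events, legacy_suffix="@acme-legacy", cutover=CUTOVER):
    """Return (user, timestamp) for successful legacy-domain logins on or after cutover."""
    return sorted({(u, ts.isoformat()) for ts, u, _ip, r in events
                   if r == "SUCCESS" and u.endswith(legacy_suffix) and ts >= cutover})
```

Both checks return plain lists so they can be dropped into a scheduled job or a SIEM enrichment step and alert on non-empty results.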
3) IT/Network Infrastructures:

When you buy out that company, you are not just getting the digital assets, but their entire IT and Network Infrastructure as well. Before you just try to merge everything together, you need to determine how much of it is On Prem and how much of it exists in the Cloud. Once you have determined all of that, you then need to take a phased-in approach (technically, a sandboxed one) to make sure that it will behave "nicely" with what you already have. The bottom line is that once you finally merge everything over, you need to do another full-blown Penetration Test to make sure that no new gaps and vulnerabilities have popped up. If they have, then you need to remediate them immediately.
4) Social Engineering:

Just after the M&A activity has transpired is yet another prime time for the Cyberattacker to make their move. This is where Social Engineering comes into play. They know that everybody will be at one of their weakest moments at this point in time, so they can easily prey on vulnerable emotions. Before and after, and even in the long term, you must train both your own and the new employees in the tactics that the Cyberattacker can use in this regard. You must enhance and increase the frequency of your security awareness training programs, especially when it comes to Phishing and Deepfakes.
5) The Insider Threat:

Just before or after you have merged the two entities together, unfortunately, there could be some layoffs. This could obviously create some negative feelings, so you will want to address this with the employees who have been let go. Some ways that you can cushion the blow include offering a severance package, and even career counseling. If at all possible, try to place them into a different role after the merger.

Also, there is the threat of intentional data leakage or data exfiltration, so you will need to make sure that the controls are in place for that as well, and that your IT Security team is on a continual watch for any signs of abnormal or malicious behavior.
My Thoughts on This:

Well, there are some key tips on how you can cut down the risks when you buy out another company. However, it is also important to keep in mind that Mergers and Acquisitions are not just about the bottom line. There is also the human factor, and if you treat your new employees with the respect and acknowledgement that they deserve, this will carry you a long way in terms of being Cybersecurity safe.