M&A – Buying While Cyber Blind?
Mergers and acquisitions: Many organizations utilize these activities to move their business forward by expanding into different market segments or gaining competitive advantage with a unique offering.
But too often the integration and onboarding that follow a deal move at the speed of business. Speed can obscure critical security issues: what happens when you’re blind to the hidden risks that lie within the acquired company’s network, workstations, and employee base?
Build-in Secure Integration Time
Operating at the speed of business is something most security teams cannot avoid. Security is often viewed as an impediment to making money, and during an acquisition the faster an organization can absorb and integrate the new company, the sooner it can realize the perceived benefits. So realistically, how can I recommend slowing down this process?
There are two aspects to consider with regard to securely integrating a new business into an existing network:
- Assessing the risk during negotiations
- Dealing with the risk after signing on the dotted line
As discussed, after the deal is signed it’s highly likely that you won’t have more than a few days or weeks to move everything over. That probably eliminates the ability of your security team to ensure everything is copacetic before integration. If you’re able to convince your management team to give you a few days to assess the situation, you’re one of the lucky ones.
On the other hand, there’s a great opportunity to get your security team involved in the M&A process ahead of the signed agreement. Understanding the risks associated with integrating two companies together from a cybersecurity perspective is paramount to the overall M&A risk profile. As such, organizations should look to perform a security assessment on their acquisition targets as part of the negotiation process.
Know What You’re Buying – Before You Buy
So with all of this hidden risk on the cybersecurity side, why aren’t more companies assessing this along with the financial risk calculations? Currently, there aren’t many good ways to do this. Regulatory assessments only go so far and, unfortunately, they are too often performed by companies and individuals who only see risk behind the veil of an audit methodology. Is there value in running through a checklist of questions to determine if anything about the environment is material? Sure there is. However, these types of examinations are not going to reveal the types of hidden risks I mentioned above.
At CrowdStrike, our approach to M&A Cyber Risk Assessment combines a compromise assessment with a cybersecurity maturity assessment, together giving the acquirer a clearer understanding of the target’s cybersecurity risk profile. When I break down the questions an acquiring company should be asking before an M&A transaction, the two primary ones are:
- Is there any evidence that this organization is already breached or has been previously?
- Does the organization have a mature cybersecurity capability?
The first question really gets to the heart of the hidden risks of an acquisition. You wouldn’t buy a car or a house without first inspecting it. So why are organizations buying other companies without looking at the health of their networks? The current process is more like buying a car based on the sticker alone: if everything checks out financially and I think this car is going to improve my life, that checks the box and I’m writing the check.
We recommend companies use a compromise assessment to answer this first question. The goal of a compromise assessment is to examine host artifacts and network traffic for evidence of past or current compromise. We pair this with our Falcon Host technology, which, when deployed across all of the customer’s endpoints, gives us near-real-time visibility into activity on the hosts. This combination of analysis and monitoring allows us to determine, with a high degree of confidence, whether an organization is currently compromised. That answers question number one, which is the question most executives should be asking today.
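To make the host-artifact and network-traffic side of a compromise assessment concrete, here is an added example of the kind of triage an assessor runs over collected evidence. It is written for this page and is not CrowdStrike’s methodology or Falcon Host output: the indicator lists, baseline, host names, hashes, domains and log lines are all constructed for illustration, and the DGA-style hostname heuristic is a deliberately simple analyst-review rule, not a confirmed-compromise test.

```python
"""Triage of constructed host persistence entries and DNS query logs against
indicators of compromise (IOCs) and a reviewed baseline, in the spirit of the
compromise assessment described above.

Added example for this page. Not CrowdStrike's methodology, Falcon Host output
or a real indicator feed; every hash, domain, host name and log line below is
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Constructed indicators. A real assessment loads these from a threat
# intelligence feed; these hashes and domains are placeholders, not real IOCs.
IOC_SHA256 = {
    "9f2c41a7e0c3d8b5f6a1e2d3c4b5a69788776655443322110ffeeddccbbaa990": "constructed dropper hash",
}
IOC_DOMAINS = {
    "update-check.example.net": "constructed C2 domain",
}

# Persistence entries the assessment team has already reviewed and accepted
# (location, lower-cased image path). Anything not listed here is reported.
KNOWN_GOOD_PERSISTENCE = {
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
     r"c:\windows\system32\securityhealthsystray.exe"),
}

# User-writable directories from which legitimate autostarts rarely run.
SUSPICIOUS_PATH = re.compile(r"\\(temp|programdata|users\\public)\\", re.I)
SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}


@dataclass(frozen=True)
class Finding:
    host: str
    severity: str
    reason: str
    evidence: str


def triage_persistence(host, entries):
    """entries: iterable of (location, image_path, sha256) tuples collected from a host."""
    findings = []
    for location, image_path, sha256 in entries:
        path = image_path.lower()
        evidence = f"{location} -> {image_path}"
        if sha256.lower() in IOC_SHA256:
            findings.append(Finding(host, "high", "autostart binary matches IOC: " + IOC_SHA256[sha256.lower()], evidence))
        elif (location, path) in KNOWN_GOOD_PERSISTENCE:
            continue  # reviewed and accepted, nothing to report
        elif SUSPICIOUS_PATH.search(path):
            findings.append(Finding(host, "medium", "autostart runs from a user-writable directory", evidence))
        else:
            findings.append(Finding(host, "low", "autostart not in reviewed baseline", evidence))
    return findings


def triage_dns(host, log_lines):
    """log_lines use the constructed format '<timestamp> <client_ip> query <qname>'."""
    findings = []
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":
            continue  # malformed line; a real tool would count and report these
        qname = parts[3].rstrip(".").lower()
        first_label = qname.split(".")[0]
        if qname in IOC_DOMAINS:
            findings.append(Finding(host, "high", "DNS query for IOC domain: " + IOC_DOMAINS[qname], line))
        elif len(first_label) >= 24 and any(c.isdigit() for c in first_label):
            # Long mixed alphanumeric labels are a common but noisy DGA heuristic;
            # flagged for analyst review, not treated as confirmed compromise.
            findings.append(Finding(host, "medium", "DGA-like hostname queried", line))
    return findings


def assess(artifacts):
    """artifacts: {host: {"persistence": [...], "dns": [...]}} -> findings, worst first."""
    findings = []
    for host, data in artifacts.items():
        findings += triage_persistence(host, data.get("persistence", []))
        findings += triage_dns(host, data.get("dns", []))
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))


def is_compromised(findings):
    """The first question above: any high-severity finding is evidence of compromise."""
    return any(f.severity == "high" for f in findings)


# Constructed artifacts from two hypothetical workstations on the acquired network.
SAMPLE_ARTIFACTS = {
    "WS-ACQ-017": {
        "persistence": [
            (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\SecurityHealth",
             r"C:\Windows\System32\SecurityHealthSystray.exe", "0f" * 32),
            (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
             r"C:\Users\jsmith\AppData\Local\Temp\svchost.exe",
             "9f2c41a7e0c3d8b5f6a1e2d3c4b5a69788776655443322110ffeeddccbbaa990"),
        ],
        "dns": [
            "2016-03-01T09:12:44Z 10.20.30.17 query www.example.com.",
            "2016-03-01T09:13:02Z 10.20.30.17 query update-check.example.net.",
        ],
    },
    "WS-ACQ-022": {
        "persistence": [
            (r"Task\Microsoft\Windows\Sync\SyncHelper", r"C:\ProgramData\sync\sync.exe", "1a" * 32),
        ],
        "dns": ["2016-03-01T09:40:10Z 10.20.30.22 query a8f3k2m9x7q1z4c6v0b5n2h8j1l3.example.org."],
    },
}

if __name__ == "__main__":
    results = assess(SAMPLE_ARTIFACTS)
    for f in results:
        print(f"[{f.severity:6}] {f.host}: {f.reason}\n         {f.evidence}")
    print("compromised:", is_compromised(results))
```

On the constructed sample, the first workstation produces two high-severity findings (an autostart whose hash matches the indicator list and a query for the listed domain) and the second produces two medium-severity findings for analyst follow-up. The design point is the ordering of checks: indicator matches are reported before baseline suppression, so a known-good location cannot hide a binary that has been replaced, and anything outside the reviewed baseline is surfaced rather than silently accepted.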
The second question looks to the future. In an M&A situation, that future is about to be sitting in your environment. Even if you’re not taking on the acquired company’s cybersecurity processes, technologies, or resources, it’s a good idea to understand how well cybersecurity is ingrained in its corporate culture. More often than not, some of those processes and technologies come across in the transition anyway. We recommend assessing the current capabilities of the company being acquired. Not only will this pinpoint potential risks, it also helps the acquiring organization identify strengths it can leverage.
CrowdStrike offers a cybersecurity maturity assessment to help organizations answer this second question. Through an assessment of the people, processes, and technologies behind a company’s primary cybersecurity capabilities, we provide a maturity score in each area, paired with a view of how others in your industry score. What’s the value of this during an M&A transaction? Most organizations want to know whether they’re taking on an immature cybersecurity program or a best-in-breed one. From an adversary’s perspective, companies at the bottom of the maturity scale are far easier to compromise.
Putting It All Together
Just recently, we worked with an organization that was experiencing a serious malware outbreak. The compromised network was in the process of transitioning to an acquiring company. Our role was to help eradicate the infection before the transition so the receiving company did not take on unnecessary security risk. Had the malware instead sat idle in the network until the transition was complete, the acquiring organization would have had a serious problem to deal with. Moving forward, that organization and others in its position should consider the M&A Cyber Risk Assessment program as a way to avoid this type of outcome.
With all of the other risk calculations and analysis that occur during a standard M&A transaction, it seems irresponsible in today’s business operations to ignore one of the biggest threats facing companies today. Executives and board members are finally starting to understand the importance of cybersecurity within their organizations on a day-to-day basis. Why wouldn’t they also pay attention to this pivotal area when acquiring another company? As the threat landscape has changed, so must our approach to cybersecurity risk surrounding M&A transactions.