Sapsiwai - Fotolia
Cybersecurity testing essentials for mergers and acquisitions
Before moving forward with an M&A, conduct some cybersecurity testing to ensure your company knows how the acquired company protects data, employees and customers.
Mergers and acquisitions (M&A) are an important part of an enterprise's growth, but with these transitions comes the potential for greater security risks. The more an organization intertwines its data and processes with another organization or third-party software or service, the greater the risk of introducing potential backdoors, spyware or subpar security practices into your business, as evidenced by many recent headlines. As companies venture into the unknown in terms of people, infrastructure, supply chains and technology partners, they should prioritize security throughout the entire M&A process to ensure that the transition is as risk-free as possible.
Though sometimes treated as a checkbox exercise, cybersecurity testing is an essential part of a merger or acquisition, and how businesses carry it out can ultimately make or break the deal's success. Companies must do their due diligence, conduct the right security tests and be cautious when considering any consolidations. Let's take a closer look into how this can be achieved.
Do your due diligence
When embarking on the M&A due diligence process, there are a few areas a company needs to examine from a data security perspective. One of the first steps is finding and securing your most valuable resources, which in most cases is the organization's intellectual property (IP). Likely a large reason why your company is choosing to merge with or acquire another is that their IP will bring value to your business. As such, security practitioners should dedicate most of their focus and resources to protecting this IP and keeping it from the public domain.
Next, look at data security from the standpoints of both the attacker and defender. Determining what data an attacker is most likely to pursue is key for establishing a security testing plan. Consider how your organization looks from the outsider's perspective and protect sensitive information that could be exposed, such as important data stored in databases or trade secrets shared over email.
Find out what kind of security measures the company you're looking to merge with or acquire has in place. Are they performing regular vulnerability assessments and penetration tests? Do they have strong email security practices in place? Have they examined their own databases and cloud configurations for security vulnerabilities at a granular level? These are the kinds of questions your company should ask while completing due diligence to eliminate potential security risks down the road.
Conduct the right security tests
When it comes to security testing, there is no one-size-fits-all approach. Determine your organization's own testing level based on your criteria for security best practices and make sure that the tools, practices and processes you bring in from the other organization are up to your standard. For example, find out whether the organization you're acquiring is proactively hunting for threats, and if they have a program in place to effectively take in and respond to those threats.
Another good way to determine what tests are needed is by looking at your own IP and working backwards, examining what systems your data resides in, what controls you have around it, and how to test to make sure they are working. Three essential security tests any organization should run during the M&A process include vulnerability assessments, penetration tests and red and purple team tests:
- Vulnerability assessments. These are a proactive approach to exposing and eliminating threats. Whether it's testing databases, networks or applications, vulnerability assessments are key to keeping your networks safe, particularly when most of the workforce is now working from home during the pandemic.
- Penetration tests. These are effective for finding and dismantling potential risks. Through ethical hacking and testing application security, you can discover any potentially harmful threats, which will help you know ahead of time if there are any risks or liabilities before you complete the M&A.
- Red and purple teams. These are great resources for identifying and defending against potential threats. Red teaming is an adversarial approach, finding vulnerabilities by accessing the company's more sensitive data. Conversely, purple teaming is more cooperative in nature, designed to help organizations grow and defend their own environments through attackers and defenders fine-tuning responses to well-established tactics and techniques.
These three tests are essential for enterprises considering mergers and acquisitions, as they can help spot vulnerabilities and allow your organization to assess the risks associated with the M&A. This gives you time to evaluate if your organization should move forward with the process or not.
Does your company cybersecurity culture align with the other?
In addition to the tests described above, make sure the security culture of the company you are considering merging with or acquiring is aligned with your own. Culture is an important but often overlooked component of M&A success. Regardless of the organizational culture, every company should, at a minimum, be conducting security awareness training on a regular basis and following security best practices established by NIST standards as a baseline, such as having employees use multifactor authentication when accessing the company network and using a VPN when working remotely.
By doing your due diligence, conducting the right cybersecurity tests and following security best practices, you can help reduce the risk associated with M&As and ensure continued growth and success.
About the author
Mark Whitehead is the global vice president of SpiderLabs Consulting Services at Trustwave. His responsibilities include setting the strategy and directing delivery for all Trustwave's portfolio of testing services for Canada, the United States, as well as Latin and Central America. Mark possesses over 16 years of experience in the cybersecurity field with 10 years of leadership and management experience.