Mind the (Security) Gap: ASM as a Critical Function During Mergers & Acquisitions
A PwC report on global M&A trends for 2020 noted that the “pandemic and recent geopolitical developments have already led most companies to the same conclusions, pushing both deal volumes and values higher … particularly for digital and technology assets”. In this blog, I will highlight key benefits of attack surface management when it comes to large business changes like mergers and acquisitions. My goal is to give business leaders and decision makers a better understanding of the cybersecurity risks your company will face when acquiring another company.
In the past, acquiring companies would deeply review the fundamentals of a target acquisition. These fundamentals consisted of the company’s financials, consumer sentiment of the brand, the products, and the services offered. All of these are fundamental to the strategy, or what I like to call the “so what”, of the acquisition. Cybersecurity wasn’t even a forethought in the process for a majority of deals during and prior to the dot-com era.
Fast forward to today and we have moved into an era where you aren’t buying a company; in reality, you are buying the data. With that data come data security concerns, which you are also signing up to buy. Unknown breaches of the past, currently compromised networks, and future results of poor cybersecurity practices are all part of a worst-case scenario that we must measure against when going through this process. Part of your due diligence during an acquisition today MUST involve understanding the security posture and risk of an organization you don’t have inside knowledge of yet. Gartner reported that by 2022, 60% of organizations engaging in M&A will consider cybersecurity as a critical factor.
The biggest challenge is knowing if the organization you are acquiring is already compromised. You do not want to give a potential threat actor lurking in the company you are acquiring a free pass into your network. Discovering that an organization is already breached can really muddy the waters by lowering the value of the deal. You will take on the hidden security debt of breach response, the unknown cost of brand damage, and future legal impact. A well-known example of this is the Yahoo breach that Verizon became aware of during the due diligence phase. The compromise at Yahoo was very costly to Verizon. It resulted in Verizon lowering the buying price by 350 million dollars, which seems like a savings yet was not. After closing the acquisition, Verizon settled in the courts for 117.5 million dollars, had to agree to spend 306 million dollars on information security for the years 2019–2022, and agreed to quadruple Yahoo’s staffing in security.
The next greatest cybersecurity concern during an M&A is discovering what assets you are inheriting, their level of risk, and whether your team has appropriate processes in place for identifying and remediating those risks. Using an attack surface management platform such as the Censys ASM Platform can easily help you determine if the hygiene of an acquisition target is sufficient. You can become keenly aware of security gaps by discovering exposed ports hosting protocols and/or services that present an obvious risk. For example, if you find databases exposed, you might want to include questions in your disclosure process around how those databases are protected (considering they are accessible from outside the firewall). Perhaps you find a sprawl of web server software running on various versions, some of which are expired. This is indicative of poor asset management and cybersecurity hygiene, as well as a lackluster vulnerability and patch management strategy.
Lastly, there are some not-so-obvious findings that, when paired with the information we discussed earlier, can arm you with the intelligence you need to price your offering accordingly and to truly understand the business risk from a financial perspective. For example, let’s say an organization creates web content for a short period of time, maybe for marketing, or a developer provisions a testing environment. They then leave the site or provisioned service up. It becomes a forgotten asset, but it ends up a security risk to the organization because it was perhaps outside of the sanctioned IT environment and controls. This kind of security risk is one that the target acquisition company is unaware of and therefore can’t disclose. Only through doing the work to get the attacker’s perspective would the acquiring company be aware of this risk.
Another very common example, although one we don’t have a clear way of dealing with, has to do with the cybersecurity skills gaps we are all faced with today. There just are not enough people to fill the required roles for most companies to have a good security posture. This leads to the existing staff being stretched thin and under the needed capacity. Mistakes can and will be made. You may not have the right staff, or frankly enough staff, in place to properly conduct a cybersecurity assessment for an acquisition. Offloading this part of the cybersecurity assessment to a solution like Censys will immediately help address the skills shortage and knock out, in a matter of days, what would take a person weeks, if not months.
Attack Surface Due Diligence for Successful Mergers and Acquisitions
So how do you go about ensuring what you are buying is secure? Looking at the company’s attack surface yourself during the due diligence process can help you verify what you are acquiring and identify potential issue areas that could cost you down the road. You will know the number of external assets and the type of risk those assets expose by pairing a risk framework against open ports, accessible protocols, live services, and any associated known common vulnerabilities.
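As an added illustration (not code from Censys or from the original post), the sketch below pairs a small risk framework against an external asset inventory and turns the two findings discussed earlier, exposed databases and web server version sprawl, into disclosure questions. The inventory, service labels, weights and threshold are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample inventory of a target's internet-facing services
# (documentation-range IPs; not real scan data).
ASSETS = [
    {"ip": "203.0.113.10", "port": 443, "service": "HTTP", "software": "nginx", "version": "1.18.0"},
    {"ip": "203.0.113.11", "port": 443, "service": "HTTP", "software": "nginx", "version": "1.14.2"},
    {"ip": "203.0.113.12", "port": 80, "service": "HTTP", "software": "nginx", "version": "1.10.3"},
    {"ip": "203.0.113.20", "port": 3306, "service": "MYSQL", "software": "mysql", "version": "5.7.30"},
    {"ip": "203.0.113.21", "port": 27017, "service": "MONGODB", "software": "mongodb", "version": "4.0.3"},
    {"ip": "203.0.113.30", "port": 22, "service": "SSH", "software": "openssh", "version": "8.2"},
]

# Assumed risk framework: service classes and weights are illustrative only.
DATABASE_SERVICES = {"MYSQL", "POSTGRES", "MONGODB", "REDIS", "MSSQL", "ELASTICSEARCH"}
WEIGHTS = {"exposed_database": 5, "version_sprawl": 3}
SPRAWL_THRESHOLD = 3  # distinct versions of one product before it counts as sprawl


def assess(assets):
    """Return (findings, score) for an external asset inventory."""
    findings = []
    versions = defaultdict(set)
    for a in assets:
        versions[a["software"]].add(a["version"])
        if a["service"] in DATABASE_SERVICES:
            findings.append({
                "type": "exposed_database",
                "asset": f'{a["ip"]}:{a["port"]}',
                "question": f'How is the {a["service"]} instance at {a["ip"]}:{a["port"]} '
                            "protected, given it is reachable from outside the firewall?",
            })
    # Several versions of one product in production points at weak patch management.
    for software, seen in sorted(versions.items()):
        if len(seen) >= SPRAWL_THRESHOLD:
            findings.append({
                "type": "version_sprawl",
                "asset": software,
                "question": f"What is the patch process for {software}? "
                            f"{len(seen)} versions are deployed: {', '.join(sorted(seen))}.",
            })
    score = sum(WEIGHTS[f["type"]] for f in findings)
    return findings, score


if __name__ == "__main__":
    findings, score = assess(ASSETS)
    for f in findings:
        print(f'[{f["type"]}] {f["asset"]}: {f["question"]}')
    print("risk score:", score)
```

The score is only a relative indicator for comparing targets or tracking one target over time; the generated questions are what feed the disclosure process.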
Traditionally, the people who do the work for mergers and acquisitions are often not cybersecurity experts. This is a very extensive process, and you can partner with Censys to help you along this journey. Using the Censys Attack Surface Management Platform, you can automate an outside-of-the-firewall view, which immediately translates into savings of engineering resource time while exposing hidden risks. Reviewing the attack surface of a company you are acquiring will help you ensure the right price and the true cost, and will benefit the overall merger or acquisition.
For more information about how Censys ASM Platform can support your acquisition needs, contact us today for a demo!
Alexis Culp is a Principal Solutions Engineer at Censys. She holds a Computer Science degree with honors from the University of California, Santa Cruz. She is an active member in WiCyS and is currently the Program Chair for WiCyS Oregon Affiliate. She believes an organization of any size can have a defensible network if they invest in three important components: a reliable technology stack, relevant threat intel, and people with a passion for what they do.