Making cyber-security due diligence an M&A priority
Shawn Henry explores the potential security pitfalls involved when companies make an acquisition, along with the steps that must be taken to mitigate these risks
Shawn Henry, president and CSO, CrowdStrike
Last year alone, M&A activity reached fever pitch, with the global market valued at over US$4 trillion (£2.8 trillion), its highest since 2007. If 2016 follows suit, we are looking at more than 18,000 M&A events this year, many of which may be "megadeals" exceeding US$50 billion (£35 billion). Furthermore, it is not just the global market that is booming: the UK is tipped as the top European target for inbound deals from emerging markets.
With this market opportunity reaching staggering heights, no company can afford to take on a partner organisation without exploring all the areas of risk involved. This involves much more than just the traditional financial calculations. Whether it's a large company acquiring a niche business that sits outside of current client offerings, or a smaller company partnering with another organisation to expand its footprint, businesses must prioritise security.
When organisations make an acquisition, they are essentially investing in the intellectual property and R&D of the proposed partner organisation. Typically, few individuals on the buyer side truly understand the network systems they are about to purchase, which is where that valuable IP lives. The integrity of this data must be assessed prior to an acquisition, and the team assessing it must be able to provide a level of scrutiny that ensures all areas are fully evaluated, diagnosed and proven secure. Currently this is not a process that is routinely followed, because companies lack clarity on exactly what they should be looking for before a deal is finalised.
It's like buying a first home – typically the biggest personal investment an individual ever makes. When you are house hunting, you don't do it without some kind of guidance from an estate agent or a property manager who asks the important questions. M&A activity is no different, as it involves a significant business investment. You wouldn't make a home purchase without an inspection or without the guidance of a reputable source, so why would you accept less vigilance when it comes to your business? Being able to fully vet a target company's systems, data, and environment to assess and protect the valuable assets being acquired is essential.
Determining a partner's security profile begins with knowing what questions to ask. For starters, are there any vulnerabilities in the partner organisation that could be exploited to access your systems? How secure will the data be during the integration process? Has their network been compromised before, and what security risks are posed by merging the two environments? Ultimately, the assessment a business undertakes prior to any activity should aim to determine whether the target organisation has the same level of security controls in place and meets the buyer's existing standards, even without absorbing its technological resources.
Working with a third party throughout this process can help businesses to explore these critical security questions and prevent the introduction of any unnecessary risk. This involves undertaking a comprehensive assessment to identify the gaps in security posture, examine security documentation, review IT processes, and conduct interviews with key staff to understand where cyber-security falls on their list of priorities. By doing so, the business can paint a full picture of what is being acquired, the intrusion detection controls in place and the current employee mindset on security. It also helps to determine what precautionary technical measures the business should take, for example network-based monitoring, which provides visibility into potentially malicious traffic entering and exiting the networks.
Ultimately, the nominal cost of being proactive and predictive about security saves significant time and money in the long run. It is always harder and more expensive to react to something than to prevent it from happening in the first place. The best protection is having a team on hand to provide recommendations on how to prioritise resources based on the actual risk, create an implementation plan for effective detection measures, and maintain a comprehensive security strategy that actually prevents damage.
Contributed by Shawn Henry, president and CSO, CrowdStrike