Mergers & acquisitions: a lesson in cyber-security complacency and reputational ruin

When you undertake an acquisition, cyber-security must be a top integration priority. If left to fester, it will eventually catch you out says Ian Kayne.

Ian Kayne, cyber-security practice lead, Mason Advisory
Ian Kayne, cyber-security practice lead, Mason Advisory

Complacency is the arch-enemy of cyber-security. While no amount of investment can guarantee 100 percent protection from cyber-attacks, organisations that are consistently vigilant and understand that the devil is in the detail will always be ahead in the safety stakes.  This is especially the case over the course of a merger or acquisition. 

Data breaches often serve to spotlight the critical importance of getting the fundamentals right. Security technology and the threat landscape might have changed dramatically over the past decade or so, but organisations are still vulnerable to old flaws. Outdated insecure infrastructure, inherited through acquisition, will leave the company open to attack later if left unaddressed.

Complacency over these inherited systems is a key factor in the persistence of old, exploitable, yet easily preventable security vulnerabilities, as TalkTalk discovered. Simple, well-known attack techniques such as SQL injection can be used by hackers, allowing them to make their way into back-end databases and extract confidential information through vulnerable web pages and databases. All they need to do is input a simple string of text designed to trick the system into running arbitrary commands. This is a basic problem caused by a lack of user input validation, which has been around for years – but it still happens and can be avoided. Penetration tests and external audits of a company's web apps can detect vulnerabilities like these, and secure coding standards with testing and auditing before ‘go live' can prevent them from occurring in the first place.

These types of hacks are completely preventable if basic steps are taken to protect customer data. A thorough audit of the infrastructure at the point of acquisition will reveal if vulnerable pages exist or if pages enable insecure access to a customer database. A comprehensive audit will also help identify whether your database software is outdated or contains an unpatched vulnerability that allows access controls to be bypassed – and give you the opportunity to apply a fix. It will also help to highlight areas where additional controls are required, such as the need to encrypt confidential customer information. 

IT systems management at the point of a merger must pose the question: how can we protect our information assets if we don't know exactly what they are, where they are stored, and how they are used? An information asset register and data classification is, therefore, a business prerequisite. Further, a configuration management database (CMDB) should also be put in place, along with a policy for end-of-life management, vulnerability patching and upgrades. 

The potential threat posed by a cyber-attack will be different for different industries, so the scale of protection required will be determined by what is at stake and the company's risk policy. A pharmaceutical business needs to protect its intellectual property for example, and a utility company must make sure the lights stay on.

No organisation can be 100 percent cyber secure: if someone is dedicated and determined enough, they will find a way in. But there is no excuse for making it easy, and if you become complacent that is exactly what you do.

The integration of cyber-security between two organisations during a merger and acquisition not only needs to take place, but should be treated as an essential requirement that is every bit as important as strategic leadership integration. It should begin with a responsive provisional plan that provides only the necessary access for employees and controls data fully. It should also include a root-and-branch security audit to comprehensively identify risks and vulnerabilities that may pose a threat, post-integration. Threats that were around 10 years ago are still out there. No organisation can afford to overlook them. 

TalkTalk – Commercial Complacency and Reputational Ruin

TalkTalk was fined a record £400,000 by the Information Commissioner's Office (ICO) for security failings that allowed hackers to access the personal data of 156,959 customers, including the bank account details of 15,656 people, a year ago.

It lost 101,000 customers because of the SQL injection attacks on vulnerable unpatched databases acquired from the merger with Tiscali, although business has now returned to normal. The data breach cost it up to £60 million. The company's experience underscores just how real the risks are for major organisations.

Contributed by Ian Kayne, cyber-security practice lead, Mason Advisory

Sign up to our newsletters