Companies are susceptible to possible cyberthreats during mergers and acquisitions; learn from an expert why and how to reduce security risks during the transition.
Cybersecurity is one of the last things on upper management's radar during a merger or acquisition, but it should be one of the first considerations. "Companies that are being bought and sold are often prime targets for cyberattacks," explained Jim Crowley, CEO of Industrial Defender, during an email question-and-answer session. "However, by enacting Operational Technology security measures, organizations can avoid an exciting company milestone becoming an infrastructure and security nightmare."
To learn more about this overlooked vulnerability, Crowley answered the following questions.
Why are cybercriminals targeting companies undergoing a merger or acquisition (M&A)?
Crowley: They are attacking these companies for the same reason people used to rob banks: it's where the money is. If you sold a business to a large company or a private equity firm, they would have a lot more resources to pay up than if you were a smaller stand-alone organization without a strong balance sheet.
Something else to consider is the nature of M&A. New ownership and management teams transitioning in or out of their roles present opportunities for cybercriminals to attack while businesses are in this transitional phase.
Can you provide a detailed scenario of what this kind of cyberattack would look like?
Crowley: Sure, a cyberattacker may be tracking M&A activity through publicly available information and then researching what level of defense the target has in place. It's pretty simple via standard social-media tools to chart how many information-security people are on staff or what tools they may have in place. If it appears there is no infosec function, the company may be that soft target cybercriminals are seeking.
The cybercriminal could use a variety of methods to get into the network. A phishing attack via email is a pretty common and effective approach. Once they have found credentials to access systems, they can move around the networks and applications to find where the most sensitive information is.
If it's an intellectual property attack, they may steal product designs, pricing information or other sensitive business information and leave without anyone knowing there was a breach. In the case of ransomware, they will get access to sensitive files, encrypt them—so applications and business processes stop working—and demand a ransom payment from the company to regain access to the files.
Why aren't more companies aware of the increased likelihood of a cyberattack during an M&A?
Crowley: It's embarrassing to report this kind of cybercrime. It could damage the company brand, customer relationships and put the business in a poor competitive situation when trying to merge a business or execute on a new ownership arrangement, so there is a reluctance to share the company's "dirty laundry."
What steps can businesses being acquired take to mitigate cyber threats?
Crowley: The first step, if it is not already in place, is to have an incident response plan. Having a checklist of who to call and what resources those responsible for cybersecurity will need to clean up the mess will help them get through the process faster and with less impact than if they need to spend the first 24-72 hours figuring out what needs to be done.
The second step is to ensure existing cybersecurity tools and processes are working and up to date before announcing the M&A. For example, ask the following questions:
- Are appropriate security controls in place?
- Are those responsible well versed in cyberattack detection and remediation?
- Are processes in place to notify all employees that cybercriminals may be targeting the company's digital assets?
The reasoning behind this is to determine if any significant gaps need to be remediated before proceeding.
Don't present the company as a soft target. Be aware that the company may be on a criminal's radar screen. If possible, have all cyber defenses in place before going public with the merger. The merger press release may feel good, but if cybersecurity is substandard, it might be best to hold off until the companies are in a better cybersecurity position and have beefed up cyber defenses.
What steps can companies acquiring a new organization take to mitigate cyber threats?
Crowley: Those responsible should ask if there is a cybersecurity program in place and how the program measures up with an appropriate standard. Many companies have adopted the NIST Cybersecurity Framework or the CIS Controls standard.
Do they have a CISO in place or an equivalent CISO-as-a-service? If it appears that there has been limited investment in cybersecurity, they may want to have an assessment done before deal closure to determine what investments are required to mitigate cyber risk to the acquiring company.
What are the potential impacts of a cyberattack during an M&A?
Crowley: Some of the potential impacts would be loss of intellectual property that sets up a competitor, or a nasty surprise after the deal is complete that includes paying out a significant ransom, plus the associated costs of remediation, legal, staff time, and revenue loss, while trying to transition the company to new ownership.
Final thought
There are many things to consider during M&As, and working through a cyberattack should not be one of them. Having all parties prepared with regards to cybersecurity—before publicly announcing the merger or acquisition—should force cybercriminals to look elsewhere.