According to recent Thomson Reuters data, a rebounding global economy has led to more corporate merger and acquisition activity than at any other time in the past seven years. While many executives are undoubtedly eyeing lucrative deals, information security experts say most enterprises make the critical mistake of ignoring security when entering the M&A process.
Case in point, a recent edition of the ICS-CERT Monitor -- a quarterly newsletter issued by the Department of Homeland Security (DHS) Industrial Control Systems Cyber Emergency Response Team -- detailed an incident involving the compromise of a "large critical manufacturing organization by multiple sophisticated threat actors over a period of several months." An investigation of the breach by ICS-CERT uncovered evidence of compromised hosts, lateral movement across the company's network by attackers and compromised domain accounts.
What made the intrusion difficult to detect, ICS-CERT noted, was that the victim organization was a "conglomeration of multiple companies" resulting from a series of acquisitions. The subsequent computer network mergers that accompanied the corporate acquisitions led to the introduction of several network security weaknesses, while simultaneously reducing network visibility for the IT security team.
"The organization has over 100 entry/exit point connections to the Internet, complicating the implementation of network boundary protections," read the ICS-CERT Monitor. "In this situation, re-architecting the network is the best approach to ensure that the company has a consistent security posture across its wide enterprise."
Security oft forgotten in M&A process
While the ICS-CERT warning was limited to a single manufacturing organization, experts told SearchSecurity that it's a rare occurrence for information security to be considered during a corporate merger or acquisition.
Brian Honan, owner and CEO of Ireland-based BH Consulting Ltd., said that in his 25 years working in the security industry, he's come across countless situations similar to the one described by the ICS-CERT. Honan said it can be a particularly vexing challenge for large enterprises, as the difficulties involved in merging networks and corporate security cultures into a single environment can be overwhelming.
"If you're a larger company with a very mature information security management framework, and you're taking over a startup, for example, that startup may not have embedded security processes in place," said Honan. "If you're buying a software product, they may not have even done a security review of their application's code."
Shawn Henry, president of the services division for Irvine, Calif.-based CrowdStrike Inc. and former executive assistant director of the FBI, said that in both his private- and public-sector roles, he has emphasized the importance of conducting a thorough network security assessment as part of the M&A process.
On several occasions, Henry said, CrowdStrike experts have seen evidence that attackers are actively targeting enterprises involved in M&A deals. Those hackers, backed by the Chinese government, are particularly interested in any deals occurring between companies within the country.
Henry also noted that he has witnessed corporations complete deals based on the acquisition of valuable intellectual property, only to find that attackers have already compromised the IP and degraded the value of the acquired entity.
Still, despite repeated warnings and ample evidence illustrating the consequences of inaction, Henry said he's never seen a company thoroughly assess the security risks involved with M&A activity.
"Companies are acquired every single day and literally plug them into their own networks, but there is little to no assessment of their network security at all," said Henry. "To me, it's the equivalent of buying a house without having a termite inspection done. I don't know a lot of people [who] would do that, yet that's exactly what happens.
"I think that there is still a lot of reluctance, either because people don't sense it as a high priority," Henry added, "or perhaps they're not going to be around long enough to deal with the impact, and sometimes it's more important to beat the quarter than think long term."
For successful network mergers, consider security from the start
Though enterprises routinely ignore security when conducting M&A deals, both Henry and Honan expressed hope that recent high-profile security incidents like the data breaches at Target and Home Depot would generate more interest in security from executive boards. That would mean assessing the security of a potential M&A target from the beginning of any deal.
For a company doing the acquiring, Honan stressed that the CISO should be involved in any potential acquisition as soon as possible. The CISO should interface with executives to understand what valuables need to be protected when bringing a separate network on board, Honan said, and determine what new risks may be introduced by the acquired organization.
Honan said the most important factor to consider in such situations is whether the target has given due diligence to security. That may include the implementation of security technologies, he said, but more so, that the acquired company has properly assessed the value of its assets and put processes and staff in place to protect those assets.
"Is it their customer list? Is it their reputation? Is it their intellectual property? Have they got people that are properly trained in security?" Honan asked. "It's like going and buying a car. The dealer is going to tell you all the fantastic things that the car is, but you need to make sure someone checks out the engine, the undercarriage and the history of the car to make sure it hasn't been damaged or stolen. It's the same thing when you're vetting a company."
Henry agreed that security should play an integral role from the beginning of the process, and that companies should perform a complete network security assessment of any target prior to acquisition, including evaluating hardware, software, network architecture, how data is stored and the people and processes in place to protect that data.
Even in cases where an acquisition or merger has already gone through, there are still steps that organizations can take to ensure the security of the merging networks. In the case of the aforementioned manufacturing conglomerate, DHS advises similar organizations to immediately move to limit the number of Internet connections on the converged network -- a strategy that Henry considered to be a rudimentary but effective way to limit risk. The federal government has been working for many years to reduce its number of external Internet connections from 8,000 to fewer than 100 in order to limit potential points of ingress for attackers.
Organizations should also take stock, just as they would before an M&A deal, Henry said, by evaluating all the valuable IP and other assets in the newly combined entity. The measure should particularly extend to the network's architecture and the equipment being added to the environment, he noted.
"I've dealt with companies that have done acquisitions years in the past and they still don't have any idea what's out there," said Henry. "They don't know where whole subnets are on the network. There are boxes that are out there, servers that are out there, whole segments of networks out there that they don't have any visibility into because they've never done a thorough evaluation or assessment."
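One concrete form of the inventory Henry describes is to let the merged network tell you what is actually on it: export flow records from every router and firewall, then compare what they see against the subnet inventory the security team believes it owns and count how many distinct (device, interface) pairs are carrying traffic to the Internet. The script below is an added example, not code from the SearchSecurity article, ICS-CERT or CrowdStrike; the subnets, device names and NetFlow-style records are constructed sample data, and real deployments would read flows from a collector rather than from a list.

```python
import ipaddress
from collections import Counter

# Inventory of subnets the merged security team believes it owns.
# Constructed sample data, not taken from the ICS-CERT incident.
KNOWN_SUBNETS = [
    ipaddress.ip_network("10.10.0.0/16"),  # headquarters
    ipaddress.ip_network("10.20.0.0/16"),  # acquired company A, already documented
]

# Constructed NetFlow-style records exported by routers and firewalls:
# (source IP, destination IP, exporting device, output interface).
SAMPLE_FLOWS = [
    ("10.10.1.15",   "93.184.216.34", "hq-edge-fw",        "wan0"),
    ("10.20.5.9",    "93.184.216.34", "hq-edge-fw",        "wan0"),
    ("10.20.5.9",    "10.10.1.15",    "hq-core",           "vlan10"),
    ("10.20.5.40",   "151.101.1.69",  "site-a-old-router", "eth1"),   # acquired site kept its own uplink
    ("192.168.77.4", "104.16.0.1",    "site-b-dsl",        "ppp0"),   # subnet and uplink nobody inventoried
    ("172.16.3.2",   "10.20.5.9",     "hq-core",           "vlan30"), # unknown subnet reaching a known one
]


def is_known(ip: ipaddress.IPv4Address) -> bool:
    """True if the address falls inside a documented subnet."""
    return any(ip in net for net in KNOWN_SUBNETS)


def unknown_internal_subnets(flows, prefix=24):
    """Return the set of private /prefix networks seen as a source or destination
    that fall outside the documented inventory (the 'whole subnets' nobody knows about)."""
    found = set()
    for src, dst, _dev, _iface in flows:
        for raw in (src, dst):
            ip = ipaddress.ip_address(raw)
            if ip.is_private and not is_known(ip):
                net = ipaddress.ip_network(f"{ip}/{prefix}", strict=False)
                found.add(str(net))
    return found


def internet_egress_points(flows):
    """Count flows to globally routable destinations per (device, interface).
    Each key is one Internet entry/exit point that boundary controls must cover."""
    counts = Counter()
    for _src, dst, dev, iface in flows:
        if ipaddress.ip_address(dst).is_global:
            counts[(dev, iface)] += 1
    return dict(counts)


def visibility_report(flows):
    """Combine both checks into one structure for review or ticketing."""
    return {
        "unknown_subnets": sorted(unknown_internal_subnets(flows)),
        "egress_points": internet_egress_points(flows),
    }


if __name__ == "__main__":
    report = visibility_report(SAMPLE_FLOWS)
    print("Undocumented internal subnets:", report["unknown_subnets"])
    print("Internet egress points (device/interface -> flows):")
    for (dev, iface), n in sorted(report["egress_points"].items()):
        print(f"  {dev}/{iface}: {n}")
```

On the sample data the report surfaces two RFC 1918 subnets that are not in the inventory and three separate Internet egress points, two of them on equipment inherited from the acquired sites. Each undocumented subnet becomes an asset-discovery task, and each egress point beyond the one the security team intends to keep becomes a candidate for removal or for being routed through the monitored edge.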
Beyond managing threats, there are regulatory concerns when completing M&A deals. Read through this HIPAA compliance checklist to make sure your organization isn't running afoul of regulatory bodies during a merger.