.avif)
While most organizations perform IT due diligence when considering a potential merger or acquisition, many companies neglect cyber due diligence investigations. In practice, merging companies opens major vulnerabilities because transitional, patchwork systems create blind spots, which threat actors can exploit to infiltrate organizations, access sensitive data, and incur financial losses.
IBM found that more than one in three executives experienced data breaches during M&A activities. These can have significant impacts, especially if they involve publicly traded companies with media attention or violate data privacy regulations and disclosure laws. Perhaps the most publicized incident involved Verizon’s acquisition of Yahoo in 2017, uncovering previously undisclosed data breaches.
Besides the potential for data loss, when a company introduces new assets from a merger or acquisition, it also inherits the other company’s vulnerabilities. This can lead to overvaluation and extended costs for the acquirer as it scrambles to upgrade the other company’s security posture, which in turn affects the deal value or can cancel the deal altogether.
Similar visibility issues arise with subsidiaries. For example, there may be a reluctance to implement group policy at the local level, which can expose the larger organization, as the overall security posture is only as strong as the weakest link. Visibility into the attack surface and security posture of subsidiaries is vital for security teams to define unified directions for their group security program.
Whether undergoing M&A activities or not, businesses today commonly lack centralized IT infrastructures due to business expansion and partnerships. While this helps businesses take advantage of economies of scale, patchwork systems force security teams to graft various IT estates onto existing infrastructure and make it harder to manage the entire company’s attack surface.
Reducing Risk During M&A Activities
Before implementing new controls over acquisitions and subsidiaries, security teams must understand their companies’ ever-evolving digital infrastructures. Boards are increasingly asking “What is our exposure?” and CISOs should be able to understand the relevant risks at any given time, at a glance.
With any M&A, there are two categories of threat vectors to monitor. First, new external facing assets will bring new points of entry into the organization. During onboarding, the digital infrastructure may gain open ports, internet-facing assets, IoT devices with factory settings for usernames and passwords, and other vulnerable technologies.
Second, new internal attack paths emerge, which can lead attackers to sensitive data and assets. There will be new relationships between users and devices across the entire organization, and these additions may bypass existing security measures.
Additionally, during times of massive onboarding or when dealing with different points of contact at a subsidiary, employees can struggle to distinguish between friend and foe. Automated phishing emails to the entire workforce fall short of effective security awareness training. Social engineering attacks will leverage existing relationships and periods of transition to deliver believable calls to action.
The Power of Darktrace
Darktrace was built to help security leaders harden their defences and answer the question: “Where is the best place to spend my security resources?” Proactive risk reduction cannot be a one-time or yearly exercise, and PREVENT enables continuous, systematic monitoring that assists with both M&A due diligence and subsidiary security policies.
Darktrace / Attack Surface Management™ leverages AI to identify an organization’s entire external attack surface, using only the brand name as input. This gives security teams the ability to see their companies and subsidiaries through the eyes of an attacker, enhancing visibility and identifying vulnerabilities.
Customers can use ASM to research the attack surface of businesses they are acquiring as part of the cyber due diligence to identify strategic deal issues, hidden costs, and operational risk. After an acquisition, PREVENT/ASM can also identify IT heritage. Similarly, it can be used to monitor the attack surfaces of a company’s subsidiaries.
Darktrace / Proactive Exposure Management™ uses the AI’s understanding of an organization’s internal digital infrastructure to see how threat actors can move once they infiltrate, revealing possible attack paths and the most vulnerable junctures leading to critical assets.
Proactive Exposure Management helps identify how M&A integrations impact the digital infrastructure to ensure that no external employees, accounts, or devices are sitting on critical attack paths that lead to high-value assets. Proactive Exposure Management will also test existing security controls by emulating attacks to identify blind spots and pinpoint areas to prioritize risk-reduction efforts. To aid in security awareness training, Darktrace will craft sophisticated phishing emails to teach employees how to distinguish friend from foe.
Darktrace / Proactive Exposure Management provides visibility and hardening for systems inside and out to reduce risk surrounding M&As and subsidiaries. Since PREVENT’s monitoring is continuous, it enables security teams to stay informed throughout dynamic transitions. This continuity also builds risk-over-time reporting and audits, which are particularly useful if boards demand proof of value as they tighten budgets in the face of increasing operational costs.
