Cybersecurity is one of the last things on upper management’s radar during a merger or acquisition, but it should be one of the first considerations. “Companies that are being bought and sold are often prime targets for cyberattacks,” explained Jim Crowley, CEO of cybersecurity solutions provider Industrial Defender, during an email question-and-answer session. “However, by enacting Operational Technology security measures, organizations can avoid an exciting company milestone becoming an infrastructure and security nightmare.”
To learn more about this overlooked vulnerability, Crowley answered the following questions.
Why are cybercriminals targeting companies undergoing a merger or acquisition (M&A)?
Crowley: They are attacking these companies for the same reason people used to rob banks: it’s where the money is. If you sold a business to a large company or a private equity firm, they would have a lot more resources to pay up than if you were a smaller stand-alone organization without a strong balance sheet.
Something else to consider is the nature of M&A. New ownership and management teams transitioning in or out of their roles present opportunities for cybercriminals to attack while businesses are in this transitional phase.
Can you provide a detailed scenario of what this type of cyberattack would look like?
Crowley: Sure, a cyberattacker may be tracking M&A activity through publicly available information and then researching what level of defense the target has in place. It’s pretty simple via standard social-media tools to profile how many information-security people are on staff or what tools they may have in place. If it appears there is no infosec function, the company may be that soft target cybercriminals are seeking.
The cybercriminal could use a variety of methods to get into the network. A phishing attack via email is a pretty common and effective approach. Once they have found credentials to access systems, they can move around the networks and applications to determine where the most sensitive data is.
If it’s an intellectual property attack, they may steal product designs, pricing information or other sensitive business information and leave without anyone knowing there was a breach. In the case of ransomware, they will obtain access to sensitive files, encrypt them—so applications and business processes stop working—and demand a ransom payment from the company to regain access to the files.
Why aren’t more companies aware of the increased likelihood of a cyberattack during an M&A?
Crowley: It’s embarrassing to report this type of cybercrime. It could damage the company’s brand and customer relationships and put the business in a poor competitive situation when trying to merge a business or execute on a new ownership arrangement, so there is a reluctance to share the company’s “dirty laundry.”
What steps can businesses being acquired take to mitigate cyber threats?
Crowley: The first step, if it is not already in place, is to have an incident response plan. Having a checklist of who to call and what resources those responsible for cybersecurity will need to clean up the mess will help them get through the process faster and with less impact than if they need to spend the first 24-72 hours figuring out what needs to be done.
The second step is to ensure existing cybersecurity tools and processes are working and up to date before announcing the M&A. For example, ask the following questions:
- Are appropriate security controls in place?
- Are those responsible well versed in cyberattack detection and remediation?
- Are processes in place to notify all employees that cybercriminals may be targeting the company’s digital assets?
The reasoning behind this is to determine if any significant gaps need to be remediated before proceeding.
Don’t present the company as a soft target. Be aware that the company may be on a criminal’s radar screen. If possible, have all cyber defenses in place before going public with the merger. The merger press release may feel good, but if cybersecurity is substandard, it might be best to hold off until the companies are in a better cybersecurity position and have beefed up cyber defenses.
What steps can companies acquiring a new organization take to mitigate cyber threats?
Crowley: Those responsible should ask if there is a cybersecurity program in place and how the program measures up with an appropriate standard. Many companies have adopted the NIST Cybersecurity Framework or the CIS Controls standard.
Do they have a CISO in place or an equivalent CISO-as-a-service? If it appears that there has been limited investment in cybersecurity, they may want to have an assessment done before deal closure to determine what investments are required to mitigate cyber risk to the acquiring company.
What are the potential impacts of a cyberattack during an M&A?
Crowley: Some of the potential impacts would be loss of intellectual property that sets up a competitor, or a nasty surprise after the deal is complete that includes paying out a substantial ransom, plus the associated costs of remediation, legal, staff time, and revenue loss, while trying to transition the company to new ownership.
There are many things to consider during M&As, and working through a cyberattack should not be one of them. Having all parties prepared with regard to cybersecurity—before publicly announcing the merger or acquisition—should force cybercriminals to look elsewhere.