There is always the risk that sensitive data will be exposed during mergers and acquisitions. Throughout the M&A process, you’re adding new ways for hackers to enter your systems, enabling them to access sensitive customer information. This is because the merging of companies usually results in an increase in the attack surface, therefore, increasing the number of unknown security risks the acquiring company is unaware of.

The numbers don’t lie. In 2019, the IBM Institute for Business Value surveyed 720 executives responsible for the M&A functions at acquiring organizations. More than 1 in 3 experienced data breaches that were attributed to M&A activity during integration. Almost 1 in 5 experienced such breaches post-integration. 

There are a number of mergers and acquisitions risks, including:

• Unsecured networks: If the company acquired has an unsecured network, this can give attackers access to sensitive data, potentially on both networks. Consequently, it’s essential to do a complete review of the infrastructure needed to run over their entire network. 
• Lack of security controls and increase in potential vulnerabilities:  There is a gap in the assessment of the involved entities’ information and cybersecurity postures, as well as the implied risks to the organization acquiring it. If the acquired company lacks adequate security controls, it can make it easier for attackers to exploit vulnerabilities and increase the risk that threat actors will seize the opportunity to attack.
• Increased attack surface: One of the biggest dangers of an M&A deal is the increased attack surface that comes with it. In M&A deals, companies’ networks and systems become interconnected, creating new opportunities for cybercriminals to exploit. Additionally, app security issues include unmaintained digital assets, cloud products and device web interfaces. This is why it’s critical for companies to have strong attack surface management strategies in place before entering into a merger or acquisition.

Undoubtedly, a poor cybersecurity posture can slow down the company’s acquisition process or create issues for organizations after the acquisition is completed. Even high-profile M&A transactions aren’t immune to cybersecurity incidents.

For example, data security incidents at Yahoo! were discovered before the completion of Verizon’s $4.83 billion acquisition, resulting in a $350 million reduction in the purchase price. Yahoo! was also liable for costs resulting from the incidents. Additionally, a few months after Paypal acquired TIO Networks in July 2017, PayPal suspended operations at TIO after an ongoing data breach was discovered by investigators impacting 1.6 M users. 

Google also joined the list of companies adversely affected by cybersecurity incidents after a major XXE issue was found, which may have given access to half a million Google+ users’ private data. Detectify security researcher Fredrik Almroth, who notified Google about the vulnerability, said in his report that Google paid a sum of $10,000, which is what the actual business cost would have been if an attacker had found it. 

If tech titans like Google, PayPal and Yahoo! can be a target, it’s easy to see why companies must develop an External Attack Surface Management (EASM) strategy when executing mergers or acquisitions. This strategy should include plans for securing all data, systems, and networks involved in the merger or acquisition. By taking these precautions, companies can help keep their data safe and secure.

How EASM helps with unknown unknowns

By addressing potential vulnerabilities, security teams can identify issues, often in production, and mitigate them before they are taken advantage of. 

A robust EASM programme entails businesses inventorying all digital and data assets to fully understand the security risk of merging or acquiring another corporation. Understanding these objects and keeping a detailed inventory of them allows full disclosure of the associated risks so your teams can make better decisions about how you prioritize resources.

Asset discovery and inventory

Acquiring companies should be asking: 

• What is the security program for the company we’re acquiring?
• What is the security maturity of the organization we’re acquiring? How do they operate?
• Do they have an inventory of their digital assets? Do they know how exposed their assets are?
• Do they monitor their assets for things like open ports, IPs, DNS?

Security as enablers, not blockers 

A good EASM solution allows you to segment parts of the attack surface to the appropriate team and those teams should be able to use the tool, as well as the API. 

Detectify played a key role in the security strategy during the M&As at Visma. “This is the main ROI when certain development teams get valuable information and can strengthen their security,” Catalin Curelaru, Security Triage Lead at Visma, said. 

Ultimately, when it comes to cyberattacks, the best offense is a good defense. By being aware of these common cyberattacks and putting strategies in place to protect against them, organizations signing an M&A deal can drastically reduce the likelihood of a breach. 

It is hard to keep up with the constant feed of new public vulnerabilities, possible misconfigurations and update vital services in a timely manner – especially when you’re not aware of the vulnerabilities and looming threats present on your or the other companies’ attack surface. Assuring service continuity is a very costly process, and not all vulnerabilities have the same level of criticality. EASM tools can help simplify this task by shining light on the presence of actually exploitable vulnerabilities on the perimeter. 

Detectify customers maximize value during M&A deals

While it is easy to make forward-looking plans on paper, the reality of implementing a successful security strategy during an M&A deal can be slow and frustrating.

When it comes to protecting the external attack surface or your web applications when merging with another company, you need a modern security toolbox that leverages crowdsourced security to help you continuously monitor and scan your assets for anomalies. 

Detectify Surface Monitoring and Application Scanning leverage the Crowdsource community of over 400 handpicked ethical hackers who monitor your inventory and dispatch alerts in real-time. See what Detectify will find in your attack surface with a free 2-week trial. Go hack yourself!