This year, the world has experienced a mergers and acquisitions boom. The first half of 2021 saw an “epic” number of deals struck around the world, followed by a “frenzied summer” of M&A activity. Figures released in September showed that global dealmaking has surged to a record high of $3.9 trillion of deals — and the year is not over yet.
However, this apparently positive economic news comes with a technological sting in the tail. M&As can be extremely dangerous from a cybersecurity perspective, with organizations that buy other companies forced to take on the problems, vulnerabilities and risk profile of the business they acquire.
It’s almost inevitable that some of the companies that took part in the tremendous post-pandemic M&A boom will be sitting on a timebomb thanks to data security issues with the businesses they recently snapped up. This means security teams and CISOs must be proactive, taking action now to shut down issues before problems occur.
The Data Dangers of Mergers
Whenever a company buys another, the process almost always involves integrating systems and transferring data. Many organizations perform what’s known as a “lift and shift” when merging two companies, simply taking the data and moving it onto their own servers. Unfortunately, this data is not always checked adequately and is often unstructured, which poses many risks. Some of the data could be exposed to employees and contractors who should not have access, for instance, increasing the possibility of insider threats. Mergers also tend to cause redundancies, so leaving sensitive data wide open puts a company at risk of being targeted by a disgruntled employee who has lost their job.
The data that organizations inherit during an M&A could also have broken permissions. This means some IT administrators have too much access — or even that the right people can’t see the information they need, which is much less of a risk but is still a drain on productivity. There could also be an issue caused by shadow admins, who have unauthorized privileged access acquired without the security team’s knowledge. These accounts can perform admin-level changes that can cause damage across an organization, making them a target for external attackers.
Even inactive user accounts can be a risk. For example, when a company performs a lift and shift, it could bring in many accounts belonging to former employees, including some privileged profiles. Again, these are targets for hackers, who gain increased access in a few moments if they manage to compromise these accounts.
Migrating data that has been categorized poorly, or simply categorized differently, is also a risk. M&A activity often results in the transfer and exposure of thousands, if not millions, of documents. Without a way to automatically categorize their contents, it’s impossible to know which documents are sensitive and include proprietary and confidential information. In the worst case, companies could face fines under the GDPR if they expose documents containing sensitive personally identifiable information (PII) that is protected under strict compliance regulations.
Finally, there is the risk that a company undergoing data migration has already been compromised, meaning its new owner is essentially inviting hackers into its inner sanctum and asking them to do their worst.
A Safe M&A Playbook
Gartner has described M&As as a “challenging transformation for an organization” — which is putting it mildly.
“The inability to manage the integration of cybersecurity practices poses its own risks,” it recommended. “Security and risk management leaders must ensure appropriate due diligence and consider cybersecurity implications across the process.”
The first stop for a CISO during a merger is establishing an M&A playbook that can be used again and again. This playbook should contain clear instructions on how to proceed with checking and migrating data, thereby reducing the cost and risk of M&A activity.
Ideally, CISOs should get involved at the very early stages of due diligence to assess whether the M&A could lead to a security breach or identify likely problems before they turn into major crises.
There are surface-level checks that can be carried out before migration. For example, does the company work using a zero trust model? Does it apply a policy of least privilege? How much PII is likely to be involved in the data transfer?
Data should be classified, particularly if it is stored in unstructured repositories such as email, cloud storage, and network-attached storage (NAS) devices. The classification process will reveal whether the company adequately manages sensitive information. It will also reveal the risk of a data breach or whether a breach has already taken place.
All accounts — particularly executive, service and privileged accounts — must be identified in order to highlight accounts that a hacker could use to steal data. The folder structure of data repositories should be crawled to examine permissions on each folder before removing excessive permissions and pinpointing over-exposed data. If possible, data should be locked down before the migration begins, using an audit strategy set out in the M&A playbook.
When the migration occurs — and for some time afterward — security teams should continue to monitor the new data and keep a close watch on privileged accounts. The arrival of a vast amount of new data in a company’s systems can dramatically increase the blast radius of a ransomware attack, making the incident more damaging and causing more problems. That’s why addressing the data dangers as soon as possible should be a fundamental part of the M&A process.
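The account review and permissions crawl described in the playbook steps above, as an added example that is not from the original article: a Python audit over constructed exports (an account list and a folder ACL listing; every user, path and group name is invented, and the 90-day idle threshold is an assumption) that lists enabled accounts nobody has used, privileged ones first, and sensitive folders that grant rights to a broad group.

```python
from datetime import datetime, timedelta

# Constructed sample exports (not real data): one row per account from a
# directory dump, one row per shared folder from a permissions crawl.
ACCOUNTS = [
    {"user": "svc_backup", "privileged": True, "enabled": True, "last_logon": "2021-09-20"},
    {"user": "jdoe_admin", "privileged": True, "enabled": True, "last_logon": "2021-02-11"},
    {"user": "asmith", "privileged": False, "enabled": True, "last_logon": "2021-10-01"},
    {"user": "old_contractor", "privileged": False, "enabled": True, "last_logon": "2020-12-03"},
    {"user": "left_2019", "privileged": True, "enabled": False, "last_logon": "2019-05-30"},
]
FOLDERS = [
    {"path": "/share/hr/payroll", "sensitive": True, "acl": {"HR-Staff": "RW", "Everyone": "R"}},
    {"path": "/share/eng/designs", "sensitive": True, "acl": {"Eng-Team": "RW", "Domain Users": "RW"}},
    {"path": "/share/public/brochures", "sensitive": False, "acl": {"Everyone": "R"}},
]
# Groups that effectively mean "every account in the domain"; any right granted
# to them on a sensitive folder is the over-exposure the playbook step hunts for.
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}


def stale_accounts(accounts, as_of, max_idle_days=90):
    """Enabled accounts with no logon within max_idle_days, privileged ones first.
    Disabled accounts are skipped: the urgent finding is an enabled account that
    nobody has used, above all a privileged one. The 90-day default is an assumption."""
    cutoff = as_of - timedelta(days=max_idle_days)
    ordered = sorted(accounts, key=lambda a: not a["privileged"])  # stable sort
    return [a["user"] for a in ordered
            if a["enabled"] and datetime.strptime(a["last_logon"], "%Y-%m-%d") < cutoff]


def over_exposed_folders(folders, broad_groups=BROAD_GROUPS):
    """Sensitive folders whose ACL grants any right to a broad group, returned as
    (path, [(group, right), ...]) so the reviewer sees which entry to remove."""
    findings = []
    for folder in folders:
        hits = sorted((g, r) for g, r in folder["acl"].items() if g in broad_groups)
        if folder["sensitive"] and hits:
            findings.append((folder["path"], hits))
    return findings


def audit(accounts=ACCOUNTS, folders=FOLDERS, as_of=datetime(2021, 10, 15)):
    """Both checks together: the findings list to clear before migration starts."""
    return {"stale_accounts": stale_accounts(accounts, as_of),
            "over_exposed_folders": over_exposed_folders(folders)}


if __name__ == "__main__":
    print(audit())
```

Real exports would come from the directory service and a filesystem crawl, and the broad-group set should be extended with any "all staff" groups the acquired company uses.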