Last year was a record breaking year for M&A activity, with an estimated total M&A volume approaching $5 trillion, and 2019 appears to be on a similar pace. Acquisitions are an exciting time for employees, an exhausting time for planners and diligence teams, and a risky time for information security teams tasked with ensuring the safety of the enterprise through a period of rapid changes.
In recent years, companies have not only acquired the assets they expected in the transaction, but also unexpected and expensive exposure to breaches which were not yet discovered -- and other infosec-related risks.
Furthermore, adversaries have targeted smaller companies that have been acquired to ultimately provide them access to very sensitive data at the acquiring company once the integration of the two companies’ IT infrastructure began. These are some best practices that we have observed as infosec teams work through acquisitions.
Diligence Phase:
Step one for Infosec teams is to ensure they have a seat at the table helping the business to quantify and reduce risk in any potential acquisition. That means involvement in the diligence phase of the acquisition. While the infosec team’s diligence will never provide perfect visibility into every potential threat, it is the best hope of detecting a security program that isn’t reducing risk to a level assumed by the acquirer.
The team can communicate potential costs, such as additional headcount that needs to be added to the team to bring the joint company within acceptable risk levels. It is important for the diligence team to keep an open mind. The infosec team from the company that is being acquired will likely have some ideas and best practices that are better than the parent company, and it is important to consider those with an open mind.
After the Acquisition is Announced:
Employees can expect to receive legitimate emails from new external contacts as the two companies begin to communicate more frequently. This is to be expected...and attackers know it! This can lead to a heightened risk of phishing during acquisitions, as users are less likely to be suspicious of external emails related to the acquisition and business as usual processes are more likely to change.
This is a great time for infosec to remind employees of continuing to exercise good cyber hygiene and skepticism of external emails with user education.
Access Phase:
It is recommended that IT teams have a plan in place to onboard new employees joining as the result of an acquisition. Specifically, it is important to have a plan for providing the appropriate level of access for new employees to corporate apps required for them to be productive.
Some organizations that make frequent acquisitions have a plan that spans the diligence phase all the way to the process of integrating corporate IT assets. There is probably more risk for organizations who engage in less frequent acquisitions, because they are less likely to have a pre-existing plan that has been informed by previous experience.
There is a strong desire to welcome new employees from the acquired company and promptly provide them with access to corporate applications they need to do their job. This pressure can lead to increased risk if the acquired company doesn’t have the same level of security maturity, potentially providing an adversary with an easier path to assets at the parent company.
The integration challenges don’t end there. I’ve spoken with friends who’ve been issued two laptops and three VPN clients from different vendors in the aftermath of a series of acquisitions as IT works to provide access to applications used by the companies coming together in the acquisition. Furthermore, if access to private/trusted networks is extended as part of the architecture, planners must contend with overlapping use of Private (RFC 1918) IP space by the formerly separate companies. Complexity translates into more risk, so the simpler access architectures should reduce overall risk.
New architectures for securing access to corporate applications have made it safer and easier to provide employees with precision access to only the apps they require without extending access to trusted internal network segments. We’ve seen these Zero Trust Access architectures dramatically simplify the IT integration that follows an acquisition.
In these approaches, employees connect to an Identity Aware Proxy, which authenticates them and provides indirect access to a set of corporate applications limited by least-privilege provisioning and a default deny security posture. At no time is the user granted access to a private/trusted network in this architecture, thereby eliminating many of the traditional challenges that IT must overcome during integration.
Lessons Learned Phase:
Like all sizeable projects, it makes sense to reflect at the completion of an acquisition and integration effort. This will give the opportunity to highlight what worked well and areas where the plan can be improved for the next acquisition and integration. Many of your lessons learned, such as the new ways of granting per-application access instead of network access, will come from these exercises.
The trends driving high levels of mergers, acquisitions, divestitures, and other corporate events show no signs of changing any time soon. The risks and infosec-related challenges facing the business as part of these events are becoming more clear with each passing year.
At the same time, infosec teams are taking the opportunity to apply new access models to reduce some of these risks while at the same time reducing the complexity of their architecture.