The M&A Blind Spot
By early December last year, global mergers and acquisitions (M&A) had reached an all-time peak of $4.304 trillion in 2015, surpassing a previous high of $4.296 that was set in 2007, according to the Wall Street Journal. Pfizer’s $160 billion merger with Allergan set the year’s record, followed by Anheuser-Busch InBev’s $110 billion takeover of SABMiller. Both of these made the $67 billion Dell deal to acquire EMC seem a bit paltry.
With heady outlays such as these, the stakes are enormously high. While perhaps not “make or break” moves for these companies, they are all strategic and highly important. Once such massive transactions are approved, a metaphoric clock begins to count down, spreading out a myriad of things that could go wrong. To some degree, nature seems to abhor M&A, and the chances for intended success might be quite small. Systems, data and other IT issues are important factors in the success or failure of a big M&A deal. According to a brief from McKinsey & Company, “Many mergers don’t live up to expectations, because they stumble upon the integration of technology and operations. But a well-planned strategy for IT integration can help mergers succeed.”
One overlooked area in the IT integration of merged or acquired companies is a blind spot: not knowing whether one firm may be connecting to another where a network intruder may have long been hidden, which would give that attacker easy access.
The industry “standard” for dwell time is still around five months, and even then 82% of network attacks are discovered by a third party, such as law enforcement or a financial organization, rather than the victimized organization. Less than 1% of enterprises today have the capability of finding an active attacker that is at work exploring their network and expanding their sphere of control in order to get to valuable assets. This means that the acquirer may be just as in the dark as the acquiree about whether or not intruders are currently in their networks. Some larger enterprises with big security operations teams may have the needed visibility to reasonably know if there is an active attacker on their network, but it is unlikely that the acquiree will have that same vantage.
The path may not be at all clear cut. It is possible that the acquiree is free from the work of active attackers at the moment, but one of its partners or contractors that has access to its network might already be compromised, perhaps through the theft of valid credentials. Many large-scale data breaches in 2015, such as the one at the Office of Personnel Management (OPM), were the result of a third party being compromised.
“You don’t know what you don’t know,” explains a senior security executive from a health care company that has been an active acquirer. “The thing that keeps security people up at night is what they don’t know. When you go into a new environment and are about to bring that company on to your network, there’s another thing that you don’t know.”
All of the stress and work overload that comes with the M&A process for IT may present cybercriminals the opportunity to have greater success thanks to an overworked security team with a correspondingly lesser ability for attentiveness. It also may provide more opportunities to hide. In addition, the state of pulling systems and networks together presents new opportunities for cybercriminals due to the magnitude of change.
Besides greater ease and opportunities, the M&A process itself may offer more attractive targets to cybercriminals. New reports and data sets that are readily available for the transition, including financial details, intellectual property, future plans, customer data and more, might offer irresistible targets for focused cybercriminals.
So what due diligence should now be a part of the M&A process for IT?
- First, it’s important to have a high level of certainty about your own network. Intrusion happens, so you need to know if a network attacker has circumvented preventative security and is at work on your network. The best way to have clear, line-of-sight visibility and a high level of assurance about intruders is through behavioral attack detection. Establish ongoing profiles for all users and devices on the network by ingesting full network data that is augmented by endpoint knowledge. From these, it’s possible to use machine learning to find multiple malicious anomalies that are likely connected and part of an active attack. To your own self be true. Know about intruders early, so that they can be eliminated.
- Insist on conducting the same behavioral attack detection in the acquiree’s network. If none is currently in place—which is the likely case since behavioral attack detection is still new and not extensively known—make sure it gets implemented. Pen and/or vulnerability testing is valuable to identify gaps in preventative security, but neither is a substitute for truly knowing if an attacker is lurking. Plan on a month’s time to run the profiling and determine any malicious anomalies. The same process should uncover any internal threats or even risky or unauthorized behavior.
- Force password resets across all clients, servers and accounts, including those that are cloud-based.
- Deny network access to third parties until they too can be cleared for any active network attackers.
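
The profiling step in the first two items, as an added example that is not taken from any product: it builds a per-device baseline from flow records, then flags devices that show several anomaly types at once. Fixed thresholds stand in for the machine learning the text mentions; the record layout, device names and thresholds are assumptions, and the flow records are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (day, device, destination, port, bytes sent)
BASELINE = [(d, "ws-014", dest, port, 2_000_000 + 10_000 * d)
            for d in range(1, 21) for dest, port in (("mail", 443), ("files", 445))]
BASELINE += [(d, "db-02", "app-01", 5432, 50_000_000) for d in range(1, 21)]
OBSERVED = [(21, "ws-014", f"srv-{i:02d}", 3389, 30_000_000) for i in range(12)]
OBSERVED += [(21, "db-02", "app-01", 5432, 50_000_000),
             (21, "db-02", "backup-01", 22, 1_000_000)]

def build_profiles(flows):
    """Per-device baseline: destinations seen, ports seen, bytes per day."""
    prof = defaultdict(lambda: {"dests": set(), "ports": set(),
                                "daily": defaultdict(int)})
    for day, dev, dest, port, nbytes in flows:
        prof[dev]["dests"].add(dest)
        prof[dev]["ports"].add(port)
        prof[dev]["daily"][day] += nbytes
    return prof

def anomalies(profile, flows, fanout=5, sigmas=3.0):
    """Anomaly types in one device's flows for a single observed day."""
    new_dests = {d for _, _, d, _, _ in flows} - profile["dests"]
    new_ports = {p for _, _, _, p, _ in flows} - profile["ports"]
    total = sum(b for *_, b in flows)
    daily = list(profile["daily"].values())
    # Floor the spread at 10% of the mean so a flat baseline is not over-sensitive.
    limit = mean(daily) + sigmas * max(pstdev(daily), 0.1 * mean(daily))
    found = set()
    if len(new_dests) >= fanout:
        found.add("fan_out_to_new_hosts")
    if new_ports:
        found.add("new_service_port")
    if total > limit:
        found.add("volume_spike")
    return found

def flag_devices(baseline, observed, min_types=2):
    """Devices with several anomaly types at once, plus devices never profiled."""
    prof = build_profiles(baseline)
    by_dev = defaultdict(list)
    for flow in observed:
        by_dev[flow[1]].append(flow)
    hits = {}
    for dev, flows in by_dev.items():
        found = anomalies(prof[dev], flows) if dev in prof else {"unprofiled_device"}
        if len(found) >= min_types or "unprofiled_device" in found:
            hits[dev] = found
    return hits
```

Here `ws-014` is flagged because three anomaly types coincide, while `db-02`, which only used one new port, is not; a device absent from the baseline is reported rather than silently skipped.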
With so much at stake and the odds against success, it is essential that detecting and stopping existing attackers be an integral part of IT due diligence for M&A.