Whether you like it or not, COVID-19 has caused an economic downturn that has left many mergers and acquisitions (M&A) in a state of uncertainty. In fact, according to Accenture, deal volume in the first half of 2020 dropped 49%, with deal value down 22% from the year before. This comes as no surprise, as companies are choosing to be more conservative and mindful of where each dollar goes. But when business must be done, is there a right or wrong way to conduct M&A business during a global pandemic?
Companies have taken both sides of the spectrum, whether that be to halt M&As altogether or to move forward with more flexible deal structures. Boeing, for example, walked away from its $4B deal to acquire Embraer in April 2020, while companies like Google have openly expressed their interests in pursuing acquisitions.
However, before jumping into any deal — pandemic or not — organizations of all sizes need to consider a full cybersecurity assessment before unwittingly inheriting a company’s cyber liability.
The cyber risk landscape has changed in recent months. Cybersecurity should be a top concern for organizations contemplating a merger or acquisition and should be given the same priority as any financial or legal consideration.
Let's take a look at a few strategies for evaluating target investments while taking into account the cyber risk factors introduced by COVID-19 and today’s new remote workforce:
Attack Surface Assessment
We first need to understand all of a company's assets and the risks those assets present. Let’s start with staff and the processes implemented to keep data protected. People are the most critical asset of a company, but, whether intentionally or not, they are also a company’s greatest risk, since each of them is a potential network entry point. Organizations need to ensure that their employees handle company data with full consideration for its security, whether through strict company procedures or effective security training across the board.
Furthermore, architectures are shifting so dynamically in today’s world that the only way to fully assess a company’s assets is through automation. Humans alone cannot accurately audit all the assets within a company, so we need automated tools to help us find them and where they reside — whether in the cloud, in traditional infrastructure, or on remote laptops. Only then will organizations be able to find and account for blind spots within their attack surfaces.
From this assessment we should then be able to explore the depth of the controls that have been put in place. Key signs to look for are whether a company has been the victim of a breach in the past and how frequently its networks have been exposed to bad actors. It’s also very important to know what kind of breach you’re dealing with. A case of stolen credentials is not as big a deal as, say, being a two-time victim of ransomware. The latter is a huge red flag, since a company hit twice could well be targeted again in the future.
Threat Intelligence Reporting
Keeping tabs on the latest industry threats is a great way for organizations to find hidden risks within their networks. By looking through the lens of the attacker, organizations can discover, investigate, prioritize and act on the greatest liabilities to the organization as a whole. Performing a full assessment of an organization using all available intelligence types, both closed source and open source, is crucial. This data can be used to understand how this organization, or organizations like it, have been targeted in the past. It can also provide insight into the tools and techniques being developed by attackers who have targeted that segment previously. Understanding these elements helps establish whether the controls in place today will still be effective tomorrow, and these key insights help an analyst determine the true nature of the risk presented by the business being considered in the transaction.
Avoid Inheriting Cyber Liability with Insurance
The top three obstacles to cyber insurance adoption are ‘Not understanding exposures’, ‘Not understanding coverage’ and ‘Cost’. So when a target company already has cyber insurance in place, that should be seen as a form of due diligence on its part. Cyber insurance due diligence is quickly becoming the “new normal” for buyers in M&A transactions as they seek to protect themselves against cyber risks.
Generally speaking, as with anything we insure, those who invest in their cyber resilience — for example through cyber insurance — can more often than not demonstrate that they are further along on the cybersecurity spectrum.
Having a standalone cyber insurance policy provides buyers with additional protection against unknown cyber risks. That being said, the acquiring company should first understand the policies the target has put in place, so as to best understand what is actually covered.
Review of Remote Architecture
When COVID-19 pushed many businesses into remote operation, many IT teams implemented remote technology at record speed to stay operational. But did they have cybersecurity in mind? With new terms like “Zoom Bombing” (though now addressed) making the rounds in the first few months of COVID, it’s important to look at how a company’s remote architecture has been set up.
With a potential second wave of remote work upon us, one that may look a bit more permanent, an assessment needs to be done of what IT leadership teams are doing to implement this remote environment. Is it a completely modern architecture, or did they put a bandage on a legacy architecture just to keep business going as the shift happened? Depending on the approach taken, a baseline risk-based assessment needs to be done. Normally this risk assessment would not be done in such an ad hoc mode, but in the current climate IT is under pressure to roll out new services to support the shift in business required to keep things operating smoothly.

On one hand, if you are moving to a wholly new architecture as a more permanent move, then a risk assessment against the new architecture makes sense. This process is well defined and new controls would be designed as part of it. The case where temporary adjustments are made represents the biggest risk. Technologies implemented at speed to support temporary changes in services or architecture are generally not deployed with security in mind. These services have also not undergone a risk assessment, and there is a good chance the organization has not implemented controls to help mitigate the risk associated with the new technology or service.
The diaspora of remote workers is changing the architecture of IT as we know it, and as companies adopt cloud technologies to support remote work, the manner in which those technologies are implemented needs to be a key focus. If there are signs that the remote architecture is lagging in cybersecurity, I’d be 100% wary of connecting the networks between companies.
By Brandon Hoffman, CISO, Netenrich