How to Ensure Cybersecurity Problems Don’t Lead to an M&A Flop

Multi-billionaire business magnate Warren Buffett knows a thing or two about the merger-and-acquisition (M&A) process – and his take is usually one of skepticism.

After all, it is Buffett who has famously said: “In the business world, the rear-view mirror is always clearer than the windshield.” Or, perhaps more apropos to M&As: a limping horse could be “peddled as Secretariat,” as he once wrote.

Aside from the obvious slop that has historically muddied the post-acquisition period – unrealistic vision, lack of execution, cultural snafus, unseen costs – a new screwball has emerged over recent years that has introduced what may be the most devastating scenario of all: that the business your company just paid a pretty penny for (and all of the intellectual property and other sensitive data that go along with it) may already have been compromised by digital adversaries.

The sky is the limit in terms of the security risk that a target company can present to its new parent, from questionable processes to unpatched vulnerabilities to active malware. And if an issue is discovered after the fact, you and your team are the ones the C-suite will come to for answers.

That said, one of the holdups you may experience as a security professional whose company is contemplating an acquisition is the level of indifference shown toward infosec during the due diligence process. Sometimes, even being aware of potential red flags won’t be enough to slow down impetuous business leaders and investment advisors eager to ink a deal.

But you’ll want to pump the brakes as best you can to ensure that, if some security-related problem comes back to haunt your organization in the future – and it has for some 40 percent of acquiring companies – you covered your bases before any checks were signed.

This is not only important so your business avoids a back-breaking breach and all the financial and reputational repercussions that come along with it, but also for the safety of your job.

So, what can you do to move beyond merely a surface-level vetting and come away with true operational visibility into the IT environment you are about to inherit? Here are three proactive approaches, which you can delegate to outside experts if your internal resource capabilities are lacking, to help assure you are procuring a superstar and not a dud.

1) Risk Assessments

The baseline of the IT security due diligence process involves evaluating the target company’s existing security policies and practices, helping you eye potential deficiencies and gaps.

2) Threat Hunts

Traditional and automated security monitoring tools can only take you so far. Threat hunting brings human-led curiosity, instinct and intelligence to the detection process and can uncover the presence of an attacker inside your environment, in addition to a multitude of other activities you don’t want happening across your databases, networks and applications.

3) Security Testing

Vulnerabilities ranging from poorly coded web applications to exploitable passwords to a user population with a propensity to click on things they shouldn’t can enable sophisticated adversaries to run amok across your organization. Enlisting a combination of automated scanning and deep-dive penetration testing for your infrastructure, which also must include “obscure or unknown assets,” can provide the most complete picture of the business you are planning to welcome into the family.

Once you sign off on the deal from a security perspective, your attentiveness will still be required during the transition and integration phases, where you’ll be called on to introduce a long-term strategy that will align with the security maturity goals of your company. This should include, among other things, continuous monitoring and sound incident readiness and response.
