Multi-billionaire business magnate Warren Buffett knows a thing or two about the merger-and-acquisition (M&A) process – and his take is usually one of skepticism.
After all, it is Buffett who has famously said: “In the business world, the rear-view mirror is always clearer than the windshield.” Or, perhaps more apropos to M&As: A limping horse could be “peddled as Secretariat,” as he once wrote.
Aside from the obvious slop that has historically muddied the post-acquisition period – unrealistic vision, lack of execution, cultural snafus, unseen costs – a new screwball has emerged in recent years, and it is potentially the most devastating scenario of all: the business your company just paid a pretty penny for (along with all of its intellectual property and other sensitive data) may already have been compromised by digital adversaries.
The sky is the limit in terms of the security risk that a target company can present to its new parent, from questionable processes to unpatched vulnerabilities to active malware already on its network. And if an issue is discovered after the fact, you and your team are the ones the C-suite will come to for answers.
One of the holdups you may experience as a security professional whose company is contemplating an acquisition is the indifference shown toward infosec during the due diligence process. Sometimes, even being aware of potential red flags won’t be enough to slow down impetuous business leaders and investment advisors eager to ink a deal.
But you’ll want to pump the brakes as best you can, so that if a security-related problem comes back to haunt your organization in the future – and it has for some 40 percent of acquiring companies – you can show you covered your bases before any checks were signed.
This is not only important so your business avoids a back-breaking breach and all the financial and reputational repercussions that come along with it, but also for the safety of your job.
So, what can you do to move beyond a surface-level vetting and come away with true operational visibility into the IT environment you are about to inherit? Here are three proactive approaches, any of which you can delegate to outside experts if your internal resources are lacking, to help ensure you are procuring a superstar and not a dud.
1) Risk Assessments
The baseline of the IT security due diligence process involves evaluating the target company’s existing security policies, controls and practices, helping you identify deficiencies and gaps before they become your own.
2) Threat Hunts
Traditional and automated security monitoring tools can only take you so far. Threat hunting brings human-led curiosity, instinct and intelligence to the detection process and can uncover an attacker already present inside the target’s environment, in addition to a multitude of other activities you don’t want happening across its databases, networks and applications.
3) Security Testing
Vulnerabilities ranging from poorly coded web applications to weak or reused passwords to a user population with a propensity to click on things they shouldn’t can enable sophisticated adversaries to run amok across an organization. Enlisting a combination of automated scanning and deep-dive penetration testing of the target’s infrastructure – which must also cover “obscure or unknown assets,” since an attacker will not limit themselves to the systems on the official inventory – provides the most complete picture of the business you are planning to welcome into the family.
Once you sign off on the deal from a security perspective, your attentiveness will still be required during the transition and integration phases, where you’ll be called on to introduce a long-term strategy that aligns the acquired business with the security maturity goals of your company. This should include, among other things, continuous monitoring and sound incident readiness and response.
Dan Kaplan is senior manager of online content at Trustwave and a former IT security reporter and editor.