GUEST ESSAY: Addressing data leaks and other privacy, security exposures attendant to M&As
Merger and acquisition (M&A) activity hit record highs in 2021, and isn’t expected to slow down anytime soon.
Related: Stolen data used to target mobile services
Many attribute this steady growth to the increase in work-from-home models and adoption of cloud services since the beginning of the COVID-19 pandemic. Such consolidation across markets is good news for customers and vendors alike in terms of market growth and maximizing security investments.
Underlying all of this optimism, however, is the ever-present threat of cyberattack. The FBI recently issued a warning that ransomware gangs are targeting companies during “time-sensitive financial events”, such as mergers and acquisitions.
With ransomware attacks increasing year-over-year, we will continue to see this as a common attack vector. Going through an M&A is highly risky business due in large part to the potential impact on the market, valuation, shareholders, business partners, etc.
Townsend
And with technology playing a huge part in simplifying and enabling integration activities between two distinct organizations, it is these very systems that attackers are looking to exploit. This includes those vulnerabilities that exist in “systems of record”, like Active Directory (AD) – used by the majority of the Global Fortune 1000 companies.
At the same time, the acquired company needs to open access to critical systems in order to successfully transition all users and data into the acquiring company’s tech stack. Throughout this period, the risk level of the acquirer is much higher than the acquired company, creating a major cybersecurity gap as they merge their tech stack and security tools together.
So what are some of the specific security risks and challenges that organizations face and best practices to help close the cybersecurity gap in each stage? They can be divided into two categories:
Pre-Close Risks. This due diligence process should account for:
•Deal information exposure. Depending on the nature of the deal, a select number of employees will have knowledge about the deal before closing. These internal employees have access to sensitive information and as result, may intentionally or unintentionally leak confidential details which can compromise the deal altogether.
•Lack of documented evidence. A due diligence plan is only as good as the information you receive. With any M&A, there is always the “risk of the unknown”, such as an undisclosed breach or vulnerability, that could affect future viability. Fast-paced deals and lack of support from the acquired organization can also exacerbate these risks.
Zommer
Besides asking for more detailed documentation on past incidents and known system vulnerabilities, you should implement a zero trust security framework with an Identity & Access Management (IAM) solution. With IAM, you can get a clear picture of all login activity and add extra security controls around applications that store M&A data.
For instance, you can scope down access to specific users and roles via role-based access control (RBAC) and then add Multi-Factor Authentication (MFA) to verify each user is who they say they are.
This way, you automatically prevent unauthorized employees from accessing specific resources. By limiting access to M&A data, you prevent a potential leak of information from an unauthorized user in the first place.
Post-Close Risks. The transition process needs to account for:
•Data privacy, ownership, and governance. Lack of clear direction on data privacy and ownership can quickly snowball into a much larger compliance, customer retention, and incident handling issue. An unclear IT governance and accountability model across systems can lead to additional risk, making it much easier for a disgruntled employee to sell and/or share customer data or intellectual property without being detected.
•Hybrid Integration. Risk exposure is high during the transition phase for both organizations involved. Opening up networks to support the integration of new and legacy systems provides attackers with an opportunity to infiltrate systems and move horizontally within your environment to steal more data.
Leveraging IAM as part of a zero trust strategy allows you to control where corporate and customer data is stored and who has access to it at any given time.
And by adding security policies programmatically, you can more easily meet compliance regulations, such as placing MFA in front of applications – whether they are legacy, on-prem, or in the cloud. An advanced IAM platform also provides a rich set of APIs and developer tools that can help securely migrate users and data from one system to another without interruption.
Every stage of an M&A – from due diligence to close to integration – incurs a heightened level of security risk as attackers continue to find additional methods of extorting organizations to pay out a ransom. Your best defense is to build a strong security strategy and invest in tools that will help your IT & Security teams to manage and control the flow of information, ensuring cybersecurity gaps are minimized as much as possible.
About the essayists: Alicia Townsend is the Director of Content and Documentation at OneLogin; Ariel Zommer is a cybersecurity expert with 10-plus years of product marketing experience.
*** This is a Security Bloggers Network syndicated blog from The Last Watchdog authored by bacohido. Read the original post at: https://www.lastwatchdog.com/guest-essay-addressing-data-leaks-and-other-privacy-security-exposures-attendant-to-mas/
