During the mergers and acquisitions process, thorough cybersecurity due diligence is vital. Ideally, the structure and governance of both companies should be as similar as possible to allow a more seamless integration of the security program of one company into another. This will also help to avoid a potential disaster – such as a breach or unknown data protection weakness – down the road that may destroy the financial security and reputational image of the company. Finding such structural and governance alignment upfront is alarmingly rare.
Consider the following fictitious example of an acquisition gone wrong:
Ajax Software was a start-up rising star in the e-commerce world. They created a solution that took the internet payments world by storm. Recognizing their growth and the need to expand operations, the owners sought a strategic partner to help grow their business. Attracted by Ajax’s existing market share and recognizing the synergy with their current web-based business, MegaWeb Corporation presented Ajax an acquisition offer. Owners of both companies agreed on the terms.
Prior to the acquisition, the secret to Ajax Software’s success was their proprietary, home-grown software platform and its simple integration with customer websites. With the acquisition complete, MegaWeb Corporation realized integrating Ajax’s systems into theirs would be the most effective way to help both companies scale and beat competitors.
Due to management, investor, and market pressures, MegaWeb Corporation conducted a shortened due diligence process to speed the acquisition. The next release of Ajax’s platform would bring much-requested features and address a market on which they wanted to rapidly capitalize. The acquisition process was completed, and the “Mega-Ajax” platform was released to great fanfare and success.
A year after the acquisition, a national news site published a story with headlines identifying Mega-Ajax as a victim of EvilX, an international crime syndicate that compromised Mega-Ajax’s customer account database and corporate systems. In the days and weeks following the article, customers reported their identities and credit card information had been stolen. Worse still, as Mega-Ajax began to respond to these claims, their corporate systems were shut down by a devastating ransomware attack.
The first key areas that our fictional company MegaWeb Corporation should have evaluated before finalizing the acquisition of Ajax Software are their cybersecurity structure and policies. Mature and effective security programs are governed by strong, well-informed leadership and concise, well-understood policies. These types of programs are enabled by full-time security professionals focused solely on the security of customer data and company systems vital for conducting business.
How did the Ajax Software leadership view cybersecurity?
Before any merger or acquisition, it is important to ensure that the cybersecurity functions of both organizations are given appropriate levels of attention and funding. This begins with leadership. Companies that support security objectives from the board and C-suite create a better security culture than those whose leadership view security as simply a check box and expense.
Had MegaWeb validated the level of attention and funding that the cybersecurity function at Ajax received from leadership, they would have seen that security was considered irrelevant and red flags would have gone up.
Did Ajax have a Chief Information Security Officer (CISO) or designated security authority?
Most companies in today’s world have some form of a cybersecurity program. But who prioritizes needs, decides to whom to delegate tasks, sets future goals, or champions security culture? In well-established cybersecurity programs, this person is the CISO or an equivalent role, while smaller firms may utilize a versatile, multi-hat individual such as a senior IT/ security leader. During the merger and acquisition process, MegaWeb Corporation should have verified that Ajax had appropriate security leadership, or at least a designated and sufficiently trained cybersecurity authority.
Companies that do not have a security leader who is tasked with prioritizing cybersecurity generally do not have well-defined security goals and standards. This can lead to unseen and unanticipated security gaps.
Did Ajax have proper cybersecurity staffing for the size of the company?
All departments within an organization compete for budget and resources; it is the nature of the corporate world. However, does a firm want to gamble with such a risk, knowing the potential consequences associated with a breach?
With Ajax, they risked losing customer payment data in this event. Therefore, it should have been essential for MegaWeb Corporation to examine the number of cybersecurity staff that Ajax employed.
Mature, well-functioning cybersecurity programs have a healthy number of staff, solely dedicated to the mission of protecting customer and employee data and company IT infrastructure. Requiring them to split time between security and other tasks (such as development) is common within start-up culture. This practice becomes riskier as a company matures and sales and market presence increase.
What exactly is considered a healthy number? Security teams should be staffed to ensure that organization objectives can be met without a large amount of backlog, and emergency and high-priority turnaround items are quickly addressed. Organizations unable to find the appropriate talent or expertise may consider the option of hiring contractors or a managed service provider to assist.
What cybersecurity policies were in place?
Policies are a vital part of a cybersecurity program and should set security criteria that is well-communicated and enforceable. These policies can stem from a broad, company-wide acceptable use policy for company workstations and devices, to a more granular exposure management policy for server administrators to ensure identified vulnerabilities are remediated in a timely fashion. Depending on the industry and the organization’s requirements, industry-leading standards and frameworks – such as NIST Cybersecurity Framework, CIS Top 20 Security Controls, ISO 27001 and 27002, or COBIT – should be applied.
MegaWeb Corporation should have examined Ajax’s current cybersecurity policies and conducted an audit or risk assessment to ensure that they matched operations in practice. Had MegaWeb Corporation not been satisfied, they could have ensured that Ajax addressed gaps or shortcomings before the acquisition or addressed their concerns as part of the integration plan. Ajax staff smoothly transitioning into what was expected as part of a mature security program would have brought peace of mind to MegaWeb.
What are the company’s critical assets?
Does the company and the cybersecurity function clearly understand the organization’s critical assets and data systems? How is this understanding incorporated into risk management decisions?
Depending on maturity level, most organizations should have conducted a risk or “crown jewel” assessment to identify their critical assets, data, and systems. Understanding these assets allows cybersecurity leaders to focus resources and priorities on the defense of what matters most, and building a cybersecurity program focused on strategies with the biggest impact and return on investment for organizational security. A clear understanding helps ensure business continuity and cyber risk management decisions are made with threat-informed intelligence and risk prioritization in mind. Companies that have not identified critical assets and systems are likely to be making poor risk-informed decisions; their defense strategy, tool sets, and resource prioritization are unfocused and have less impact on overall organizational security.
MegaWeb Corporation should have required Ajax to conduct a crown jewels assessment, list their critical assets, and outlined how their security programs were structured to protect them. If Ajax could not identify these assets, it would have indicated to MegaWeb that a deeper evaluation of security policies and procedures was needed prior to the companies’ systems integration. The vulnerabilities that later led to the breach would have been identified and patched before damage was done.
How was leadership kept “in the loop?”
It is important for leadership to drive cybersecurity within their organization. This begs the question: How do they evaluate the effectiveness of their efforts? What should MegaWeb Corporation have done within the cybersecurity program at Ajax before acquiring the company?
Within any mature cybersecurity program, leadership should require the CISO or equivalent role and the leaders within their organization to develop Key Performance Indicators (KPIs) that provide a holistic picture of the state of the program, as well as progress against future short- and long-term goals.
If Ajax had developed a security program, perhaps MegaWeb would have seen that Ajax was not remediating vulnerabilities in a timely fashion, or that their staff was susceptible to phishing. Perhaps Ajax was missing deadlines on implementing their new Security Event and Information Management (SEIM) tool to monitor their infrastructure? Objectives and timelines help leadership drive accountability and set goals, a requirement in the M&A process.
Much can be determined about an organization’s security posture and maturity by viewing their policies and structure. Had MegaWeb Corporation included cybersecurity in the due diligence process, they may have discovered that it was not an Ajax leadership priority and would have found that Ajax did not have a CISO or equivalent role driving security efforts forward. MegaWeb would have seen the poor security program that Ajax reported on vulnerability management and phishing susceptibility, and that developers were multi-tasking security efforts. While there is never a 100 percent guarantee within the cybersecurity world, MegaWeb would have been better off ensuring that Ajax had a strong cybersecurity structure, effective policies, and dedicated management.
To learn more, click the image below to view our guidebook “Avoiding Cybersecurity Risk Through Enhanced Due Diligence”