By Alastair Paterson, CEO and Co-Founder of Digital Shadows
Mergers and acquisitions (M&A) can
be exciting, offering companies a significant platform for growth. According to
the Deloitte M&A Index 2016, global M&A activity reached
record-breaking deal values in 2015 at over $4 trillion, with the resulting
deals expected to add $1.5 to $1.9 trillion in value to these companies.
But while mergers and acquisitions
propel companies forward, the M&A process also fuels significant
opportunities for cyber criminals. Failure to secure sensitive information
during this time opens the door to threat actors looking to profit by
exploiting financial markets and proprietary intellectual property (IP).
Let’s just take a closer look at the Middle East in terms
of its M&A activity. Middle East M&A activity recorded 75
deals worth US$29.9bn in 2016, jumping 2.3x by value compared to 2015 (71
deals, US$13.1bn). The oil and gas sector, along with the food and beverage,
transportation, technology and utilities and energy sectors had a high share of
cross-border transactions. The acquisitions by companies based
in Saudi Arabia followed by Qatar and UAE accounted for the majority of
overseas acquisitions with technology being the most active sector of
Middle Eastern M&A involvement. According to the prediction of
an A.T. Kearney
report, MENA and international M&A markets are expected to
continue to be active over the next 12 months. Combine that with
the explosion of big data and the prevalence of corporate data security
breaches, and the failure to evaluate cybersecurity risks can quickly turn a great
opportunity into an unmitigated failure.
Understanding the cyber risks present
along the M&A process is the first step toward mitigating the risk. While
each process will have its own nuances, all tend to follow five general stages.
Along each stage new risks emerge and advanced attackers, well-versed in
corporate espionage techniques, stand to profit. Here’s a brief look at each of
the stages and the types of risks and possible degradations in security posture
that may occur.
1. Preparation for acquisition and/or
valuation. Organizations are vulnerable to threats right from the start. Job
listings for positions that require corporate development or other
M&A-related experience, or activities like another round of funding or
other initiatives to boost the company in the eyes of deal makers, can be clues
that M&A activity is in the offing. Astute financial analysts may draw
their own conclusions based on activity and start to comment. Meanwhile,
sophisticated threat actors who have picked up the scent may target executives
typically involved in such activity through spear-phishing campaigns,
man-in-the-middle malware attacks, or simply unsecured wireless
Internet connections. Not only is the deal exposed earlier than intended, possibly
leading to a host of complications, but information gained can be highly
valuable to those with nefarious motivations.
2. Marketing. As companies move through the process
they may alter their marketing behaviors. To the public these marketing activities
may appear innocuous. But to a trained eye an identifiable pattern and
opportunity can emerge. A company slowing down its cycle of product
announcements or showing strength in profitability while quietly reducing staff
can raise suspicion. Employees who have lost their jobs may start to leak
information and further tip off cybercriminals who may launch spear-phishing
campaigns to confirm their suspicions and acquire valuable data.
3. Due diligence. This stage of the process can provide
executives with opportunities to gain significant insights to help reduce risk,
but it can also provide cybercriminals with significant opportunities to steal
data. The acquiring company has the chance to review the security and integrity
of the systems of the company they are merging with and understand how to
mitigate risk before finalizing the deal. At the same time, both companies may
experience an increase in spear-phishing attempts as attackers strive to take
advantage of a surge in data that changes hands during due diligence.
4. Negotiations, signing and
announcements. Organizations that lack social media policies, mobile device
management and endpoint protection may find data leaked inadvertently as the
end of the M&A process approaches. While all employees should be vigilant
at this stage, executives are particularly susceptible to leaking data. Poorly
secured personal devices and the use of public Wi-Fi to review documents while
on the road or in meetings provide bad actors with ample opportunity to steal
high-value data. Once the announcement is made, the doors will open even wider
and less sophisticated attackers will also try to profit or cause disruptions.
5. Waiting period and final merge. The main risk at this stage is from
employees who fear a job loss or change and may leak IP or other data. If an
attacker has established a foothold in a merging network, this is also an
optimal time to monitor communications and patiently wait for deeper access or
utilize that information for social engineering.
Clearly, vigilance is required at all
stages of the M&A process, as a failure to secure sensitive information
constitutes both a threat to the organization and an opportunity for bad
actors. Individuals’ behaviors, unintentional clues and vulnerabilities in
inherited network infrastructure and software can all open the door to cyber
risk. However, organizations armed with these insights can better understand
the threats they face and mitigate accordingly.
Given the value to be gained once the
companies are combined, it’s safe to say that ensuring successful integrations
will be a priority on boardroom agendas. Security, both during the M&A
process and after the deal is closed, will play a central role in positive
outcomes.