Cybersecurity is woven into the fabric of our daily lives at this point. It is thoroughly inescapable. We deal with it when we log in to our Internet banking, when we check our email and when we use our computers for work. However, cybersecurity is not something that is necessarily intuitive for the vast majority of people. That’s where the problems creep into scope. Much like walking in the dark towards the kitchen, there is the ever-present danger of a piece of Lego lurking in the carpet.
If we take the example of mergers and acquisitions (M&A), we can see where the proverbial gotchas can arise. No one wants to feel the searing pain shooting through their extremities when their footfall finds its target waiting there in the shag.
Those issues can really have a material impact on the financials of a potential M&A activity. This type of result was evident in the heavily documented Yahoo acquisition by Verizon in 2013. In that case, Yahoo was involved in significant data breaches leading up to its merger with Verizon, with the 2013 hack in particular affecting all three billion user accounts. The result was a haircut of roughly $320 million. Not the kind of news that anyone would want to hear.
While this is more of an outlier based on my conversations with several M&A specialists, it does still happen. The need here is layered. Overpayment risk, driven by potentially undisclosed incidents, technological debt and inflated security debt, can lead to a drain on CAPEX/OPEX to remedy the situation. As a cybersecurity professional dealing with M&A you need to be able, where possible, to proactively identify the risks in advance of any deal as part of the due diligence process. Deal friction can also materialize in the form of regulatory flags that could impede the progress of gaining approvals.
Then there is the matter of trust. This ranges from market trust, if one or both entities are publicly traded companies, to that of the individual customer trust, where people may “vote with their wallet” in the event they lose confidence in the company.
How do you work to avoid the sweet kiss of plastic building blocks? Well, there are steps that you can take that will go a long way to reducing the exposure risk. Let’s start off with the largest blast radius, which is identity and access management. SSO, as an example, is seldom ever wall-to-wall in its implementation. There need to be security controls in place that can help catch the outliers and the credentials for systems that cannot be added to SSO due to cost or technological limitations.
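As an added example (not code from the article or from 1Password), the following Python script reconciles a target company's application inventory against the applications federated in its IdP and the credentials held in a vault, so the outliers the paragraph describes surface as a list with the compensating controls they lack. The application names, field names, the 90-day rotation threshold and the review date are all constructed assumptions.

```python
from datetime import date

# Constructed review date and records; none of this is real company data.
AS_OF = date(2024, 6, 30)

# Applications federated to the IdP (e.g. SAML/OIDC), as exported from the IdP.
IDP_APPS = {"payroll", "crm", "wiki"}

# Full application inventory gathered during due diligence.
INVENTORY = [
    {"app": "payroll", "owner": "finance"},
    {"app": "crm", "owner": "sales"},
    {"app": "wiki", "owner": "eng"},
    {"app": "legacy-erp", "owner": "finance"},    # vendor offers no SSO
    {"app": "build-server", "owner": "eng"},      # local accounts only
    {"app": "ticketing", "owner": "support"},     # SSO deemed too costly
]

# Credentials managed in a shared vault for systems outside SSO.
VAULTED = {
    "legacy-erp": {"mfa": True, "last_rotated": "2024-06-01"},
    "ticketing": {"mfa": False, "last_rotated": "2023-01-01"},
}


def sso_gap_report(inventory, idp_apps, vaulted, as_of=AS_OF, max_age_days=90):
    """Return SSO coverage plus per-exception findings.

    An app that is not federated is an exception. An exception is acceptable only
    if its credential is vault-managed, protected by MFA and rotated within
    max_age_days; anything else is reported as a finding (assumed policy).
    """
    exceptions = [a["app"] for a in inventory if a["app"] not in idp_apps]
    coverage = (len(inventory) - len(exceptions)) / len(inventory) if inventory else 1.0

    findings = {}
    for app in exceptions:
        problems = []
        entry = vaulted.get(app)
        if entry is None:
            problems.append("no managed credential")
        else:
            if not entry["mfa"]:
                problems.append("no MFA")
            age = (as_of - date.fromisoformat(entry["last_rotated"])).days
            if age > max_age_days:
                problems.append(f"credential older than {max_age_days} days")
        findings[app] = problems

    return {"coverage": round(coverage, 2), "findings": findings}


if __name__ == "__main__":
    report = sso_gap_report(INVENTORY, IDP_APPS, VAULTED)
    print(f"SSO coverage: {report['coverage']:.0%}")
    for app, problems in report["findings"].items():
        status = "compensating controls in place" if not problems else "; ".join(problems)
        print(f"  {app}: {status}")
```

The exceptions with an empty findings list are the ones a reviewer can accept into a formal exceptions process; the rest are the credentials that need a control before Day 1.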
The second element is data protection and privacy. It’s important to create a data map that covers where PII/PCI/code et cetera may reside. It’s also important to highlight cross-border flows and data residency. This is especially important in light of the rise in global discussion and legislation tackling data sovereignty. From a privacy perspective, one would have to account for the lawful basis for processing, as well as deletion and retention of data.
The third aspect to focus on is SecOps and resilience. Do you have a 24-36 month incident history that is available to review? Building on this, it is important to measure SIEM logging completeness and mean time to repair (MTTR), which refers to the average time it takes to repair a system. Patch and vulnerability metrics should also be monitored, such as the critical backlog and an inventory of unsupported systems.
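As an added example (again not code from the article or from 1Password), this Python script computes the SecOps metrics the paragraph lists from a few constructed incident, asset and vulnerability records: the length of available incident history, MTTR, SIEM logging completeness, the critical backlog against a fix SLA, and the unsupported-system inventory. The record layout, the 24-hour silence threshold, the 15-day critical SLA and every date are assumptions made for the example.

```python
from datetime import date, datetime, timedelta
from statistics import mean

# Constructed review date and records; field names are assumed, not the article's.
AS_OF = datetime(2024, 6, 30)

INCIDENTS = [
    {"id": "INC-1", "opened": "2022-03-10T08:00", "repaired": "2022-03-10T14:00"},
    {"id": "INC-2", "opened": "2023-07-01T22:00", "repaired": "2023-07-03T10:00"},
    {"id": "INC-3", "opened": "2024-05-15T09:30", "repaired": "2024-05-15T12:30"},
    {"id": "INC-4", "opened": "2024-06-28T16:00", "repaired": None},  # still open
]

ASSETS = [
    {"host": "web-01", "siem_scope": True, "last_log_at": "2024-06-29T23:50", "eol": "2027-04-30"},
    {"host": "db-01", "siem_scope": True, "last_log_at": "2024-06-20T02:00", "eol": "2023-10-10"},
    {"host": "hr-app", "siem_scope": True, "last_log_at": None, "eol": "2024-06-01"},
    {"host": "lab-box", "siem_scope": False, "last_log_at": None, "eol": "2030-01-01"},
]

VULNS = [
    {"id": "V-1", "host": "web-01", "severity": "critical", "found": "2024-06-25", "fixed": None},
    {"id": "V-2", "host": "db-01", "severity": "critical", "found": "2024-04-01", "fixed": None},
    {"id": "V-3", "host": "hr-app", "severity": "critical", "found": "2024-05-01", "fixed": "2024-05-10"},
    {"id": "V-4", "host": "hr-app", "severity": "high", "found": "2024-01-01", "fixed": None},
    {"id": "V-5", "host": "hr-app", "severity": "critical", "found": "2024-06-10", "fixed": None},
]


def _ts(s):
    return datetime.fromisoformat(s) if s else None


def _d(s):
    return date.fromisoformat(s) if s else None


def incident_history_months(incidents, as_of=AS_OF):
    """Whole months between the earliest recorded incident and the review date."""
    first = min(_ts(i["opened"]) for i in incidents)
    months = (as_of.year - first.year) * 12 + (as_of.month - first.month)
    if as_of.day < first.day:
        months -= 1
    return months


def mttr_hours(incidents):
    """Mean time to repair in hours over incidents that have actually been repaired."""
    durations = [
        (_ts(i["repaired"]) - _ts(i["opened"])).total_seconds() / 3600
        for i in incidents if i["repaired"]
    ]
    return round(mean(durations), 2) if durations else None


def siem_completeness(assets, as_of=AS_OF, max_silence=timedelta(hours=24)):
    """Share of in-scope assets that logged to the SIEM recently, plus the silent ones."""
    in_scope = [a for a in assets if a["siem_scope"]]
    silent = [
        a["host"] for a in in_scope
        if a["last_log_at"] is None or as_of - _ts(a["last_log_at"]) > max_silence
    ]
    ratio = (len(in_scope) - len(silent)) / len(in_scope) if in_scope else 1.0
    return round(ratio, 3), silent


def critical_backlog(vulns, as_of=AS_OF, sla_days=15):
    """Open criticals, those past the fix SLA, and the age of the oldest one."""
    open_crit = [v for v in vulns if v["severity"] == "critical" and v["fixed"] is None]
    ages = {v["id"]: (as_of.date() - _d(v["found"])).days for v in open_crit}
    overdue = sorted(vid for vid, age in ages.items() if age > sla_days)
    return {"open": len(open_crit), "overdue": overdue, "oldest_days": max(ages.values(), default=0)}


def unsupported_systems(assets, as_of=AS_OF):
    """Hosts whose vendor end-of-life date has already passed."""
    return sorted(a["host"] for a in assets if _d(a["eol"]) < as_of.date())


if __name__ == "__main__":
    print("incident history (months):", incident_history_months(INCIDENTS))
    print("MTTR (hours):", mttr_hours(INCIDENTS))
    print("SIEM completeness, silent hosts:", siem_completeness(ASSETS))
    print("critical backlog:", critical_backlog(VULNS))
    print("unsupported systems:", unsupported_systems(ASSETS))
```

Each function returns a plain value so the numbers can be dropped straight into a diligence memo; the silent-host and overdue-vulnerability lists are the items that usually turn into remediation line items in the integration playbook.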
These items will help as inputs to a playbook for integration, assuming the deal then advances to that stage. An ounce of prevention and all that. With any M&A deal, time is of the essence. It is important to build an M&A “Day-1 pack” which covers IdP policies, MFA plan, password management, secret rotation runbook, device compliance baseline, and an exceptions process. We could dive deeper into the subject, but I will save that for another article.
I’ve always been of the opinion that you can pay $1 up front or $10,000 on the backend. Be sure to do the hard work early and be prepared in the event an M&A activity comes to pass, so that you’re not left metaphorically rolling around on the floor at 5 am thanks to the bite of a 2x2 Lego brick.
Dave Lewis is Head of the Special Operations & Engagements (SOE) team at 1Password, responsible for managing a team of high performers who conduct security research, develop content, run Security for AI special projects, and engage with the global CISO audience.