Cybersecurity is always low on upper management's priorities during a merger or acquisition, but it shouldn’t be. "Companies that are being bought and sold are often prime targets for cyberattacks," explained the CEO of cybersecurity solutions provider Industrial Defender, during a recent interview. "By enacting Operational Technology (and proactive cyber intelligence) security measures, organizations can avoid an exciting company milestone from becoming an infrastructure and security nightmare."
Red Sky Alliance has long collected malicious indicators to help corporations, not only in everyday business but also during high-emotion and often chaotic mergers and acquisitions (M&A). Below is a short list of questions a business needs to ask and answer before jumping into joining with another company.
- Why are cybercriminals targeting companies undergoing a merger or acquisition (M&A)?
Both state-level and criminal hackers are attacking these vulnerable companies for the same reason people used to rob banks: it's where the money is. Industrial Defender cautions that if you sold a business to a large company or a private equity firm, they would have a lot more resources to pay up than if you were a smaller stand-alone organization without a strong balance sheet.
Something else to consider is the nature of M&A. New ownership and management teams transitioning in or out of their roles present opportunities for cybercriminals to attack while businesses are in this transitional phase.
- Can you provide a detailed scenario of what this type of cyberattack would look like?
Criminal cyber-attackers are smart. They actively track ongoing M&A activity through publicly available information and then research what level of defense the target has in place. It is pretty simple, via standard social-media tools, to profile how many information-security people are on staff or what tools they may have in place. If it appears there is no infosec function, the company may be the soft target cybercriminals are seeking.
Cybercriminals often use numerous methods to get into the network. A phishing attack via email is a common and effective approach. Why? Because it works. Once they have found credentials to access systems, they can move around the networks and applications to determine where the most sensitive data is. Or they can lie in wait and attack at an opportune time, like when pen comes down to paper.
If it is an intellectual property attack, bad actors may steal product designs, pricing information or other sensitive business information and leave without anyone knowing there was a breach. In the case of ransomware, they will obtain access to sensitive files, encrypt them—so applications and business processes stop working—and demand a ransom payment from the company to regain access to the files. This will cause the M&A to come to a screeching halt.
- Why are not more companies aware of the increased likelihood of a cyberattack during an M&A?
It is embarrassing to report this type of cybercrime and could decrease the company’s value. It could damage the company brand, customer relationships and put the business in a poor competitive situation when trying to merge a business or execute on a new ownership arrangement, so there is a reluctance to share the company's "dirty laundry."
- What steps can businesses being acquired take to mitigate cyber threats?
The first step, if it is not already in place, is to have a preventative network posture, along with a proactive cyber intelligence program. Then they need to have a solid continuity of operations plan (COOP) which includes an incident response plan. Having a checklist of who to call and what resources those responsible for cybersecurity will need to clean up the mess will help them get through the process faster and with less impact than if they need to spend the first 24-72 hours figuring out what needs to be done. The best solution is to avoid an attack in the first place utilizing the following basic prevention steps:
- Are appropriate security controls in place, including a proactive cyber intelligence operation?
- Are those responsible well versed in cyberattack detection and remediation?
- Are processes in place to notify all employees that cybercriminals may be targeting the company's digital assets?
The reasoning behind these basic steps is to determine if any significant gaps need to be remediated ‘before’ proceeding into an M&A.
Never present your company as a soft target. Be aware that the company may be on a criminal's radar screen and must assume it is in their sights. If possible, have all cyber defenses and plans in place ‘before’ going public with the merger. The merger press release may feel good, but if cybersecurity is substandard, it might be best to hold off until the companies are in a better cybersecurity position and have beefed up cyber defenses.
- What steps can companies acquiring a new organization take to mitigate cyber threats?
All members of a company's C-suite must ask if there is a cybersecurity program in place and how the program measures up against an appropriate standard. Many companies have adopted the NIST Cybersecurity Framework or the CIS Controls standard. Do they have a CISO in place or an equivalent CISO-as-a-service? If it appears that there has been limited investment in cybersecurity, they may want to have an assessment conducted ‘before’ deal closure to determine what investments are required to mitigate cyber risk to the acquiring company.
- What are the potential impacts of a cyberattack during an M&A?
Impacts of a cyber-attack could be loss of intellectual property (IP) that sets up a competitor, or a nasty surprise after the deal is complete that includes paying out a substantial ransom, plus the associated costs of remediation, legal, staff time, and revenue loss, while trying to transition the company to new ownership.
There are many things to consider during M&As, and working through a cyberattack should not be one of them. Be prepared. The key word with M&As is BEFORE. Have a solid cybersecurity program, which includes proactive measures. Having all business divisions prepared with regard to cybersecurity BEFORE publicly announcing the merger or acquisition will force cybercriminals to look elsewhere.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization and can offer tools and support for a proactive cyber intelligence program. This will enable your CISO or virtual CISO to block (blacklist) attacks using the malicious indicators collected by our analysts. For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or firstname.lastname@example.org
Weekly Cyber Intelligence Briefings:
- Reporting: https://www.redskyalliance.org/
- Website: https://www.wapacklabs.com/
- LinkedIn: https://www.linkedin.com/company/64265941
REDSHORTS - Weekly Cyber Intelligence Briefings