5 cybersecurity due diligence best practices
- Buyers conducting due diligence before an acquisition risk financial losses if they fail to evaluate cybersecurity as part of the deal.
- Essential steps include assessing cybersecurity risk, dark web data leaks, infrastructure vulnerability and any systems access by unauthorized users.
- Buyers should also limit the sharing of sensitive information during the transaction, including to parties involved in the deal who don’t need to know.
Due diligence is a routine part of any acquisition. Buyers look at quality of earnings, intellectual property protections, pending litigation and other factors to verify if the company they’re acquiring is stable as well as able to hit financial projections that support the economics of the deal.
Cybersecurity can often be overlooked in due diligence, but it’s a business risk and readily impacts the financial performance of a deal. Think back to when Verizon saved $350 million in its purchase of Yahoo because of Yahoo’s two data breaches that affected over 1 billion accounts.
And remember when Marriott acquired Starwood and only afterward discovered the Starwood reservation database had been breached? So far, the breach has cost Marriott $28 million. And now the company is looking at a $123 million fine from the U.K.'s Information Commissioner’s Office (ICO), resulting from the EU’s General Data Protection Regulation (GDPR).
Both of these examples form a clear argument in favor of performing cybersecurity due diligence before closing on a deal. Below are five due diligence cybersecurity best practices to guide you in your acquisition process, incorporating modern threat intelligence and security vulnerability assessment techniques.
1. Cybersecurity risk management assessment
One of the key parts of cybersecurity due diligence is to find out if your target organization has the basic blocking and tackling in place to prevent, detect and respond to cybersecurity incidents. This involves assessing their ability to identify and mitigate potential threats from malicious actors and threat campaigns.
For example, Wipfli takes a look at 20 top areas of cybersecurity risk management to identify information assets and risks, like whether the organization has protective controls in place to restrict unauthorized access, or a process in place to identify suspicious events and evaluate them to see if they post a real threat.
If the organization experiences an incident, do they have what they need in place to respond quickly and recover? Their response should limit exposure, involve the right authorities, take PR needs into account, be appropriate to regulations, and evaluate any potential legal course of action. Plus, they should have secure backups in place to recover from incidents like ransomware, which hold your data hostage.
2. Dark web scan
Sometimes organizations don’t know that they’ve been compromised. A dark web reconnaissance check finds out if things like proprietary information, customer data sets and credit card info, or employee password lists have already been compromised and are available on the dark web.
For example, after a government technology contractor that works with over 20 U.S. federal agencies experienced a data breach, the hacker put email correspondence and credentials for these government agencies up for a sale on the dark web, opening the auction at six bitcoins ($60,000 USD at the time).
Going to the dark web can be dangerous, as it could open you up to attack, so it’s important to rely on an experienced third-party resource to perform this check safely and in a controlled way. Dark web monitoring software and services like Ahmia, which is a search engine for the Tor network, can be used to scan for exposed leaks and sensitive information without directly accessing potentially harmful content. Free dark web monitoring tools and best dark web monitoring services can also be employed to enhance the reconnaissance process.
3. Open source intelligence gathering
It’s not just having experienced a cyberattack that make an organization a risky acquisition. Certain practices can inadvertently disclose information that an attacker could use to plot an attack, therefore increasing the chances of experiencing a data breach — and open source intelligence gathering can find this risk publicly available information.
Perhaps surprisingly, LinkedIn can be a big danger. Companies that post their technical architecture in IT job descriptions can inadvertently inform cybercriminals of things like what server operating systems or firewalls the organization uses. Organizations that post office documents to social media can also expose username formats within the metadata of the documents or expose other information useful in planning an attack. In many cases, an entire org chart can be constructed based on LinkedIn accounts, and a clever attacker can marry this up with employee interests and activities from Facebook to craft a spear-phishing campaign. It’s important to perform open source intelligence gathering during the due diligence stage to further discover where an organization is vulnerable. OSINT techniques and osint online platforms can be invaluable in this process, allowing for the collection and analysis of publicly available information to assess potential security risks. Tools like Maltego, an osint platform, can be used to visualize and analyze the gathered intelligence.
4. Vulnerability assessment
Speaking of vulnerabilities, a vulnerability assessment evaluates an organization’s computer infrastructure and identifies whether systems are patched and current or whether they will require large investments of time and money to bring up to date. This process often involves the use of vulnerability scanners and network security scanners to identify potential weaknesses in the system.
Computer systems involve many layers of hardware and software, from the operating system to application software. All of these have vulnerabilities inadvertently built into them that are only discovered after the product is released, which is why developers frequently release patches and new versions of the software. Whenever a vulnerability is discovered, it results in a patch.
Yet organizations struggle to keep their software patched. And some willingly choose not to apply patches out of fear that a patch could break something else in an integrated system they have set up so all their computers and applications can talk to each other.
But all this takes money to fix, and if you’re acquiring an organization, you may not want to acquire one that’s going to require millions to fix antiquated and unsecure infrastructure. Outdated computer systems definitely affect the multiplier. Tools like ZAP (Zed Attack Proxy) and Nmap can be used to perform comprehensive vulnerability scans and identify potential security vulnerabilities in the target organization’s network infrastructure. Open source vulnerability scanners like OSV-Scanner can also be employed for thorough vulnerability management, especially in cloud infrastructure and container deployments.
5. Indicators of compromise assessment
An indicator of compromise is anything that suggests there are unauthorized users or activity within an organization’s network. Common indicators of compromise include traffic to known command and control servers or signatures of known malware variants. You can perform a compromise assessment to identify these indicators in the target organization’s network. If identified, it’s a strong indicator of an active attack that warrants further investigation. If there’s an active compromise in place, remediation, recovery and breach notification costs all need to be factored into the deal. This assessment is crucial in detecting ongoing malicious activities and potential threat campaigns targeting the organization. It's essential to be aware of the latest tactics used by threat actors to effectively identify and mitigate potential risks.
How are you managing your data room?
When talking about acquisitions, I’d be remiss if I didn’t mention the risk of data rooms. You have the acquiring organization, the target organization, the investment banker, the accounting firm and the insurance company all in an online data room where sensitive information is being exchanged. In my experience, most data rooms don’t restrict access to certain areas or documents based on a need-to-know basis. But your investment banker doesn’t need access to IT and cybersecurity due diligence information. And IT personnel don't need access to financial statements and earnings analyses.
When you give everyone permission to see everything, you increase the risk of information disclosure. And two things could happen: 1) a person with access could take information and sell it to a competitor or use it in an attack, or 2) they reuse their passwords across multiple systems, so if they’re compromised in one system, the attacker can now get into the data room and see everything.
It's important to be skeptical of the need to put your most sensitive documents online. Make sure to manage user access and restrict access to certain areas and documents based on their need to know. Consider implementing additional security measures, such as onion routing or using the Tor network for sensitive communications, to add an extra layer of protection against potential threats. Tools like TorBot can be used for secure digital asset accessing within the Tor network, ensuring enhanced privacy and security for sensitive data exchanges.
Get the most value out of your investment
If you need help performing any of the above, Wipfli can help. Click here to learn more about our cybersecurity solutions and services, or keep reading on in these articles:
