Due diligence is a routine part of any acquisition. Buyers look at quality of earnings, intellectual property protections, pending litigation and other factors to verify that the company they’re acquiring is stable and able to hit the financial projections that support the economics of the deal.
Cybersecurity can often be overlooked in due diligence, but it’s a business risk and readily impacts the financial performance of a deal. Think back to when Verizon saved $350 million in its purchase of Yahoo because of Yahoo’s two data breaches that affected over 1 billion accounts.
And remember when Marriott acquired Starwood and only afterward discovered the Starwood reservation database had been breached? So far, the breach has cost Marriott $28 million. And now the company is looking at a $123 million fine from the U.K.'s Information Commissioner’s Office (ICO), resulting from the EU’s General Data Protection Regulation (GDPR).
Both of these examples form a clear argument in favor of performing cybersecurity due diligence before closing on a deal. Below are five due diligence cybersecurity best practices to guide you in your acquisition process.
1. Cybersecurity risk management assessment
One of the key parts of cybersecurity due diligence is to find out if your target organization has the basic blocking and tackling in place to prevent, detect and respond to cybersecurity incidents.
For example, Wipfli takes a look at 20 top areas of cybersecurity risk management to identify information assets and risks, like whether the organization has protective controls in place to restrict unauthorized access, or a process in place to identify suspicious events and evaluate them to see if they pose a real threat.
If the organization experiences an incident, do they have what they need in place to respond quickly and recover? Their response should limit exposure, involve the right authorities, take PR needs into account, be appropriate to regulations, and evaluate any potential legal course of action. Plus, they should have secure backups in place to recover from incidents like ransomware, which holds your data hostage.
2. Dark web scan
Sometimes organizations don’t know that they’ve been compromised. A dark web reconnaissance check finds out if things like proprietary information, customer data sets and credit card info, or employee password lists have already been compromised and are available on the dark web.
For example, after a government technology contractor that works with over 20 U.S. federal agencies experienced a data breach, the hacker put email correspondence and credentials for these government agencies up for sale on the dark web, opening the auction at six bitcoins ($60,000 USD at the time).
Going to the dark web can be dangerous, as it could open you up to attack, so it’s important to rely on an experienced third-party resource to perform this check safely and in a controlled way.
3. Open source intelligence gathering
It’s not just having experienced a cyberattack that makes an organization a risky acquisition. Certain practices can inadvertently disclose information that an attacker could use to plot an attack, therefore increasing the chances of experiencing a data breach — and open source intelligence gathering can find this risk in publicly available information.
Perhaps surprisingly, LinkedIn can be a big danger. Companies that post their technical architecture in IT job descriptions can inadvertently inform cybercriminals of things like what server operating systems or firewalls the organization uses. Organizations that post office documents to social media can also expose username formats within the metadata of the documents, or expose other information useful in planning an attack. In many cases, an entire org chart can be constructed based on LinkedIn accounts, and a clever attacker can marry this up with employee interests and activities from Facebook to craft a spear-phishing campaign. It’s important to perform open source intelligence gathering during the due diligence stage to further discover where an organization is vulnerable.
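An added example, not from the original article: a pre-publication check an organization could run on its own Office files to see what the core-properties metadata (docProps/core.xml) would disclose once the file is posted. The login-shape heuristic, the function names and the sample values are assumptions made here.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

NS = {
    "cp": "http://schemas.openxmlformats.org/package/2006/metadata/core-properties",
    "dc": "http://purl.org/dc/elements/1.1/",
}
# Fields in docProps/core.xml that commonly carry an account or person name.
IDENTITY_FIELDS = {"creator": "dc:creator", "lastModifiedBy": "cp:lastModifiedBy"}
# Heuristic (assumption): values shaped like a login, e.g. "jdoe" or "CORP\jdoe".
LOGIN_LIKE = re.compile(r"^(?:[A-Za-z0-9-]+\\)?[a-z][a-z0-9._-]{2,}$")


def identity_metadata(ooxml_bytes):
    """Return {field: value} for identity fields present in an OOXML file."""
    with zipfile.ZipFile(io.BytesIO(ooxml_bytes)) as zf:
        if "docProps/core.xml" not in zf.namelist():
            return {}
        root = ET.fromstring(zf.read("docProps/core.xml"))
    found = {}
    for name, path in IDENTITY_FIELDS.items():
        node = root.find(path, NS)
        if node is not None and node.text and node.text.strip():
            found[name] = node.text.strip()
    return found


def prepublication_findings(ooxml_bytes):
    """List (field, value, kind) entries to scrub before the file is posted."""
    findings = []
    for field, value in sorted(identity_metadata(ooxml_bytes).items()):
        kind = "login-style name" if LOGIN_LIKE.match(value) else "personal name"
        findings.append((field, value, kind))
    return findings


def build_sample(creator, modifier):
    """Constructed sample: a minimal package holding only core properties."""
    core = (
        '<cp:coreProperties xmlns:cp="%s" xmlns:dc="%s">'
        "<dc:creator>%s</dc:creator><cp:lastModifiedBy>%s</cp:lastModifiedBy>"
        "</cp:coreProperties>" % (NS["cp"], NS["dc"], creator, modifier)
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("docProps/core.xml", core)
    return buf.getvalue()
```

To check a real file, pass its bytes to prepublication_findings; any returned entry is a field to clear before the document leaves the organization.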
4. Vulnerability assessment
Speaking of vulnerabilities, a vulnerability assessment evaluates an organization’s computer infrastructure and identifies whether systems are patched and current or whether they will require large investments of time and money to bring up to date.
Computer systems involve many layers of hardware and software, from the operating system to application software. All of these have vulnerabilities inadvertently built into them that are only discovered after the product is released, which is why developers frequently release patches and new versions of the software. Whenever a vulnerability is discovered, it results in a patch.
Yet organizations struggle to keep their software patched. And some willingly choose not to apply patches out of fear that a patch could break something else in an integrated system they have set up so all their computers and applications can talk to each other.
But all this takes money to fix, and if you’re acquiring an organization, you may not want to acquire one that’s going to require millions to fix antiquated and unsecure infrastructure. Outdated computer systems definitely affect the multiplier.
5. Indicators of compromise assessment
An indicator of compromise is anything that suggests there are unauthorized users or activity within an organization’s network. Common indicators of compromise include traffic to known command and control servers or signatures of known malware variants. You can perform a compromise assessment to identify these indicators in the target organization’s network. If any are identified, that’s a strong indicator of an active attack that warrants further investigation. If there’s an active compromise in place, remediation, recovery and breach notification costs all need to be factored into the deal.
How are you managing your data room?
When talking about acquisitions, I’d be remiss if I didn’t mention the risk of data rooms. You have the acquiring organization, the target organization, the investment banker, the accounting firm and the insurance company all in an online data room where sensitive information is being exchanged. In my experience, most data rooms don’t restrict access to certain areas or documents on a need-to-know basis. But your investment banker doesn’t need access to IT and cybersecurity due diligence information. And IT personnel don’t need access to financial statements and earnings analyses.
When you give everyone permission to see everything, you increase the risk of information disclosure. And two things could happen: 1) a person with access could take information and sell it to a competitor or use it in an attack, or 2) they reuse their passwords across multiple systems, so if they’re compromised in one system, the attacker can now get into the data room and see everything.
It’s important to be skeptical of the need to put your most sensitive documents online. Make sure to manage user access and restrict access to certain areas and documents based on their need to know.