We are witnessing a tremendous wave of mergers and acquisitions involving companies of all sizes. In the first half of 2021, an “epic” number of transactions were completed worldwide, followed by a “rapid summer” of numerous M&A activities. Figures published in September show that global mergers and acquisitions have risen to a record $3.9 trillion. However, this seemingly positive economic news comes with a technological catch: mergers and acquisitions can be extremely dangerous from a cybersecurity perspective. Companies don’t just buy another company; they also take on its security problems, vulnerabilities and risk profile. Accordingly, it is not unlikely that numerous companies are currently sitting on ticking time bombs. As a result, security teams and CISOs must be proactive and fix problems before they turn into incidents.
The Data Risks In Mergers
When one company buys another, the process almost always involves integrating systems and transferring data. When two companies merge, many carry out a “lift and shift” procedure in which the data is simply moved onto the acquirer’s servers. Unfortunately, this data is not always adequately audited and is often unstructured and unclassified, which poses many risks. For example, some data could be exposed to employees and contractors who should not have access, increasing the risk of insider threats. If you consider that mergers often involve restructuring, the risk becomes clear: If employees who are, for example, about to be released from their duties have extensive access rights, they may be tempted to
Another challenge is files whose permissions are broken during the takeover process and thus become invalid. As a result, administrators or users can have too much access while other employees cannot access necessary data. Although the latter does not pose a security risk, it impairs productivity. Shadow administrators who have obtained unauthorized privileged access without the security team’s knowledge are also problematic in this context. These accounts can make admin-level changes and cause tremendous damage. This makes them a popular target for external attackers.
Inactive user accounts can also pose a risk. If a company transfers data and user accounts using a lift-and-shift approach, many accounts of former employees are often carried over as well, sometimes including privileged user accounts. These are also preferred targets for attackers: If they succeed in compromising just one of these accounts, they gain extensive access rights – without anyone noticing.
Migrating data that has been insufficiently or incorrectly categorized poses a very high risk. Mergers and acquisitions often involve the transfer and release of thousands, if not millions, of documents. Without a way to automatically categorize their content, it’s impossible to know which documents are sensitive and contain proprietary or confidential information. As a result, companies face fines under the General Data Protection Regulation (GDPR) if they disclose sensitive personal data documents.
Finally, there is the added risk that a company undergoing data migration has already been compromised. In that case, the new owner invites the attackers into its inner sanctum (its own infrastructure). Some of the most prominent data breaches in recent years stem from exactly this. The attackers had been in Starwood’s systems since 2014, before Marriott took over the company in 2016 and thereby imported the intrusion. The consequences were devastating: Several hundred million data records were disclosed. Not only was the company’s reputation permanently damaged; Marriott also had to pay a fine of 20.4 million euros for violating the GDPR.
How The (Data) Merger Can Succeed Safely
Gartner describes mergers and acquisitions as a “challenging transformation for an organization”: “The inability to manage the integration of cybersecurity practices comes with its risks,” the analysts note. “Security and risk management leaders must ensure proper due diligence and consider cybersecurity implications throughout the process.”
The first step for a CISO in a merger is to create an M&A playbook that can be used repeatedly. This playbook should provide clear guidance on reviewing and migrating data to reduce the cost and risk of M&A.
Ideally, CISOs should be involved early in the due diligence process. This allows them to assess whether the mergers and acquisitions will result in a security breach while identifying potential problems before they escalate into more significant crises.
General checks should be carried out before the migration: For example, is the acquired company already working according to the Zero Trust model? In other words, is a least-privilege approach in place? How much personal data is likely to be included in the data transfer?
The “inherited” data should be classified, especially when stored in unstructured storage such as email, cloud storage, and NAS devices. The classification process provides insight into whether the organization appropriately manages sensitive information. It also clarifies the risk of a data breach and shows whether a security breach has already occurred.
All user accounts must be inventoried in order to identify those an attacker could use to steal data. This is especially true for executive accounts, service accounts, and other privileged accounts. In addition, the folder structure of the data stores should be analyzed to verify the permissions on each folder, remove overly broad permissions, and identify overly exposed data. Data should be locked down before the migration begins, using the audit strategy outlined in the M&A playbook.
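The account and folder checks described above (and the inactive-account problem raised earlier in the article) lend themselves to a scripted pre-migration audit. The following is an added example, not code from the article: it runs over a constructed inventory of accounts and folder ACLs (all names, paths, group names and dates are made up for illustration) and flags inactive accounts, privileged accounts that need review, and folders where broad groups such as "Everyone" or "Domain Users" hold write access or can read data the classification step marked as sensitive.

```python
"""Pre-migration account and permission audit over a constructed inventory.

Added example (not from the article): flags the account and folder conditions
the text warns about before inherited data is lifted into the acquirer's
environment. All accounts, folders and group names below are constructed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Principals that grant access to (almost) every user; write access for them
# is the "overly broad permission" the text says to remove before migration.
BROAD_PRINCIPALS = {"Everyone", "Authenticated Users", "Domain Users"}
WRITE_RIGHTS = {"write", "modify", "full"}


@dataclass
class Account:
    name: str
    privileged: bool                 # member of an admin or service role
    enabled: bool
    last_logon: Optional[date]       # None = never logged on


@dataclass
class Folder:
    path: str
    sensitive: bool                  # result of the classification step
    acl: dict = field(default_factory=dict)  # principal -> right


def find_risky_accounts(accounts, today, inactive_days=90):
    """Return (name, reason) findings for inactive and privileged accounts."""
    cutoff = today - timedelta(days=inactive_days)
    findings = []
    for a in accounts:
        if not a.enabled:
            continue  # already locked down; nothing to flag
        inactive = a.last_logon is None or a.last_logon < cutoff
        if inactive and a.privileged:
            findings.append((a.name, "inactive privileged account: disable before migration"))
        elif inactive:
            findings.append((a.name, "inactive account: disable or remove"))
        elif a.privileged:
            findings.append((a.name, "privileged account: review and monitor after migration"))
    return findings


def find_overexposed_folders(folders):
    """Return (path, reason) findings for broad write access or exposed sensitive data."""
    findings = []
    for f in folders:
        for principal, right in f.acl.items():
            if principal not in BROAD_PRINCIPALS:
                continue
            if right in WRITE_RIGHTS:
                findings.append((f.path, f"{principal} has {right}: remove broad write access"))
            elif f.sensitive:
                findings.append((f.path, f"{principal} can read sensitive data: restrict access"))
    return findings


def audit(accounts, folders, today):
    """Combine both checks into one report keyed by section."""
    return {
        "accounts": find_risky_accounts(accounts, today),
        "folders": find_overexposed_folders(folders),
    }


# Constructed sample inventory (hypothetical names, paths and dates)
TODAY = date(2021, 10, 1)
SAMPLE_ACCOUNTS = [
    Account("j.doe", privileged=False, enabled=True, last_logon=date(2021, 9, 28)),
    Account("svc_backup", privileged=True, enabled=True, last_logon=date(2021, 3, 2)),
    Account("old.contractor", privileged=False, enabled=True, last_logon=None),
    Account("it.admin", privileged=True, enabled=True, last_logon=date(2021, 9, 30)),
    Account("left.2019", privileged=True, enabled=False, last_logon=date(2019, 5, 1)),
]
SAMPLE_FOLDERS = [
    Folder(r"\\fs01\finance\payroll", sensitive=True,
           acl={"Domain Users": "read", "FinanceTeam": "modify"}),
    Folder(r"\\fs01\public", sensitive=False, acl={"Everyone": "modify"}),
    Folder(r"\\fs01\hr\contracts", sensitive=True, acl={"HR": "modify"}),
]

if __name__ == "__main__":
    for section, items in audit(SAMPLE_ACCOUNTS, SAMPLE_FOLDERS, TODAY).items():
        print(section)
        for name, reason in items:
            print(f"  {name}: {reason}")
```

In a real engagement the inventory would come from the directory service and file-server ACL exports of the acquired company; the thresholds (90 days of inactivity, the set of broad principals) are the knobs a playbook should fix in advance so the same audit can be repeated for every acquisition.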
Even after the migration, those responsible for security should continue to monitor the new data, paying particular attention to privileged accounts. The ingestion of a large amount of new data into an organization’s systems can dramatically increase the blast radius of a ransomware attack, causing devastating damage. In this way, company takeovers can quickly become significantly more expensive – not to mention damage to reputation. Therefore, eliminating data risk as soon as possible should be an essential part of any M&A process.