M&As a hotbed for hackers and cybercriminals
22 July 2019, Written by David Simmons
With cybersecurity breaches now one of the most pressing threats to the sustainability of most Australian businesses, many are wondering how best to protect their operations.
Simple things like regularly changing passwords, and ensuring absolutely everybody changes them, can go a long way towards strong cybersecurity. Just see the case of Port Phillip Publishing for a riveting tale of how hackers can hop into your system without even being inside your building.
But there are certain periods where your business is especially vulnerable.
According to the Australian Cyber Security Centre (ACSC), mergers and acquisitions periods are hotbeds for cyber-criminal activity.
"In short periods of time new relationships need to be established, new business processes need to be integrated and systems need to be stood up, merged, relocated and decommissioned as capabilities are moved and consolidated," says ACSC in its Mergers, Acquisitions and Machinery of Government Changes research paper published in July 2019.
One of the major cyber security threats during M&A periods isn't the systems themselves, but the people operating them.
"During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they don't know, and cannot easily verify the identity and authority of. Adversaries use this pressure to increase the likelihood of successfully using techniques such as business email compromise and CXO impersonation," says ACSC.
"The problem is further exacerbated if the organisations participating in major organisational change are geographically separated, even more so if the separation crosses national borders or cultural boundaries."
Another hurdle for businesses undertaking a major merger or acquisition is the modern problem of data.
Businesses are now built on data, numbers, files and facts, and these sensitive, company-owned data files are integral to the success of companies as a whole.
ACSC's advice for data migration during M&A is to ensure that the new location for the migrated data is secure, that trusted staff are used to oversee the transfer, and to use approved checks and balances to ensure that data has not been compromised or corrupted during the transfer process.
Once transferred, ACSC says that organisations will then need to consider who will become the new system owner of the migrated systems.
"They will also need to consider who will accept the security risks before authorising the operation of the system in accordance with the organisation's cyber security framework, including any additional security risks and technical debt resulting from the migration," says ACSC.
ACSC's position on M&A and the risks entailed is reflected by Forescout's global M&A cybersecurity risk survey.
According to the survey, 53 per cent of respondents report that their organisation has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal in jeopardy.
After closing the acquisition, 65 per cent experienced buyers' remorse, regretting the deal due to cybersecurity concerns.
Forescout's chief technology officer Julie Cullivan says M&A can be a potential 'trojan horse'.
"Cybersecurity assessments need to play a greater role in M&A due diligence to avoid 'buying a breach.' It's nearly impossible to assess every asset before signing a deal, but it's important to perform cyber due diligence prior to the acquisition and continually throughout the integration process," says Cullivan.
The survey also found that only 37 per cent of IT decision makers at companies strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to lack of resources, organisations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.
LandMark White is one company that has recently been through the wringer, and on Friday came out the other end posting a $15 million loss on the back of two periods of suspension from its major clients following two widely publicised data breaches.
As part of LandMark White's commitment to upholding stringent cybersecurity measures following these two breaches, the group has turned to ACSC's 'The Essential Eight': eight baseline strategies that make it harder for adversaries to compromise systems.
The Essential Eight are summarised below:
Business News Australia