M&A Network Security Due Diligence

Everyone knows that merging two companies is all about due diligence! When companies do mergers and acquisitions, most of the due diligence is still around financials and legal risks, and in many cases intellectual property. What I don’t see is companies focusing on cyber and information security due diligence by digging deeper into whether the company they are acquiring has already suffered a breach or a compromise.

In 2017 Avast had a nasty surprise when it acquired Piriform. Hackers had compromised its CCleaner application, which ultimately led to 2.27 million downloads of the corrupt CCleaner version, putting millions of users at risk. In 2018, Marriott merged with Starwood, where hackers had had access to over 500 million customers’ data because of a security breach of Starwood’s network.

These cases will undoubtedly change merger and acquisition processes from now on, or at least they should. If those companies had included a focus on cyber and information security during their due diligence, I’m sure they would have been able to find at least some indication that things were amiss.

When merging any two networks, even internal ones, there is a need to catalog and inventory the assets on both sides; Open Audit is a good start. Also, the ISO/IEC 19770 Information Technology – IT Asset Management standard series will considerably improve accountability in a trust-but-verify approach.
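As an added illustration of the trust-but-verify step (this is example code written for this post, not part of Open Audit or the ISO/IEC 19770 series), the script below reconciles two declared asset inventories against a discovery scan of the network being acquired. All hostnames, IP addresses and subnets are constructed sample data, and the inventory format is an assumption; a real run would read exports from whatever asset-management tool each side uses. It reports overlapping address space (which has to be renumbered or NATed before the networks touch), hostname collisions, hosts seen on the wire that nobody declared, and declared hosts that did not answer.

```python
"""Reconcile acquirer and target asset inventories before joining the networks.

Example code for M&A due diligence; the data model and sample data are constructed
assumptions, not output from any real tool.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    side: str  # "acquirer" or "target" (assumed labelling)


# Constructed sample inventories, as each company declared them.
ACQUIRER_INVENTORY = [
    Asset("dc01", "10.10.1.5", "acquirer"),
    Asset("fileserv", "10.10.1.20", "acquirer"),
    Asset("printer-2f", "192.168.1.40", "acquirer"),
]
TARGET_INVENTORY = [
    Asset("DC01", "10.10.5.10", "target"),
    Asset("web01", "10.10.5.11", "target"),
    Asset("legacy-db", "10.10.5.50", "target"),
]

# Constructed address plans for each side.
ACQUIRER_SUBNETS = ["10.10.0.0/16", "192.168.1.0/24"]
TARGET_SUBNETS = ["10.10.5.0/24", "172.16.0.0/12"]

# Constructed result of a discovery scan of the target network: the addresses
# that actually answered. This is the "verify" half of trust but verify.
TARGET_SCAN_OBSERVED = ["10.10.5.10", "10.10.5.11", "10.10.5.99"]


def overlapping_subnets(side_a, side_b):
    """Pairs of subnets from the two address plans that share address space."""
    found = []
    for a in side_a:
        net_a = ipaddress.ip_network(a)
        for b in side_b:
            if net_a.overlaps(ipaddress.ip_network(b)):
                found.append((a, b))
    return found


def hostname_collisions(inv_a, inv_b):
    """Hostnames present on both sides (case-insensitive), which will clash in a merged directory or DNS."""
    names_a = {asset.hostname.lower() for asset in inv_a}
    names_b = {asset.hostname.lower() for asset in inv_b}
    return sorted(names_a & names_b)


def unverified_hosts(declared, observed_ips):
    """Hosts seen by discovery that nobody declared: the first place to look for a forgotten or rogue device."""
    known = {asset.ip for asset in declared}
    return sorted(ip for ip in observed_ips if ip not in known)


def missing_hosts(declared, observed_ips):
    """Declared hosts that did not answer discovery: stale records, or hosts hidden from the scan."""
    seen = set(observed_ips)
    return sorted(asset.ip for asset in declared if asset.ip not in seen)


def due_diligence_report():
    """Bundle every finding into one structure for the due-diligence file."""
    return {
        "overlapping_subnets": overlapping_subnets(ACQUIRER_SUBNETS, TARGET_SUBNETS),
        "hostname_collisions": hostname_collisions(ACQUIRER_INVENTORY, TARGET_INVENTORY),
        "undeclared_target_hosts": unverified_hosts(TARGET_INVENTORY, TARGET_SCAN_OBSERVED),
        "unresponsive_target_hosts": missing_hosts(TARGET_INVENTORY, TARGET_SCAN_OBSERVED),
    }


if __name__ == "__main__":
    for finding, value in due_diligence_report().items():
        print(f"{finding}: {value}")
```

Each non-empty list in the report is a question to put to the target company before signing, not after: an undeclared host answering on their network is exactly the kind of indication that something is amiss.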

As part of a proactive approach to security, download the Network Security Toolkit (NST) for best-of-breed open source network security applications to monitor and help secure all the networks before their merger, and make the NST part and parcel of your network security process and procedure. Another good website to visit is INSECURE.ORG, a repository of the top 125 network security tools for vulnerability scanning and penetration testing, among many other useful tools and applications to help keep your network secure.

Remember, it is an ugly world out there: be proactive with your security, always!

Reference: The CIO’s M&A Blog