A new cost for network blindness: derailed mergers and acquisition deals


An undisclosed data breach can dramatically alter any merger or acquisition. Mike Campfield, VP, Global Security Programs, ExtraHop, explains how cyber audits are now standard practice and how companies make recommendations based on the strength of a cybersecurity programme.

Enterprise Security is never just a problem for the security team. With every breach it creeps further and further out into the other parts of the business. A new ISC2 survey has revealed that cybersecurity is becoming a cornerstone of mergers and acquisitions (M&A) and that poor security can seriously damage the likelihood and price tag of a deal.

The report, entitled Cybersecurity Assessments in Mergers and Acquisitions, surveyed 250 professionals with expertise in M&A to find their thoughts on how cyber considerations affect such deals.

Firstly, every single respondent reported that cyber audits are now standard practice, and more than three quarters (77%) said they make M&A recommendations based on the strength of the target's cybersecurity programme. At the very least, cybersecurity now has a direct bearing on M&A.

Some respondents went further. For 86% of them, a publicly reported breach would take a bite out of the acquisition price. However, if the target company has responded to the breach appropriately, paid its fines and reinforced its security posture, the price may recover.

But those that hide or miss breaches will be given no such consideration. Nearly half – 49% – of respondents said that the discovery of a previously undisclosed breach has derailed deals they were involved in.

Perhaps the best example is Verizon's acquisition of Yahoo, agreed in 2016. By the early 2010s Yahoo's star had fallen considerably. It had gone from one of the largest and most important tech companies in the world in the 1990s to a Silicon Valley also-ran, long overtaken by younger rivals. In 2008 it had refused an offer from Microsoft of roughly US$44.6 billion, arguing that the price significantly undervalued the firm. In July 2016 Verizon made an offer that reflected the company's latter-day woes: US$4.83 billion, a large number but little more than a tenth (about 11%) of what Microsoft had offered less than a decade earlier.

Two months after Verizon's offer, in September 2016, Yahoo publicly disclosed that it had suffered a breach in late 2014 that exposed 500 million user accounts, one of the largest breaches ever. Then things got much worse. In December 2016 Yahoo admitted a second, separate breach, dating from August 2013, that compromised at least one billion accounts, at the time the largest ever recorded (in 2017 the figure was revised to all three billion Yahoo accounts).

Verizon had to look at its offer again. Not only was Yahoo now worth less, Verizon would also inherit the legal exposure. The repercussions of having been breached, and of having left two of the largest breaches ever recorded undisclosed for years, would now be shared between the two companies.

In February 2017, Verizon announced that it would proceed with the acquisition, but for US$350 million less than initially offered, with the two companies agreeing to share certain breach-related liabilities. By the judgement of many of the ISC2 survey respondents, Verizon got off lightly.

It works both ways though. The effect of a merger or acquisition on an enterprise’s security is considerable too.

Post-merger, the new single entity often finds itself saddled with the infrastructure of two organisations, each designed to serve only one. This produces several complications, among them tool sprawl. When two environments collide they bring their security tools with them, and the chances are each already had too many. A 2018 Forrester survey found that over half of organisations (55%) juggle at least 20 tools between security and operations teams. The end result is wasted money, redundant tooling and a spotty, inconsistent security posture. Combining two massive data estates causes similar problems, creating large unknowns and extending the enterprise far beyond the bounds of its original perimeter.

Still, the bottom line on cybersecurity's impact on M&A, before or after the deal goes through, is that being able to see and understand your own environment is paramount. According to the Ponemon Institute, it takes enterprises an average of 206 days just to discover a breach, before containment even begins. That yawning gap between intrusion, discovery and containment threatens to derail deals, or at least take a huge bite out of an asking price.

To keep deals running smoothly, organisations should think about how they gain visibility into their own environment. In 2015, then-Gartner analyst Anton Chuvakin coined the term "SOC (Security Operations Centre) visibility triad" for a combination of three data sources which, in his words, "seeks to significantly reduce the chance that the attacker will operate on your network long enough to accomplish their goals."

The visibility triad consists of three tools, each relying on a different data source.
● Endpoint Detection and Response (EDR) uses software agents to monitor activity on endpoint or host machines.
● Security Information and Event Management (SIEM) tools aggregate and analyse the logs that systems report about themselves.
● Network Detection and Response (NDR) monitors network traffic in real time.
Of the three, the network has long been neglected in many enterprises' security strategies, which has allowed breaches to lie undetected for far too long.

Over the last few decades, many enterprises have focused on perimeter defence, believing they can build walls high enough to fend off any attacker. In the meantime, attackers have got very good at getting past those walls, and once inside their job gets much easier.

Those later stages of an attack are where the attacker does the real damage and gets close to critical systems, and also where they can hide most effectively, given the blind spots that exist in so many organisations. Network detection and response is the piece of the SOC visibility triad missing at many organisations. Organisations that fill this gap make it much easier to maintain, and to demonstrate, a clean bill of cybersecurity health when a potential merger or acquisition arises.
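The point about blind spots can be made concrete. The following is an added example, not code from the article or from ExtraHop: a toy NDR-style analysis in Python over constructed flow records and a constructed EDR agent inventory. It assumes the corporate address space is 10.0.0.0/8 and treats SSH, SMB, RDP and WinRM as the ports lateral movement usually rides on (both are assumptions for the example). It shows two things that endpoint agents and self-reported logs cannot: an internal host that originates traffic but has no agent, and a host fanning out to many internal machines on administrative ports.

```python
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    """One network flow record, as an NDR sensor or NetFlow collector would emit it."""
    ts: int      # flow start, seconds since epoch (constructed values below)
    src: str
    dst: str
    dport: int


INTERNAL = ip_network("10.0.0.0/8")      # assumption: the corporate address space
ADMIN_PORTS = {22, 445, 3389, 5985}       # SSH, SMB, RDP, WinRM: usual lateral-movement channels

# Constructed EDR inventory: hosts on which an agent is installed and reporting.
# 10.0.3.77 is deliberately absent, standing in for an inherited, unmanaged server.
EDR_AGENTS = {"10.0.1.10", "10.0.1.11", "10.0.1.12", "10.0.2.20"}

# Constructed flows: routine traffic plus one host sweeping SMB across a /24.
SAMPLE_FLOWS = (
    [Flow(1_700_000_000 + i * 900, "10.0.1.10", "10.0.2.20", 445) for i in range(4)]        # user -> file server
    + [Flow(1_700_000_000 + i * 60, "10.0.2.20", "8.8.8.8", 53) for i in range(3)]           # server DNS lookups
    + [Flow(1_700_000_300 + i * 5, "10.0.3.77", f"10.0.1.{i + 1}", 445) for i in range(30)]  # SMB sweep
)


def unmanaged_internal_hosts(flows, agents, internal=INTERNAL):
    """Internal hosts that originate traffic but have no EDR agent.

    Such hosts produce no endpoint telemetry and no logs of their own to forward
    to a SIEM, so only the network data source shows they exist.
    """
    sources = {f.src for f in flows if ip_address(f.src) in internal}
    return sorted(sources - set(agents))


def lateral_fanout(flows, ports=ADMIN_PORTS, window=600, threshold=10, internal=INTERNAL):
    """Sources reaching >= `threshold` distinct internal hosts on admin ports within `window` seconds.

    Returns {src: distinct destinations in that source's densest window}.
    """
    by_src = defaultdict(list)
    for f in flows:
        if f.dport in ports and ip_address(f.src) in internal and ip_address(f.dst) in internal:
            by_src[f.src].append((f.ts, f.dst))

    hits = {}
    for src, events in by_src.items():
        events.sort()
        best = 0
        # Brute-force sliding window: fine for an example, replace with a deque at scale.
        for i, (t0, _) in enumerate(events):
            dsts = {d for t, d in events[i:] if t - t0 <= window}
            best = max(best, len(dsts))
        if best >= threshold:
            hits[src] = best
    return hits


if __name__ == "__main__":
    print("internal hosts with no EDR agent:", unmanaged_internal_hosts(SAMPLE_FLOWS, EDR_AGENTS))
    print("admin-port fan-out above threshold:", lateral_fanout(SAMPLE_FLOWS))
```

Both findings come purely from network data. The unmanaged host never reports to EDR or SIEM, and the sweep looks, from any single destination, like one ordinary SMB connection; only a vantage point that sees every flow reveals the pattern.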

As long as successful M&A deals rely on healthy cybersecurity, they will rely on network visibility. Over two-fifths (42%) of ISC2 respondents felt that the importance of cybersecurity in M&A would only increase over the next two years, and 82% said that strengths such as security training programmes, risk management awareness and the overall health of an organisation's security posture would increase a company's value when it came time to sign on the dotted line. Increasingly, the cornerstone of a good security posture, and now of M&A, is network visibility.

Intelligent CISO