Mergers and acquisitions: Many organizations utilize these activities to move their business forward by expanding into different market segments or gaining competitive advantage with a unique offering.
But too often, organizations run the associated integration and onboarding processes at the speed of business. Speed can obscure critical security issues:
What happens when you’re blind to the hidden risks that lie within the acquired company’s network, workstations, and employee base?
Build In Secure Integration Time
Operating at the speed of business is something that is hard for most security teams to avoid. Security is often viewed as an impediment to making money. During an acquisition, the faster an organization can absorb and integrate the new company, the more quickly it can take advantage of the perceived benefits. So realistically, how am I able to recommend slowing down this process? There are two aspects to consider with regard to securely integrating a new business into an existing network:
Know What You’re Buying – Before You Buy
So with all of this hidden risk on the cybersecurity side, why aren’t more companies assessing this along with the financial risk calculations? Currently, there aren’t many good ways to do this. Regulatory assessments only go so far and, unfortunately, they are too often performed by companies and individuals who only see risk behind the veil of an audit methodology. Is there value in running through a checklist of questions to determine if anything about the environment is material? Sure there is. However, these types of examinations are not going to reveal the types of hidden risks I mentioned above.
At CrowdStrike, our approach to M&A Cyber Risk Assessment combines a compromise assessment and cybersecurity maturity assessment that help companies gain a better understanding of their cybersecurity risk profile for years. When I break down the questions these companies should be asking themselves when looking to make an M&A transaction, the two primary ones are:
If everything checks out financially and I think this car is going to help improve my life, that checks the box and I’m writing the check.
We recommend companies utilize a compromise assessment to answer this first question. The goal of a compromise assessment is to look at host artifacts and network traffic to identify evidence of past or current compromise. We partner this with our Falcon Host technology, which when deployed across the entirety of the customer’s endpoints, provides us near real-time visibility into activities on the hosts. This combination of analysis and monitoring allows us to determine, with a high degree of confidence, whether an organization is currently compromised. This answers question number one and is the question that most executives should be asking today.
The second question looks to the future. In an M&A situation, that future is sitting in your environment.
Even if you’re not taking on the acquired company’s cybersecurity processes, technologies, or resources, it’s a good idea to understand how well cybersecurity is ingrained in their corporate culture. More often than not, however, some of these processes and technologies come across in the transition. We recommend assessing the current capabilities of the company being acquired. Not only will it pinpoint potential risks, but it also helps the acquiring organization identify strengths that can be leveraged.
CrowdStrike offers a cybersecurity maturity assessment to help organizations answer this second question. Through an assessment of people, processes, and technologies related to the primary cybersecurity capabilities of a company, we provide a maturity score in each area. This score is partnered with a view into the maturity level of others in your industry. What’s the value in this during an M&A transaction? Most organizations want to know if they’re taking on an immature cybersecurity program or a best-in-breed company. As an adversary, it’s a lot easier to compromise the companies at the bottom of the maturity scale.