M&As: Understanding the digital attack surface

In cyber-security, mergers and acquisitions (M&As) are much like a marriage. One company’s cyber-security problems become another company’s baggage – whether they disclose them or not. The Office for National Statistics (ONS) put the value of M&As involving UK companies between January and March 2019 at £912 million[1]. Companies are grappling to understand what this boom means for their online presence. Fabian Libeau, EMEA VP at RiskIQ, comments.

The digital attack surface

Organisations are no longer responsible for just protecting digital assets in their network, but also those assets that sit outside the firewall on the open Internet, including those owned by any acquired organisations. Company digital assets that are discoverable on the Internet form part of an organisation’s digital attack surface. While they are created for customers and prospects to engage with, they are also discoverable by malicious actors whether they be cyber criminals or nation states.

The digital attack surface is made up of known, unknown and rogue assets. Known assets, such as corporate websites, servers and the applications running on them, are inventoried and managed, and tend to be regularly assessed for security weaknesses. Unknown assets cover infrastructure outside the purview of the security team: assets created outside the normal channels by the business in response to changing requirements (commonly called Shadow IT), forgotten digital assets, and uncatalogued assets from acquisitions. Rogue assets include malicious infrastructure spun up by threat actors, such as a branded phishing site or mobile application.

Digital channels have become the predominant method of customer engagement for many organisations, generating assets valuable to customers and hackers alike. As a result, we see an explosion of cyber-attacks against public facing websites, mobile apps, third-party code, servers, and social media accounts. In fact, today, three out of four successful breaches originate on the Internet.

Lack of visibility

It’s not uncommon for a large organisation to have thousands of active websites and other public-facing assets, and even if the IT and security teams in a to-be-acquired company keep an asset register of websites, it almost always offers only a partial view of the company’s actual digital presence.

A lack of visibility in the pre-acquisition (due diligence) phase can significantly impact the value of an acquisition. If a company’s history of cyber-security issues is discovered after executing an acquisition agreement, this can affect the offer price, as well as future legal liability associated with the transaction. A lack of qualified cyber-security talent during an M&A can often be the cause of missed cyber-security issues during the M&A due diligence process – despite its huge importance.

Know the risks

When evaluating a target company from an M&A standpoint, failing to understand its cyber-security risks can be costly. It could lead to a misrepresentation of the company’s overall valuation, due to a lack of clarity regarding its internet-facing assets, or to a lack of planning to address ongoing security risks as the two organisations integrate.

When merging with, or acquiring, a company, it’s important to know what the business is responsible for in order to protect the firm and the deal. The first step is to understand that the business becomes responsible for every digital asset a company owns the moment it acquires it. If the acquired company’s security practices are less robust, the weaknesses that result become weaknesses in the overall attack surface.

When acquiring only part of an organisation, such as a line of business, it is essential to identify and document the transferred assets. This includes digital properties, such as brand assets, domains, and social accounts. Without a thorough understanding of what currently exists, companies can miss critical digital assets that later result in ownership and security issues.

Protecting assets and deals

The M&A process often involves a due diligence exercise focused on all aspects of a company’s business, including IT, but when it comes to cyber risks organisations often struggle to understand what’s most important to look for. Asking the right questions can help direct resources to the areas needing immediate attention, and also help security teams quantify the scope of work required to bring acquired digital assets under management from a security perspective. Questions could include: Are there insecure forms collecting personally identifiable information (PII)? Have any assets been compromised and, therefore, represent an immediate exposure? Are infrastructure elements patched and up to date, or is there a systemic issue that indicates poor Internet hygiene?
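The first of those questions can be checked mechanically across an acquired web estate. The script below is an added example, not part of the original article and not RiskIQ’s tooling: it parses a page’s HTML (a constructed sample) and flags every form that collects fields whose names suggest PII while its resolved submit target is not HTTPS. The PII field-name hints and the example.test hostnames are assumptions made for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Field-name fragments that commonly indicate PII (heuristic list, an assumption).
PII_HINTS = ("email", "phone", "ssn", "password", "passport", "dob", "address", "card")

# Constructed sample page: three forms, two of which submit PII over plain HTTP
# when the page itself is served over http://.
SAMPLE_HTML = """
<form action="/signup"><input name="Email"><input name="newsletter"></form>
<form action="https://pay.example.test/checkout"><input name="card_number"></form>
<form action="http://legacy.example.test/login"><input name="user"><input type="password" name="password"></form>
"""

class FormAuditor(HTMLParser):
    """Collect every <form> on a page together with the names of its inputs."""
    def __init__(self):
        super().__init__()
        self.forms = []        # list of (action attribute, [input names])
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = (a.get("action") or "", [])
            self.forms.append(self._current)
        elif tag == "input" and self._current is not None:
            self._current[1].append((a.get("name") or a.get("id") or "").lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None

def insecure_pii_forms(page_url, html):
    """Return (resolved action URL, PII field names) for each form that would
    submit PII over a non-HTTPS channel. A relative action inherits the page's
    scheme, so the same markup can be safe on https:// and exposed on http://."""
    parser = FormAuditor()
    parser.feed(html)
    findings = []
    for action, fields in parser.forms:
        target = urljoin(page_url, action)
        pii = [f for f in fields if any(hint in f for hint in PII_HINTS)]
        if pii and urlparse(target).scheme != "https":
            findings.append((target, pii))
    return findings

if __name__ == "__main__":
    for target, pii in insecure_pii_forms("http://www.example.test/", SAMPLE_HTML):
        print(f"INSECURE FORM: {target} collects {pii}")
```

Run against a crawl of the target company’s discovered hostnames, the findings list becomes a concrete remediation backlog for the integration plan rather than an open question in the due diligence checklist.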

Mitigating risk

Ultimately, the cyber risks associated with a target company’s digital footprint not only represent a financial risk in the transaction, but also a potential threat to a company’s operations and brand reputation. Finance directors must ensure they budget to invest in technologies and services that can discover, inventory and manage the vast digital attack surface. Only then will organisations be able to make more informed decisions promptly and understand what true digital attack surface management means.

[1] https://www.ons.gov.uk/businessindustryandtrade/changestobusiness/mergersandacquisitions