How M&A ac­tiv­ity can open the door to cy­ber threats

Kuwait Times - - TECHNOLOGY - By Alastair Pater­son, CEO and Co-Founder of Dig­i­tal Shad­ows

Merg­ers and ac­qui­si­tions (M&A) can be ex­cit­ing, of­fer­ing com­pa­nies a sig­nif­i­cant plat­form for growth. Ac­cord­ing to the Deloitte M&A In­dex 2016, global M&A ac­tiv­ity reached record-break­ing deal val­ues in 2015 at over $4 tril­lion, with the re­sult­ing deals ex­pected to add $1.5 to $1.9 tril­lion in value to these com­pa­nies. But while merg­ers and ac­qui­si­tions pro­pel com­pa­nies for­ward, the M&A process also fu­els sig­nif­i­cant op­por­tu­ni­ties for cy­ber crim­i­nals. Fail­ure to se­cure sen­si­tive in­for­ma­tion dur­ing this time opens the door to threat ac­tors look­ing to profit by ex­ploit­ing fi­nan­cial mar­kets and pro­pri­etary in­tel­lec­tual prop­erty (IP).

Let’s just take a closer at the Mid­dle East in terms of its M&A ac­tiv­ity. The Mid­dle East M&A ac­tiv­ity recorded 75 deals worth US$29.9bn in 2016, jump­ing 2.3x by value com­pared to 2015 (71 deals, US$13.1bn). The oil and gas sec­tor, along with the food and bev­er­age, trans­porta­tion, tech­nol­ogy and util­i­ties and en­ergy sec­tors had a high share of cross-bor­der trans­ac­tions.

The ac­qui­si­tions by com­pa­nies based in Saudi Ara­bia fol­lowed by Qatar and UAE ac­counted for the ma­jor­ity of overseas ac­qui­si­tions with tech­nol­ogy be­ing the most ac­tive sec­tor of Mid­dle Eastern M&Ain­volve­ment. As per the pre­dic­tion of an ATKear­ney re­port, over the next 12 months, it is ex­pected that MENA and in­ter­na­tional M&A mar­kets will con­tinue re­main ac­tive. Com­bine that with the ex­plo­sion of big data and the preva­lence of cor­po­rate data se­cu­rity breaches, the fail­ure to eval­u­ate cy­ber­se­cu­rity risks quickly turn a great op­por­tu­nity into an un­mit­i­gated fail­ure.

Un­der­stand­ing the cy­ber risks present along the M&A process is the first step to­ward mit­i­gat­ing the risk. While each process will have its own nu­ances, all tend to fol­low five gen­eral stages. Along each stage new risks emerge and ad­vanced at­tack­ers, well-versed in cor­po­rate espionage tech­niques, stand to profit. Here’s a brief look at each of the stages and the types of risks and pos­si­ble degra­da­tions in se­cu­rity pos­ture that may oc­cur.

Prepa­ra­tion for ac­qui­si­tion and/or val­u­a­tion

Or­ga­ni­za­tions are vul­ner­a­ble to threats right from the start. Job list­ings for po­si­tions that re­quire cor­po­rate de­vel­op­ment or other M&A-re­lated ex­pe­ri­ence, or ac­tiv­i­ties like an­other round of fund­ing or other ini­tia­tives to boost the com­pany in the eyes of deal mak­ers, can be clues that M&A ac­tiv­ity is in the offing. As­tute fi­nan­cial an­a­lysts may draw their own con­clu­sions based on ac­tiv­ity and start to com­ment. Mean­while, so­phis­ti­cated threat ac­tors who have picked up the scent may tar­get ex­ec­u­tives typ­i­cally in­volved with such ac­tiv­ity with spear-phish­ing cam­paigns, man-in-the-mid­dle mal­ware at­tacks, or sim­ply through un­se­cured wire­less In­ter­net con­nec­tions. Not only is the deal ex­posed ear­lier than in­tended, pos­si­bly lead­ing to a host of com­pli­ca­tions, but in­for­ma­tion gained can be highly valu­able to those with ne­far­i­ous mo­ti­va­tions.


As com­pa­nies move through the process they may al­ter their mar­ket­ing be­hav­iors. To the pub­lic these mar­ket­ing ac­tiv­i­ties may ap­pear in­nocu­ous. But to a trained eye an iden­ti­fi­able pat­tern and op­por­tu­nity can emerge. A com­pany slow­ing down its cy­cle of prod­uct an­nounce­ments or show­ing strength in prof­itabil­ity while qui­etly re­duc­ing staff can raise sus­pi­cion. Em­ploy­ees who have lost their jobs may start to leak in­for­ma­tion and fur­ther tip off cy­ber­crim­i­nals who may launch spear-phish­ing cam­paigns to con­firm their sus­pi­cions and ac­quire valu­able data.

Due dili­gence

This stage of the process can pro­vide ex­ec­u­tives with op­por­tu­ni­ties to gain sig­nif­i­cant in­sights to help re­duce risk, but it can also pro­vide cy­ber­crim­i­nals with sig­nif­i­cant op­por­tu­ni­ties to steal data. The ac­quir­ing com­pany has the chance to re­view the se­cu­rity and in­tegrity of the sys­tems of the com­pany they are merg­ing with and un­der­stand how to mit­i­gate risk be­fore fi­nal­iz­ing the deal. At the same time, both com­pa­nies may ex­pe­ri­ence an in­crease in spear-phish­ing at­tempts as at­tack­ers strive to take ad­van­tage of a surge in data that ex­changes hands dur­ing due dili­gence.

Ne­go­ti­a­tions, sign­ing and an­nounce­ments

Or­ga­ni­za­tions that lack so­cial me­dia poli­cies, mo­bile de­vice man­age­ment and end­point pro­tec­tion may find data leaked in­ad­ver­tently as the end of the M&A process ap­proaches. While all em­ploy­ees should be vig­i­lant at this stage, ex­ec­u­tives are par­tic­u­larly sus­cep­ti­ble to leak­ing data. Poorly se­cured per­sonal de­vices and the use of pub­lic Wi-Fi to re­view doc­u­ments while on the road or in meet­ings pro­vide bad ac­tors with am­ple op­por­tu­nity to steal high-value data. Once the an­nounce­ment is made, the doors will open even wider and less so­phis­ti­cated at­tack­ers will also try to profit or cause dis­rup­tions.

Wait­ing pe­riod and fi­nal merge

The main risk at this stage is from em­ploy­ees who fear a job loss or change and may leak IP or other data. If an at­tacker has es­tab­lished a foothold in a merg­ing net­work, this is also an op­ti­mal time to mon­i­tor com­mu­ni­ca­tions and pa­tiently wait for deeper ac­cess or uti­lize that in­for­ma­tion for so­cial en­gi­neer­ing.

Clearly, vig­i­lance is re­quired at all stages of the M&A process, as a fail­ure to se­cure sen­si­tive in­for­ma­tion con­sti­tutes both a threat to the or­ga­ni­za­tion and an op­por­tu­nity for bad ac­tors. In­di­vid­u­als’ be­hav­iors, un­in­ten­tional clues and vul­ner­a­bil­i­ties in in­her­ited net­work in­fra­struc­ture and soft­ware can all open the door to cy­ber risk. How­ever, or­ga­ni­za­tions armed with these in­sights can bet­ter un­der­stand the threats they face and mit­i­gate ac­cord­ingly. Given the value to be gained once the com­pa­nies are com­bined, it’s safe to say that en­sur­ing suc­cess­ful in­te­gra­tions will be a pri­or­ity on board­room agen­das. Se­cu­rity, both dur­ing the M&A process and after the deal is closed, will play a cen­tral role in pos­i­tive out­comes.

Alastair Pater­son

Newspapers in English

Newspapers from Kuwait

© PressReader. All rights reserved.