As companies make deals, cyberattackers prepare to pounce

The acquired company often has some security controls to catch up on, one IT pro says.

Like Vince Vaughn and Owen Wilson indulging themselves at your expense on what was supposed to be the happiest day of your life, threat actors love to crash a union.

Mergers and acquisitions attract cyberattackers, according to tech pros who spoke with IT Brew, and businesses that lack a full understanding of their target partner’s security posture face costly risks.

“These target organizations: Maybe they’re startups, maybe they’re smaller. Thinking about risk management is usually something that comes later in the stage of a company,” Stephen Boyer, co-founder and chief innovation officer at risk-management provider Bitsight, told IT Brew.

In an August midyear assessment, cyber risk management firm and insurer Resilience reported that vendor-driven claims were the fastest-growing area in the company’s portfolio, and now “the fastest growing cause of loss.”

“Some of the past year’s most devastating cyber incidents involved heavily interconnected systems or recently acquired companies,” the report’s authors explained.

CISOs face the challenge of knowing their partner’s security posture and are “not always fully understanding [the] cyber risk that’s outside of their direct realm of control,” Ann Irvine, chief data and analytics officer at Resilience, said during a live online presentation on September 12.

Other insights from the midyear cyber claims report:

  • 35% of claims originated in a vendor failure in 2023. In 2022, the share of claims originating from a vendor failure was just under 20%. In 2024 the share has already reached 40% and is “expected to grow.”

Sue Bergamo has overseen merger and acquisition sales as global CISO and CIO at BTE Partners. She cited two important frameworks that help her to figure out if a company has controls in place:

  • ISO 27001 offers orgs guidelines on security controls; the 2013 edition’s Annex A groups them into 14 domains, including access control, supplier relationships, and cryptography (the 2022 revision regroups the same ground into four themes).
  • The Cybersecurity Maturity Model Certification (CMMC), supported by the Department of Defense, offers a checklist of security controls in areas like flaw remediation, privileged remote access, and role-based training.

“Everybody’s excited about that deal on both sides. You kind of have to put the brakes on and say, ‘Let’s really take a look under the cover,’” Bergamo told IT Brew, adding that her due diligence for CEOs is often specific to systems and applications.

While Boyer finds the frameworks useful in demonstrating security maturity, he also warns that controls drift: a database may have been configured correctly at attestation time, but a certification only vouches for that moment, and misconfigurations can creep in months or years later.

Boyer recommends external attack surface management tools—what market-intel firm Gartner defines as “the processes, technology, and managed services deployed to discover internet-facing enterprise assets and systems and associated exposures,” including misconfigured public cloud services and servers, exposed credentials, and third-party code vulnerabilities.

“You’ve got to watch and monitor over time. From the time that deal is announced to the time that deal is closed, to the time most things are integrated, you’re going to have people trying to attack and exploit, which is outside potentially the scope of any of those attestations,” Boyer said.
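The monitoring Boyer describes, as an added example: compare each later external scan of the target company against the inventory an attestation saw, and flag what drifted. This is not code from IT Brew, Bitsight or any EASM product; the hostnames, scan records and severity rules below are constructed sample data and assumptions, standing in for what a real external attack surface management tool would export.

```python
"""Control drift between an attestation-time baseline and later external scans.

Added example (not IT Brew's or Bitsight's code). Each scan is a dict keyed by
(hostname, port) with a record of what was observed there. Hostnames, records
and severity rules are constructed assumptions, not real infrastructure.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass

# Assumption: data stores reachable from the internet without auth or TLS are
# exposures in their own right, whatever the attestation said about them.
DATA_SERVICES = {"postgres", "mysql", "mongodb", "redis", "elasticsearch"}


@dataclass
class Finding:
    when: str       # deal milestone label of the scan
    host: str
    port: int
    severity: str   # "critical" | "high" | "medium" | "info"
    detail: str


def _score_exposure(host: str, port: int, rec: dict, when: str) -> list[Finding]:
    """Rate one observed service on its own merits (independent of the baseline)."""
    out: list[Finding] = []
    svc = rec.get("service", "unknown")
    if svc in DATA_SERVICES and rec.get("auth") == "none":
        out.append(Finding(when, host, port, "critical",
                           f"{svc} reachable from the internet without authentication"))
    elif svc in DATA_SERVICES and not rec.get("tls", False):
        out.append(Finding(when, host, port, "high", f"{svc} exposed without TLS"))
    if rec.get("cert_expired"):
        out.append(Finding(when, host, port, "medium", "TLS certificate expired"))
    return out


def diff_exposures(baseline: dict, current: dict, when: str) -> list[Finding]:
    """Compare one post-attestation scan against the attestation-time baseline."""
    findings: list[Finding] = []
    for (host, port), rec in current.items():
        if (host, port) not in baseline:
            findings.append(Finding(when, host, port, "high",
                f"new internet-facing {rec.get('service')} not present at attestation"))
        else:
            old = baseline[(host, port)]
            for attr in ("service", "auth", "tls"):
                if old.get(attr) != rec.get(attr):
                    findings.append(Finding(when, host, port, "info",
                        f"{attr} changed: {old.get(attr)!r} -> {rec.get(attr)!r}"))
        findings.extend(_score_exposure(host, port, rec, when))
    for host, port in baseline.keys() - current.keys():
        findings.append(Finding(when, host, port, "info", "exposure no longer observed"))
    return findings


def drift_over_time(baseline: dict, snapshots: list[tuple[str, dict]]) -> list[Finding]:
    """Run the diff for every later snapshot, in milestone order."""
    return [f for when, scan in snapshots for f in diff_exposures(baseline, scan, when)]


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings by severity, for a one-line status per milestone."""
    return dict(Counter(f.severity for f in findings))


# Constructed baseline: what the auditor saw on the attestation date.
BASELINE = {
    ("www.target.example", 443):  {"service": "https", "auth": "n/a", "tls": True},
    ("vpn.target.example", 443):  {"service": "https", "auth": "sso", "tls": True},
    ("db1.target.example", 5432): {"service": "postgres", "auth": "required", "tls": True},
}

# Constructed later scans, labelled by deal milestone. At closing, the database
# has lost its auth requirement, a cert has lapsed and a new CI host appeared.
SNAPSHOTS = [
    ("deal announced", {
        ("www.target.example", 443):  {"service": "https", "auth": "n/a", "tls": True},
        ("vpn.target.example", 443):  {"service": "https", "auth": "sso", "tls": True},
        ("db1.target.example", 5432): {"service": "postgres", "auth": "required", "tls": True},
    }),
    ("deal closed", {
        ("www.target.example", 443):  {"service": "https", "auth": "n/a", "tls": True,
                                       "cert_expired": True},
        ("vpn.target.example", 443):  {"service": "https", "auth": "sso", "tls": True},
        ("db1.target.example", 5432): {"service": "postgres", "auth": "none", "tls": True},
        ("jenkins.target.example", 8080): {"service": "http", "auth": "none", "tls": False},
    }),
]

if __name__ == "__main__":
    for f in drift_over_time(BASELINE, SNAPSHOTS):
        print(f"[{f.when}] {f.severity:8} {f.host}:{f.port}  {f.detail}")
    print(summarize(drift_over_time(BASELINE, SNAPSHOTS)))
```

Run it and the "deal announced" scan produces nothing, because nothing moved; the "deal closed" scan produces the attribute change on the database, the resulting critical finding, the lapsed certificate and the new host. The point is that the baseline alone would still have passed: only the later scans show the drift.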
