Cyber Threats Targeting Mergers and Acquisitions

Recommendations

Info

Negotiations, signing (and announcements) Towards the end of the M&A process, unknown and unnecessary data leakage can occur from employees across social media and blog platforms. Organizations that lack policies, mobile device management (MDM) and endpoint protection will be particularly vulnerable. Corporations should also be mindful of personal devices used on corporate networks or Internet of Things (IoT) devices that may be insecure and also contribute to data leakage. While all employees should be vigilant at this stage, it is executives who are particularly susceptible to leaking data. Poorly secured (or compromised) personal devices, as well as the use of such devices in the workplace, can inadvertently expose sensitive documents. The real-world element also cannot be ignored. For example, threat actors may watch physical behavior and travel of executives or staff where meetings and document reviews may occur. This demonstrates the lengths to which bad actors will go in order to acquire extremely valuable information. Once an announcement is made and the typical chaos and confusion ensues as IT systems and organizations merge, the floodgates will open. Lesser actors will jump into the fray, launching phishing and spam campaigns as well as possibly hacktivist attacks and disruptions, against both organizations. Waiting period and final merge The final stage of the process – when the majority of the hard work is already done –¬ is the waiting period before the final merge. The main risk at this stage comes from employees who fear a job loss or change. Staff may draw their own conclusions, recognizing redundancies or anticipating undesirable changes to their role or responsibilities. This can lead to disenfranchised behavior, which in turn may lead to negative social media and public outcry or protest, theft of intellectual property, or worse. In addition, if an attacker has established a foothold in a merging network, this is an optimal time to observe behavior and communication between the two organizations and patiently wait for access, or utilize that knowledge for social engineering. 10
Conclusion There is demonstrable evidence to suggest that companies going through the M&A process have been targeted by malicious actors. Although specific information on threat actors targeting M&A processes is limited, clearly there is ample opportunity. A number of factors both prior to and after a successful bid by the acquiring company have the potential to degrade the acquiring company’s security posture. These include the inheritance of vulnerable network infrastructure and software and disenfranchised of employees who perceive threats to their job security or satisfaction. Further risks can be presented during the M&A process through the sharing of documents and the location of meetings if they are based in public locations. Data leakage, data loss and the use of insecure public networks are all factors that may degrade a company’s security posture. Finally, the awareness of malicious actors to the on-going bid and M&A process increases the targeting of the companies involved as malicious actors attempt to capitalize on opportunities presented by the changes happening within each company. By understanding threats that tend to occur at these various stages, organizations can be better prepared for the process. To reap the benefits of a merger or acquisition, security must be a forethought, not an afterthought. The due diligence stage allows organizations to gain a deeper understanding of what they are getting before signing on the dotted line. But regardless of where an organization is in the M&A process, it is important to remember that operational security practice can dramatically impact profitability. Throughout the discussions, and before plugging in the network cable or allowing the two networks to connect, organizations must be sure to understand what’s on the other side, and the risks present. End notes 1. http://www2.deloitte.com/uk/en/pages/financial-advisory/articles/deloitte-m-and-aindex.html 2. http://www.ey.com/GL/en/Services/Advisory/EY-cybersecurity-cyber-threat-flash-pointsmergers-and-acquisitions 3. http://www.theregister.co.uk/2016/02/24/it_manager_goes_to_jail/ 11
Page 1 and 2: Cyber Threats Targeting Mergers and
Page 3 and 4: Executive Summary Global merger and
Page 5 and 6: 2. Associated threat actors While c
Page 7 and 8: 3. Steps of the Merger/Acquisition
Page 9: Marketing Marketing plays an import
Page 13 and 14: 6. Standards and Compliance • Lis

Cyber Threats Targeting Mergers and Acquisitions

Create successful ePaper yourself

Delete template?

Save as template?