Cyber Threats Targeting Mergers and Acquisitions

Recommendations

Info

Figure 2 - The ease of access to information about individuals likely involved in M&A processes. Further information may be garnered from executives and employees within areas of business such as finance or corporate development, who may be subjected to unsolicited and even targeted emails with malicious payloads masquerading as company documents. There is no shortage of ways in which sensitive information may be exposed. For example, while the cloud is used more frequently throughout the enterprise, USB flash drive reuse is still rampant and a way to spread malware. Man-in-the-Middle malware attacks through an Internet browser can steal information the unsuspecting target innocently enters. And as evidenced in the reports of DarkHotel, there is also the added issue of traveling executives who may use unsecured wireless Internet connections while in transit or at a hotel. Such behavior can lead to system compromise and theft of personally identifiable information (PII), intellectual property, or proprietary and sensitive customer data that may be used in furthering access or attacks. All of these factors can lead to information about the deal being exposed earlier than the organization intended – information that is highly valuable to those with nefarious motivations. 8
Marketing Marketing plays an important role in the M&A process, but it can also provide clues that threat actors may act upon. These clues are not always easily visible and spelled out. In fact, to the public these marketing activities may appear as business as usual, but to a trained analyst an identifiable pattern and opportunity can emerge. Some signals might appear in the form of a company visibly slowing down its cycle of new feature releases or showing a strength in profitability but meanwhile quietly reducing staff. Such activities can leave organizations open to threats. For example, based on such clues an attacker may target someone in corporate development with a one-page company summary designed to look like an M&A document, but in reality is part of a spear-phishing campaign. Or, in cases where a reduction in staff is occurring and speculation of M&A activity begins to spread, employees who are feeling overworked and at risk of losing their jobs may seek to intentionally leak data at the expense of the organization. Due Diligence Due diligence is one of the most important stages of the M&A process; it is an opportunity for the acquiring company to carefully review the target company with a fine-toothed comb to better understand their strengths, weaknesses and risks. That said, it’s important to ask the right questions as they relate to security and integrity of the organization. For example, the company in question may have previously experienced a data breach that was either never detected or never fixed. Similar issues may include the acquisition of insecure network infrastructure and software. A failure to detect these issues at this stage could have significant long-term effects for the acquiring company. To this end, Appendix 1 provides guidelines and recommendations for organizations to understand how they can mitigate such risks as part of the due diligence process, prior to finalizing the deal. It is also important to note that, at this stage of the process, the amount of data that is shared increases dramatically and so does the risk of a data breach. As such, organizations may well experience an increase in spear-phishing attempts as attackers strive to take advantage of a surge in valuable data that exchanges hands during due diligence. 9
Page 1 and 2: Cyber Threats Targeting Mergers and
Page 3 and 4: Executive Summary Global merger and
Page 5 and 6: 2. Associated threat actors While c
Page 7: 3. Steps of the Merger/Acquisition
Page 11 and 12: Conclusion There is demonstrable ev
Page 13 and 14: 6. Standards and Compliance • Lis

Cyber Threats Targeting Mergers and Acquisitions

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?