By Alastair Paterson, CEO and Co-Founder of Digital Shadows
Mergers and acquisitions can be exciting, offering companies a significant growth opportunity. According to the Deloitte M&A Index 2016, global M&A activity reached record-breaking deal values in 2015 at over $4 trillion, with the resulting transactions expected to add $1.5 to $1.9 trillion in value to participating companies.
But while mergers and acquisitions propel companies forward, the M&A process also fuels significant opportunities for cyber criminals. Failure to secure sensitive information during transitions opens the door to bad actors looking to profit by exploiting financial markets and proprietary intellectual property (IP).
Understanding the risks present during the M&A process is the first step toward mitigation. While each deal will have its own nuances, all tend to follow five general stages. Along each stage, new risks emerge — and advanced attackers, well-versed in corporate espionage techniques, stand to profit.
Here’s a brief look at each of the stages and the types of risks and possible degradations in security posture that may occur.
- Preparation for acquisition and/or valuation: Organizations are vulnerable to threats right from the start. Job listings for positions that require corporate development or other M&A-related experience, or activities like another round of funding or other initiatives to boost the company in the eyes of deal makers, can be clues that M&A activity is in the offing. Astute financial analysts may draw their own conclusions based on activity and start to comment. Meanwhile, sophisticated threat actors who have picked up the scent may target the executives typically involved with such activity with spear-phishing campaigns, man-in-the-middle malware attacks, or simply through unsecured wireless Internet connections. Not only is the deal exposed earlier than intended, possibly leading to a host of complications, but information gained can be highly valuable to those with nefarious motivations.
- Marketing shifts: As companies move through the process, they may alter their marketing behaviors. To the public, these marketing activities may appear innocuous. But to a trained eye, an identifiable pattern and opportunity can emerge. A company slowing its cycle of product announcements or showing strength in profitability while quietly reducing staff can raise suspicion, for example. Employees who have lost their jobs may start to leak information and further tip off cyber criminals, who may launch spear-phishing campaigns to confirm their suspicions and acquire valuable data.
- Due diligence: This stage of the process can provide executives with opportunities to gain significant insights to help reduce risk, but it can also provide cyber criminals with significant opportunities to steal data. The acquiring company has the chance to review the security and integrity of the systems of the company it’s merging with and understand how to mitigate risk before finalizing the deal. At the same time, both companies may experience an increase in …