Pratum Blog

Mergers and Acquisitions (M&A) IT Due Diligence Assessments

There has been a surge in Mergers and Acquisitions (M&A) over the past couple of years, and those numbers will continue to rise. So, what should companies be looking for as part of their due diligence? For years, the answer has looked something like this: “Check the financials, legal and intellectual property...” But now, cyber security practices and technologies are at the forefront of these same conversations.

The thought of acquiring a company can be very exciting. An acquisition can help a company gain a stronger foothold in a familiar market or branch out into new geographic regions. In other instances an acquisition will enable a company to add complementary products/services to diversify their portfolio. Regardless of the strategy, the goal of an acquisition is to improve the acquirer’s current state. And the target company can be seen as a means to that end.

The Impact Cyber Security Practices Can Have On Financials

If, however, a company limits itself to only focus on the target’s financials, it may become blinded by seemingly strong financial statements while overlooking cyber security risk, even though the risks posed by an existing or potential security breach could significantly impact financials far into the future. So, what does this mean to an acquiring company? Limiting the due diligence process in a way that neglects security practices and technologies could greatly overvalue the target company and pose significant risk. Without a cyber security assessment, it can take several months or even years for an organization to discover that it has experienced a security breach. If proper action isn’t taken to evaluate and assess the target’s security posture, the acquisition could become a serious failure and cost the acquiring company millions of dollars.

Cyber security and IT issues are a major risk factor for any acquisition. Buyers should engage technology / security experts to determine these risks and quantify the effect on the target’s operations, which can be significant.

Paul Juffer, CPA Managing Partner - LWBJ

Valuating a Company Based on Complete Information

It is imperative to ask the right questions and perform an appropriate cyber security assessment prior to landing a deal. From the outside, the target company may look healthy, but in reality the target’s information could be compromised, leaving only a matter of time before client data is being sold on the dark web or intellectual property is being copied and produced overseas. As the purchaser, if cyber security risk is discovered, you can use the information gained in the due diligence process to value the company at a discounted rate or you can decide to walk away entirely. Of course, it will depend on the severity of the risk. Unfortunately, if this discovery occurs after the close of the acquisition, the acquiring company will be left picking up the pieces. This is why it is so important to perform an assessment early in the process.

IT Due Diligence Assessment

An IT Assessment evaluates the target’s controls and their operational effectiveness and efficiency. It is important to perform an internal assessment of IT infrastructure to assess the confidentiality, integrity and availability capabilities of connected systems. The specific areas tested should include the following:

  • Network, server, and device security, including event monitoring
  • Disaster Recovery Plans, Data Backup and Restore, and Business Continuity Plans
  • Encryption of sensitive data
  • Segregation of duties, minimal access, and other Role Based Access Controls (RBAC)
  • Physical security controls (cameras, locks, lighting, etc.)

Assessing security and risk management policies, to confirm that adequate controls are in place to ensure information security, is also a critical portion of the IT due diligence assessment. Policies to be reviewed should include:

  • IT Risk Management Program
  • Policies, Procedures, and Standards
  • Change Management
  • Vulnerability Management and Incident Response Plans
  • Vendor Management
  • Human Resources
      • Employee Background Check and Onboarding Checklists
      • Employee Security Awareness Training
      • Employee Transfer and Off-boarding Checklists

If you are considering acquiring a company, make sure you consider all of the factors that impact valuation, including cyber security practices and technologies. And, if you are looking to sell your company, make sure to have your own IT Due Diligence Assessment performed. This will enable you to take appropriate steps to reduce your company’s IT risk and improve the valuation of your business prior to negotiations with a suitor.

Cybersecurity Defense in Depth

A Brief History on Defense in Depth

Cybersecurity defense in depth dates to the 1990s; however, the concept originated with the Roman Empire, beginning roughly in 200 AD. Prior to this, the Romans utilized a forward defense, whereby they pushed their military into enemy territories to stop attacks before they even reached Roman soil. Forward defense became too expensive to sustain, so, largely out of the need to bring costs down, they adopted a defense in depth strategy. Their implementation of defense in depth utilized towers and fortified villas scattered across their borders. A large attacking army could overwhelm a single defensive point; however, the Romans utilized a sophisticated information network of signals and communication. When one tower was attacked, soldiers from nearby towers would join the fight to overwhelm the attackers and push them back. If the attackers decided to skirt around a defense, they would find themselves facing a sortie: a defensive point attacking them from the rear. The defensive strategy proved successful. It was a difficult defense to breach, their costs were significantly reduced, and it helped defend Rome for many years. Eventually, though, Rome did fall, and to some extent it was because of an ineffective implementation of their original defense in depth strategy.

Today, the defense in depth concept is receiving considerable attention, and for good reason. The idea that one cyber security defense is enough to thwart an attacker has consistently been proven to not be sufficient. Relying on a firewall to protect an application that is only used internally doesn’t do enough to ensure the application and its data are secured. If the exploit originates from within your internal network, it doesn’t matter how well configured your firewall may be.

Suggested controls to help mitigate internal cyberattacks:

  • Screen new employees using background checks and provide regular security and awareness training. Include social engineering tests in your overall security and awareness training program.
  • Utilize effective Role Based Access Controls (RBAC) that ensure separation of duties and limit each user’s scope of access, and even consider implementing an Identity and Access Management (IAM) system.
  • Enforce complex passwords and require them to be changed routinely, and even consider implementing dual factor authentication.
  • Encrypt sensitive data both in transit and at rest.
  • Implement Data Loss Prevention (DLP) tools.
  • Implement email security software that detects and filters out incoming phishing attacks and prevents sensitive data from being sent out.

Simply having one technology or policy isn’t enough to ensure that your critical applications and data are safe. A multi-layered approach that ideally has an overlapping and redundant design is the best method of ensuring security. That way, if an attacker breaches one layer of your defense, there are many more obstacles the attacker must also overcome to compromise your business’ critical assets. Defining the best defense mechanisms, and the overall design of your defense in depth strategy is best done through a risk management approach. This includes defining what risks your business faces, determining the likelihood and impact, and running this against your risk tolerance. Understanding where your significant risks exist will help to effectively steer the design of your defense in depth strategy.

Ultimately, what you want to avoid is introducing a single point of failure to your critical assets. Strictly speaking, no one piece of your overall defense in depth design is more important than another. Having a properly configured firewall may help keep out external threats introduced from the Internet, but if you have employees who are easily fooled, and are all too eager to be helpful to anyone that may call or walk in off the street, it really doesn’t matter. It’s vital that your defense in depth design is robust and removes any single points of failure.

Defense in Depth is Important, but It’s Not Enough

Defense in depth has been around for some time and is widely considered common practice. However, the reality is that it’s often not enough. It may stop the majority of external attacks but a highly sophisticated attacker who has the ability to map out your entire defense in depth design will find a way in. There are many recommendations on how to remediate the risk of your unknown gaps, specifically at the perimeter of your network.

One such way, proposed by Frank Mong in his article “Does Defense in Depth Still Work against Today’s Cyber Threats?”, is to adopt a zero trust security policy where access in and through a network is based on “applications, data, and user information to establish policies” rather than “port and protocol-based security”, and then to couple that with an automated Advanced Threat Protection (ATP) platform that utilizes near real time threat information to adjust those policies. This defense is similar to Rome’s implementation of defense in depth, which weakened and slowed attacks. Mong goes on to recommend using Security Information and Event Management (SIEM) tools to help if your perimeter has been breached. This is also like Rome’s implementation, which relied heavily on information to be successful. A SIEM will help identify attacks and show your cybersecurity professionals where to target their focus. Finally, like Rome’s implementation, utilizing effective communication and defining an effective incident response plan will be vital to your overall defense in depth strategy.

Oftentimes, defense in depth planning only includes technical controls that keep attackers out of your network, and the risk of an internal attack isn’t planned for, which leaves applications and data exposed and easily exploited. In summary, it’s important to take a holistic approach to defense in depth, as the approach is only as good as its widest gap. It’s important to understand where these gaps are and work to remediate them.

Role Based Access Controls

In the previous blog post, “Remember to Review Your Data Loss Prevention Policies”, I mentioned a few things to consider before purchasing data loss prevention (DLP) products. One of these was restructuring data access controls. To add a little more context to this suggestion, we will discuss some ways to handle it in this article.

The restructuring of controls can be accomplished through Identity and Access Management (IAM), which enables the right individuals to access the right resources at the right times and for the right reasons. Most organizations have tools and processes in place to control access to data. However, as employees move about the company, their access continues to grow, albeit unnecessarily. With each new role, position or promotion, new access is granted but old access is forgotten about and never reviewed to ensure appropriateness.

Limiting Access Creep with Role Based Access Controls (RBAC)

This type of access creep undermines the effort put into deploying appropriate tools that limit access in the first place. That is why it is so important for organizations to remove access that is no longer needed. To help with this challenge, organizations can utilize Role Based Access Controls (RBAC). When implemented correctly and followed exclusively, RBAC is great at limiting access creep.

With RBAC in place, when a user is moved into a role, they receive only the access needed for that role. All other existing access is stripped away. Using this method requires organizations to think about each role and the responsibilities of those roles. The important thing about this approach is that organizations must be intentional about how they assign data access controls.

Sticking to the RBAC Model

Defining the roles that guide RBAC can be time consuming and challenging. If roles are not well-defined, access may be either too broad or too narrow. In these instances, administrators may find themselves struggling to decide what to do with employees who have unique roles, and there is a tendency to grant access outside of a predefined role, which invalidates the entire model. Organizations must remain vigilant about strictly defining roles and abiding by the RBAC model.

Reviewing and Updating Access Controls

In addition to the importance of the initial role creation, access controls must be continuously reviewed and updated based on the needs of the organization. Business unit leadership should be involved in the periodic certification of access for their team members. This ensures that the need for access to data is still valid based on the current business requirements.

The goal is to encourage organizations to take a close look at their access control model and find ways to improve it. In many cases new technology isn't even required. It may be as simple as implementing a process that identifies when an adjustment to access is required. The return on investment in these situations is exponential.
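One way to automate the checks described in the RBAC sections above (stripping old access on a role move, flagging grants made outside a role, and feeding periodic certification by business unit leaders), as an added example that is not from the original post. The role catalogue, entitlement names, users and the separation-of-duties pair are all constructed for illustration.

```python
# Constructed role catalogue: role -> the only entitlements that role needs.
ROLES = {
    "ap_clerk": {"erp:invoice.read", "erp:invoice.create", "share:finance.read"},
    "ap_manager": {"erp:invoice.read", "erp:invoice.approve", "erp:vendor.edit",
                   "share:finance.read"},
    "hr_generalist": {"hris:employee.read", "hris:employee.edit", "share:hr.read"},
}
# Constructed separation-of-duties rule: nobody may both create and approve.
SOD_CONFLICTS = [("erp:invoice.create", "erp:invoice.approve")]

# Constructed directory export: assigned role vs. entitlements actually held.
USERS = [
    {"name": "dana", "manager": "cfo", "role": "ap_manager",
     "entitlements": ROLES["ap_manager"] | {"erp:invoice.create"}},  # kept after promotion
    {"name": "lee", "manager": "hr_director", "role": "hr_generalist",
     "entitlements": ROLES["hr_generalist"] | {"erp:invoice.read", "share:finance.read"}},
    {"name": "sam", "manager": "ap_lead", "role": "ap_clerk",
     "entitlements": set(ROLES["ap_clerk"])},
]

def plan_role_change(current, new_role):
    """Return (grant, revoke) so the user ends with exactly the new role's access."""
    target = ROLES[new_role]
    return sorted(target - set(current)), sorted(set(current) - target)

def review_user(user):
    """Compare held entitlements with the assigned role and the SoD rules."""
    allowed, held = ROLES[user["role"]], set(user["entitlements"])
    return {
        "user": user["name"],
        "excess": sorted(held - allowed),    # access creep: revoke or re-certify
        "missing": sorted(allowed - held),   # role not fully provisioned
        "sod_conflicts": [pair for pair in SOD_CONFLICTS if set(pair) <= held],
    }

def certification_queue(users):
    """Group findings by manager so each leader certifies only their own team."""
    queue = {}
    for user in users:
        finding = review_user(user)
        if finding["excess"] or finding["sod_conflicts"]:
            queue.setdefault(user["manager"], []).append(finding)
    return queue

if __name__ == "__main__":
    for manager, findings in certification_queue(USERS).items():
        for f in findings:
            print(manager, f["user"], "excess:", f["excess"], "SoD:", f["sod_conflicts"])
```

Running `plan_role_change` at the moment of a transfer prevents creep; running `certification_queue` on a schedule catches whatever was granted outside a role in between.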
