The Acquired Breach: How to Spot Cyber Risk in Your Acquisition
Your company just acquired another business and things are great. Your market cap is growing, shareholders are happy, and teams are working hard. Then, you get a call that makes your stomach turn. Your team has uncovered an ongoing breach in the company you just acquired.
Your world changes immediately.
Think the acquired breach can’t happen?
Marriott’s executive team experienced just this in September 2018, when their teams uncovered an ongoing breach in a Starwood guest database. Marriott uncovered the breach after 4 years, when an alarm was triggered as the attackers tried to exfiltrate data.
The roots of the breach may date back to a 2014 incident in which a restaurant point-of-sale system was infected and the infection spread through the company network. Understandably, after 4 years there is limited evidence to trace the source of the attack; however, the current breach was already ongoing before Marriott acquired Starwood in 2016.
Often, during acquisition diligence, companies have said “we had a breach, but we fixed it”. We used to take that statement at face value and move on, because the cost of a breach was low relative to the cost of prevention. In this case, two years later, in a world with heightened sensitivity to cybersecurity, that decision came back to bite Marriott.
How can you prevent the acquired breach?
A few simple steps taken by the acquiring company could have identified this issue before it became a disaster:
1) Trust but Verify: Hire a 3rd party to perform assessments and audits.
Set your cybersecurity posture early. Hire a reputable 3rd party to perform IT, cybersecurity, risk and compliance assessments to create a risk baseline. This risk baseline will be your backstop when you need to prove what was in place pre-acquisition, and measuring against it lets you easily demonstrate improvement over time.
2) Find and fix policy gaps between entities
All companies have security policies, right? It is critical to lay out the policies of both the buyer and the acquired company side by side and align or merge them. This is no minor feat. If there is a match in IT capability on both sides, it is likely the policies will line up to a large extent. If there is a mismatch caused by size, regulation or another driver, the gaps will likely be more significant.
3) Identify and monitor risky data immediately
Demand an inventory of data assets early in the process. Databases, cloud repositories, servers, e-mail, marketing lists, HR systems, Box, Google Docs and others are all sources of potential risk. Pay close attention to:
- Datastores with more than 500 individuals’ records
- Intellectual property
- Regulated information
If your organization doesn’t have a handle on where data lives, you are at risk; you just don’t know how much, and you can’t see it.
Hackers can lie in wait for months or years before executing their plan. Starting with the risky data, systematically scan, test and remediate risks around sensitive data. If you don’t have the capabilities internally, hire a 3rd party early in the process to apply a systematic, risk-based approach to protecting your new data assets.
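The triage that step 3 describes (inventory the datastores, then start the scanning and remediation work at the riskiest ones) can be made repeatable with a small script. The following is an added example and not code from the article or from any of the companies it names; the inventory entries, the data-class labels (`pii`, `payment`, `regulated`, `health`, `ip`) and the scoring weights are all constructed assumptions. It applies the article's three criteria, treats a datastore with no known record count as a risk in itself (the "you just don't know how much" case), and returns a prioritised list with the reason each entry was flagged.

```python
# Constructed sample inventory (not from the article): each entry is one
# datastore the acquired company reported during diligence. A record count
# of None means the owner could not say how many records it holds.
SAMPLE_INVENTORY = [
    {"name": "guest-reservations-db", "kind": "database", "records": 250_000,
     "data_classes": ["pii", "payment"]},
    {"name": "hr-payroll", "kind": "saas", "records": 1_200,
     "data_classes": ["pii", "regulated"]},
    {"name": "marketing-list", "kind": "spreadsheet", "records": 48_000,
     "data_classes": ["pii"]},
    {"name": "product-roadmap", "kind": "docs", "records": 0,
     "data_classes": ["ip"]},
    {"name": "office-wiki", "kind": "docs", "records": 30,
     "data_classes": []},
    {"name": "legacy-pos-backup", "kind": "server", "records": None,
     "data_classes": []},
]

# The article's threshold: "datastores with more than 500 individuals' records".
RECORD_THRESHOLD = 500
# Labels treated as "regulated information" (assumed labels for this example).
REGULATED_CLASSES = {"regulated", "payment", "health"}


def score_datastore(store):
    """Return (score, reasons) for one datastore.

    The weights are this example's assumption, not the article's; the three
    criteria (record volume, intellectual property, regulated data) are the
    article's, plus an explicit flag for an unknown record count.
    """
    score = 0
    reasons = []
    records = store.get("records")
    classes = set(store.get("data_classes", []))

    if records is None:
        # Inventory gap: we cannot size the exposure, so treat it as high risk.
        score += 3
        reasons.append("record count unknown: inventory incomplete")
    elif records > RECORD_THRESHOLD and "pii" in classes:
        score += 3
        reasons.append(f"{records} individuals' records (> {RECORD_THRESHOLD})")

    if "ip" in classes:
        score += 2
        reasons.append("intellectual property")

    regulated = classes & REGULATED_CLASSES
    if regulated:
        score += 3
        reasons.append("regulated information: " + ", ".join(sorted(regulated)))

    return score, reasons


def triage_inventory(inventory):
    """Return every datastore that scored above zero, highest risk first.

    Ties are broken by name so the output is stable run to run.
    """
    ranked = []
    for store in inventory:
        score, reasons = score_datastore(store)
        if score:
            ranked.append({"name": store["name"], "score": score,
                           "reasons": reasons})
    ranked.sort(key=lambda r: (-r["score"], r["name"]))
    return ranked


if __name__ == "__main__":
    for entry in triage_inventory(SAMPLE_INVENTORY):
        print(f"[{entry['score']}] {entry['name']}: {'; '.join(entry['reasons'])}")
```

Run as-is, the script lists the reservations database and the payroll system first (large personal-data volume plus regulated content), then the backup server whose record count nobody could state, then the marketing list, and finally the roadmap documents flagged for intellectual property; the office wiki is not listed. In practice the inventory would be exported from the acquired company's asset register or a discovery tool, and the scoring weights tuned to the acquirer's own risk appetite.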
Marriott is the most visible of a new wave of breaches, with more to come. As large companies acquire smaller companies with less capability and budget for infrastructure, acquired breaches will continue to grow. The acquiring companies are bigger targets for hackers and the media, so infections that may go unnoticed in a small company become front-page news once it is acquired.
Going into any acquisition is an exciting and nerve-wracking time. Don’t let unknown cybersecurity concerns add to the complexity. A combination of up-front diligence, strategy and monitoring will help mitigate much of the risk and will have positive benefits for your business.