04 Jun PE Hub: Cyber Due Diligence: Considerations before a Merger or Acquisition
Do you have any idea how often hackers attack? A University of Maryland study says a cyberattack on average happens every 39 seconds. That’s 2,200 attempts a day, more than 800,000 a year. Countless companies — Sony, JP Morgan, Target and Equifax, to name just a few — have fallen prey to cyberthieves.
On average, a single data breach costs nearly $8 million. Worse, it takes more than six months on average for a data breach to be spotted in the first place. Many companies don’t even realize that they’ve been hacked.
So performing cyber due diligence before a merger or acquisition is essential. While your company may be top-notch in terms of cybersecurity, you have no guarantee that your target company is.
What’s at risk? Many companies significantly underestimate what a single breach can do:
- Business interruptions. While ransomware is possibly the most clear-cut example, dealing with any kind of malware leads to downtime while the virus is dug out and eradicated.
- Loss of intellectual property and other records. Whether hackers make off with proprietary information or company, employee, customer and vendor data, the fallout can be intense – and costly.
- Compliance violations. For organizations governed by HIPAA, GDPR, SEC, FINRA, NYDFS, PCI and other standards, recovering from a cyberattack is dramatically harder.
- Damage to reputation and business. This is incalculable.
Without proper preparation, integrating your target company could introduce serious issues into your organization.
So be straightforward with the target. Ask the CEO and CTO whether they’ve been hacked – but be mindful that they might not know.
Conduct the following examinations of the target, its key personnel and its major suppliers:
- Dark Web Analysis: The Dark Web, inaccessible via standard internet browsers, contains extensive data and private sites. Many breached databases, credentials, personal information, and other sensitive data can be found there. The goal is to ensure no company-related data appears there.
- Social Media Analysis: Are executives and decision makers living a “social” life? If a bad actor knows the CFO’s nickname and knows that he or she is going on vacation to a specific location, that information could be linked to a company account’s secret questions. A well-structured social media analysis can create a risk matrix and address vulnerabilities before they escalate.
- Extensive Internet Search: Do you know what the Internet says about the company? Understanding what the market thinks is critical for your brand image and customer service. But past or current employees might also be giving away company secrets and operational knowledge.
Review the target’s information-security standards – including plans, procedures and policies. Carefully go through its incident-response methods, business-continuity plan and disaster-recovery procedures. If the target has done a cybervulnerability assessment, review the findings from any penetration testing. Then ask a separate firm to conduct new assessments.
Examine the company’s cybersecurity employee-training program. Assess infrastructure and software. Evaluate IT personnel for competence and capabilities. Monitor corporate networks and review user activity.
These steps will gauge the organization’s current state, increasing the odds that you’ll spot any issues.
Evaluate the organization for compliance and whether it adheres to a recognized cyberframework. NIST and ISO are recognized standards, guidelines and best practices designed to mitigate cybersecurity risk through increased control, proper data handling, and other essentials. If a company does not rely on a known framework, that may be a red flag.
Once the deal is set, your work isn’t done:
- Do another cyberrisk assessment to review the current state of the combined organization.
- Enhance IT operations, especially if any shortcomings were previously noted. Partner with a managed services provider that specializes in technical operations, compliance, and cybersecurity, to reduce overhead costs while increasing cybersecurity capabilities.
- Consider implementing a private cloud and virtual desktop infrastructure solution to create a more secure environment, while enhancing mobility. This will enable you to adapt to changing personnel needs, ensuring you have the proper service level at all times.
Michael Abboud is founder and CEO of TetherView, the Oceanport, New Jersey, provider of secure and compliant private cloud solutions. Reach Michael at +1 732-898-1149, email@example.com, and www.linkedin.com/in/michael-abboud-49525aa/
The title to this blog is not going to make any of us at TetherView popular with IT Managers.
However, we think it’s addressing a sobering reality amongst business IT leaders. Most businesses large and small think of IT as being responsible for anything plugged into the wall, plus anything that is performed on a computer; following that philosophy means IT is responsible for EVERYTHING. By asking the “IT Guy” or “IT Team” to manage the copy machine, email, website, security (physical and cyber), compliance, phones, mobile phones, CRM, ERP (well, you get the picture)—your IT person will be less effective or even counter-productive to the goals and long-term strategies of a company.
The IT person has been in house for years—so what do we do? You let them focus on the company’s core business.
Here are 3 Major Reasons to outsource parts of the “IT Puzzle”:
Let’s take a step out of the IT occupational space for a minute. In the medical field, there are hundreds and hundreds of fields of practitioners and surgeons, all specializing in a specific niche of medicine. By solely focusing on their area of expertise, they have the time and ability to hone in on best practices and solve complex diagnoses and patient cases. So, would you go to an orthopedist if you needed brain surgery? Definitely not.
Like the medical field, the IT field is made up of countless different areas all of which require a specialist with expert skills to both innovate and effectively solve problems. Why would you put the entire scope of your IT infrastructure on one guy or a small team? We’re not saying your IT guy isn’t smart… we’re saying that the magnitude and scope of work is too great for any one man or small team to handle.
Don’t hire a generalist when you need a team of specialists.
An IT generalist will help you with anti-virus, firewalls, email and application set-up—but that’s about it. If something complex were to happen, your IT person or team is going to require external resources and research to solve the problem. Now, your company is at a standstill. In order to solve that complex issue, you need to spend money on resources that you were ultimately trying to save.
Let’s say your company experiences a ransomware breach. Your IT person may be prepared to check servers, try to find backups or even try to recover the missing information. Once they’ve burned through their checklist of skills and past experiences, they will likely be on Google or YouTube trying to figure out how to fix the problem.
An IT generalist is something of the past. With technology advancing faster than we care to admit, a generalist just doesn’t offer any value to a company. In fact, if you have a generalist at the helm of your IT department, you have a ticking time bomb.
Most SMBs are unfamiliar with what their IT person or team does – just ask the support team or business owner. It’s even more difficult for a business owner to gauge how well their IT person or support department is performing. The underlying question is: how does a manager or business owner quantify the results and performance of an IT person or team? How does he or she know that the IT department is effectively and efficiently handling every component of their IT infrastructure? If it’s a single IT person or a two- to three-person team, there is absolutely no way they’re properly managing the architecture, stability, risk management and security, just to name a few.
IT might be the most important function in a company—more so than sales, marketing or accounting. Even with a team of three very smart IT people, how do you evaluate if the department is managed or even performing well? The sad reality is that an IT person or team will be exposed the minute there’s a breach to their company.
The most common place we see a single IT professional or a small IT team fall shortest is in long-term planning and innovation.
Most IT professionals fail when it comes to long-term planning. They’re great at handling and executing specific tasks—but few have the foresight to implement a company’s goals into a long-term plan. Part of the reason why this is a challenge for an IT person or team is because there’s never time to innovate or conduct adequate R&D for new projects. Additionally, an IT person or team’s budget is generally much lower than a company spends on marketing (read our paper on technology spend to learn how to avoid that pitfall). Finally, the disadvantage of experimenting with a poorly researched and budgeted new solution is the risk of making a troublesome, expensive, or embarrassing mistake.
Ultimately, these inherent disadvantages will come to light and the value of the department will diminish, because they don’t line up with the company’s goal of advancing in the 21st century.
So often, when we talk to a company after a major cyber incident—they always tell us how under-prepared they were. What they don’t realize is that the lack of preparation came as a result of the complexities of IT. Moreover, just because somebody knows computers, doesn’t make them the right fit to strategically guide a growing company.
At TetherView we build Digital Bunkers™ for businesses. Our specialists provide and maintain your private cloud services supporting your applications on compliant and highly secured virtual servers and desktops. Your data never leaves your Digital Bunker™ but is securely accessible by your employees on virtually any device that is connected to the internet. Our customers improve their efficiency and focus on growing their businesses, not on their IT infrastructure and cyber-security; that’s our core expertise.
Keep your IT Team in place, and let TetherView provide the infrastructure, desktops, servers, security and compliance. This will enable your IT team to deploy the technology to make your business more efficient, productive and relevant.