Using Deception Technology to Secure the Success of M&A
M&A: Opportunity for growth—and for cyber criminals
Because they rarely provide tangible ROI, cybersecurity investments are often justified by the potential costs of not investing. M&A is one arena where these costs can be quite tangible.
In 2015, TalkTalk, the UK telecommunications and Internet provider was fined £400,000 and lost 101,000 customers when personal data of 156,959 customers was compromised, costing the company up to £60 million. Years earlier, it had unwittingly inherited unpatched servers via an acquisition. In 2016, as Verizon was pursuing the acquisition of Yahoo! Inc.’s Internet properties, revelations of security breaches at Yahoo! reportedly devalued the transaction by $350 million.
Whether your organisation is the target, the buyer, or an equal partner in an M&A transaction, cybersecurity should be a front-and-center concern because while business stakes are higher, so is your vulnerability to cyberattack. Periods of high IT volatility always create security gaps. During data center consolidation, cloud migration, geographic expansion, or even workforce reengineering, it can be difficult for any security team to keep pace with the widespread system, infrastructure, and personnel changes. Routine operations such as patch management may suffer in the process.
But beyond the general challenges associated with largescale IT change, M&A also adds:
- New threats and a wider attack surface. While acquiring the assets of another company, you’re also acquiring its risk profile, which may be new for your business. The cyber program of a healthcare provider acquiring a pharmaceutical retailer, for example, may not have been designed to address the wider range of business risks and possible threats.
- The potential to inherit dormant cyber threats. Along with the other organisation’s IT assets, you could be acquiring some serious problems that are not yet visible.
And while the infrastructure is more vulnerable, research from Digital Shadows suggests that during M&A, attackers are more likely to be waiting in the wings. It is an opportune time to profit by exploiting financial markets and intellectual property. As valuable data changes hands, there are more opportunities for a data breach. If employees are resentful or fearful of the coming changes, attackers might be more successful in finding insiders to exploit.
CISOs Need a Seat at the Table—and New Tools in Their Kit
CISOs need to be an integral part of M&A planning and execution at every stage—not just once the deal is done and IT assets need to be integrated. The security posture of the target company needs to be carefully assessed during due diligence, and a refreshed cybersecurity program for the future entity needs to be mapped out proactively.
In addition, the CISO needs new, more nimble security methods in order to help ensure that strategic business transactions are successful. Standard cybersecurity measures are never perfect; targeted attackers with a will to break in can always find a way, but during M&A it is even more urgent to be realistic about the limitations of security controls. Endpoint-based deception offers the simplest, most direct means of finding and stopping malicious activity within your environment—whether by insiders or outsiders.
Once attackers find a way in, they must investigate their surroundings to find data, user credentials, and pathways to your organisation’s “crown jewels.” Endpoint-based deception is purpose-built to exploit this process. It forces attackers to reveal themselves, allowing the organisation’s security team to take control of the attack early in the process before critical assets can be reached.
It works by placing thousands of featherweight bits of false information on systems throughout the network—data and other artifacts designed to appear useful to the attacker. When someone tries to use these deceptions—perhaps by trying to log in with false credentials or accessing a non-existent system, server, or shared file—an alert is sent to IT, forensics are captured, and defenders can monitor the attacker’s movements and take action. With Illusive, there is a 99% probability that an attacker will be detected within three lateral movements.
Defence as elastic as your fast-changing environment
With so many other projects to be done during an M&A integration, why would anyone want to undertake the deployment of a new technology?
First of all, deployment is very fast and non-disruptive. Illusive’s technology is agentless. The hard work of setting up a tailored deception environment is done for you within hours or days through intelligent automation—invisibly to end users, and without burdening IT staff. In fact, Illusive’s technology is so simple to deploy that it could easily be used in the due diligence process to assess a target company’s risk posture.
But the key value of deception in an M&A context is twofold. One, as described above, when it is known that security controls will be far less effective than usual, endpoint-based deception enables attackers operating inside the network to be caught quickly.
Two, Illusive’s deception technology is unique in its ability to seamlessly adapt as the environment is changing. It automatically discovers and rediscovers the environment so that new systems can be fitted with deceptions as they come on line. No matter where and when an attacker finds a point of entry—even if through a previously infected, “inherited” system—he or she faces high odds of immediate detection, no matter what gaps may exist in traditional defences.
During M&A periods, endpoint-based deception can also:
- Uncover hidden weaknesses. During normal business activity, ordinary and privileged user credentials get “left behind” in applications and system memory, and system-to-system connections are established where they shouldn’t be. This problem is multiplied when there is a higher-than-usual rate of role changes or employee turnover. Illusive’s discovery process reveals these risk areas and provides tools to remediate them.
- Help under-staffed security teams focus and prioritise. When resources are tight and security teams are temporarily engaged in other high-priority projects, leaders need confidence that the most business-critical resources are protected. Illusive shows attack paths and attacker activity in relation to high-value assets so stay focused on what matters most.
- Shore up insider threat protection. Malicious employee behavior tends to increase during uncertainty. Deception can detect both insiders and outsiders snooping for sensitive data or unauthorised access to systems. When suspicious activity is identified, Illusive’s forensic snapshot provides evidence and an intelligent starting point for further investigation.
M&A represents a massive opportunity for business growth. It also represents significant opportunity for attackers looking to capitalise on weaknesses in your security defences. With the right deception technology in place, CISOs and their teams can play a pivotal role in securing the outcomes of their organisations’ strategic initiatives—and take their security capabilities to a whole new level to support future business evolution.
For more information:
Visit us and subscribe to our blog at:
Email us at: