Don't Buy a Breach: Ten Cybersecurity Red Flags to Look for During M&A Due Diligence
(This article originally appeared last month in Forbes.)
We’ve heard the pundits’ criticism: Marriott should have known better. The hospitality company’s recent and well-publicized security breach occurred when hackers exploited network-security vulnerabilities in its Starwood division, a subsidiary that Marriott purchased only three years ago. And actually, it’s the news of the breach that’s recent. The breaching itself began in 2014.
With the benefit of 20/20 hindsight, it’s easy to cast the first stones: In 2016, Marriott purchased a company with compromised infrastructure, and then unknowingly integrated that compromised network into its own infrastructure. The Marriott story doesn’t paint a pretty picture of traditional castle-and-moat security. (“Ignore that extra drawbridge.”)
Instead of piling on further, let’s instead learn from Marriott’s experience. (We in the cybersecurity industry should never let a breach go to waste.) This is a mergers and acquisitions (M&A) object lesson and highlights the crucial role cybersecurity validation and audits must play during the due-diligence phase.
In that spirit, below are 10 cybersecurity red flags for companies assessing acquisition infrastructure. If your target meets any of these criteria, it’s probably a good idea to start digging. It’s fair to assume its network may be vulnerable to attack:
- Missing, Weak, or Poorly Documented Security Practices
Start with adherence to (and procedures based on) the latest NIST Cybersecurity Framework, ISO 27001, and SOC 2, and if you’re publicly traded, Sarbanes-Oxley (SOX). That compliance reporting should include documented, readily-accessible, and easily-understood policies and procedures. No documentation can signal poor information asset protection.
- No Audit History
Can the company claim SOX compliance? When was the last SOX review? Does the company practice cadenced cybersecurity audits? Absent audit trails can suggest an undisciplined approach to information management and could even introduce legal vulnerabilities in the case of a subsequent breach.
- Poor Inventory Tracking
How well does the company track its assets, both tangible and intangible? (One tip: “It’s probably in the data lake” is not a good answer.) It’s difficult to flag theft if you don’t know what’s at risk of being stolen in the first place. Request a hardware asset inventory, application inventory, and data-asset inventory (with classification levels).
- Poor Application Tracking
It’s any-time-of-the-day-o’clock. Do you know where your users are? What apps are they using? Do they bypass firewall proxies to connect directly to them? At a bare minimum, your target’s IT department should have comprehensive visibility into user app access (whether or not it can control that access).
- No Defined Security Boundary
Traditional hub-and-spoke networks are difficult enough to secure in the first place -- even when you have a defined perimeter. It should go without saying that an undefined or uncontrolled network boundary is often as secure as no boundary at all. (And yet we have to keep saying it.) Instead, there should be a readily-accessible, well-articulated network architecture design document that clearly defines identifiable security ingress and egress points with clearly-defined boundaries.
- Reliance on Remote Local Admin
An organization whose users hold local administrative privileges on remote machines isn’t less secure at face value. But couple that with a lack of centralized privileged-account management and you have a recipe for complex resource management and, potentially, exploitation. You’re also vulnerable to the hit-by-a-bus scenario: When privileged users leave the company, you could lose access to remote assets. I recommend looking for a stated policy directive blocking remote-admin accounts from local email and internet browsing, as well as multifactor authentication (MFA) enabled for local admin privileges.
- No Multi-Factor Authentication
In my opinion, there’s little to debate here: MFA is more than a must. It’s a bare minimum for a secure threat posture. Any company without it is less secure than one employing at least a dual-evidence authentication mechanism.
- Underfunded or Undefined Security Budget
It’s hard for some of us in the CISO community to believe, but this question must be asked: What’s your cybersecurity line item? Companies without a defined, detailed cybersecurity budget (or low investment in cybersecurity) may unintentionally obscure more than poor accounting.
- Lack of Architectural Discipline
How well-defined is the company’s security architecture? Can you trust that scanned diagram on the PowerPoint slide? Has the company integrated its own acquisition infrastructure, or is it running duplicate systems? Poor discipline in managing security architecture -- including change-management tracking -- can suggest poor oversight and hint at potential vulnerabilities with legacy systems. Signs of good discipline include having an easily understandable, detailed network architectural design document outlining the company's network infrastructure, security stack, data-system integrations (with classification) and a well-defined technical reference model.
- Poor Integration with Business Processes
How siloed is the company? Is cybersecurity tailored to the way employees actually work? How well do policies address remote, cloud, and mobile access? If end users “go rogue” and bypass corporate security, it may be because network security models don’t support the way those users prefer to work: direct connection via Starbucks Wi-Fi instead of via a slow, VPNed, backhauled journey through a distant corporate firewall gateway.
Should network infrastructure vulnerabilities block a potential corporate acquisition? Sometimes. But the better question to ask: How do you account for infrastructure-vulnerability risk when you're valuing a potential acquisition? As Marriott’s example suggests, identifying red flags is essential to M&A due-diligence success. That is, as long as IT is empowered to wave those red flags along the way.
- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
Stan Lowe is Global CISO at Zscaler