
Buyer Beware:
During a Merger or Acquisition Their Digital Footprint Becomes YOUR Attack Surface

When it comes to mergers and acquisitions, it is time to turn up the heat and scrutinize corporate security practices

I came across an interesting article published by the Wall Street Journal. It discusses how private equity firms have been turning up the heat on cyber security requirements when evaluating mergers and acquisitions (M&A), because security issues at an M&A target or one of their portfolio companies have a domino effect on the security posture of all their corporate assets. This may not feel like breaking news to those of us in the field, but it does bring attention to the due diligence and tougher requirements that private equity firms are setting prior to an acquisition, to ensure that their portfolio companies are effectively monitoring their security posture. Simply put, with any acquisition or merger, their security exposures become the acquiring company’s as well.


“Many private-equity firms are taking a similarly serious approach to cyber,” said Chris Stafford, a partner in the mergers and acquisitions group at advisory firm West Monroe Partners LLC, “in part due to the increased visibility of—and responsibility for—cyber risk management at senior executive levels.”

Source: https://www.wsj.com/articles/private-equity-firms-tighten-focus-on-cyber-defenses-at-portfolio-companies-11673643373?reflink=desktopwebshare_linkedin


Their digital footprint is your attack surface

Today, a company’s digital footprint is universally regarded as a business risk, operationally and financially, by the organization itself and potential investment firms. Not convinced? Look at the evolution of cyber insurance requirements over the past ten years or so. So, where do you start?


You need to see and map your attack surface

The first step in evaluating your security posture is understanding your attack surface and knowing exactly where you are publicly exposed. From there, you must determine the risk of each exposure. What would the cost to the business be if a bad actor were to get in through any of those public-facing vectors?


The Edgescan platform maps and continuously monitors your attack surface

The first step during a merger or acquisition is to inventory all IT assets and get complete visibility over the organization’s attack surface. The external attack surface management (EASM) component of the Edgescan Platform provides the security posture of an organization. The platform continuously scans and intelligently maps a company’s entire attack surface, identifying exposed services, shadow/lost/forgotten deployments, and rogue/unknown APIs, all without requiring any deployment or configuration. Events can be custom configured to alert on deltas found by ASM, and the identified external estate can then be put into a vulnerability scanning cadence.
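As an added illustration of the delta alerting described above (example code, not part of the Edgescan platform or this post), the script below compares a baseline attack-surface inventory against a post-acquisition scan, reports new hosts and newly exposed services, and flags the ones that should never face the internet. The snapshot format, the hostnames and the high-risk service list are constructed assumptions.

```python
"""Added example: detect attack-surface deltas between two inventory snapshots.
Snapshot format, hostnames and the high-risk policy are constructed assumptions."""
from dataclasses import dataclass

# Constructed sample snapshots: host -> set of "port/service" strings.
BASELINE = {
    "www.acquirer.example": {"443/https"},
    "mail.acquirer.example": {"25/smtp", "443/https"},
}
# Post-acquisition scan: the target's estate appears, including a forgotten dev box.
CURRENT = {
    "www.acquirer.example": {"443/https"},
    "mail.acquirer.example": {"25/smtp", "443/https"},
    "shop.target.example": {"443/https", "8080/http"},
    "dev-old.target.example": {"22/ssh", "3306/mysql"},
}

# Services that should not be reachable from the internet (assumed policy).
HIGH_RISK = {"3306/mysql", "22/ssh", "8080/http"}


@dataclass(frozen=True)
class Delta:
    host: str
    service: str
    kind: str        # "new-host", "new-service" or "removed-service"
    high_risk: bool


def diff_surface(baseline, current):
    """Return every change between two snapshots as a list of Delta records."""
    deltas = []
    for host, services in current.items():
        old = baseline.get(host)
        kind = "new-host" if old is None else "new-service"
        for svc in sorted(services - (old or set())):
            deltas.append(Delta(host, svc, kind, svc in HIGH_RISK))
    for host, services in baseline.items():
        for svc in sorted(services - current.get(host, set())):
            deltas.append(Delta(host, svc, "removed-service", False))
    return deltas


def alerts(deltas):
    """Only newly exposed high-risk services warrant an immediate alert."""
    return [d for d in deltas if d.high_risk and d.kind != "removed-service"]


if __name__ == "__main__":
    for d in alerts(diff_surface(BASELINE, CURRENT)):
        print(f"ALERT {d.host} exposes {d.service} ({d.kind})")
```

Non-alerting deltas (new low-risk services, removed services) are still returned by diff_surface so they can be fed into the regular vulnerability scanning cadence.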

“Due diligence processes today are not just focused on whether a company has the right policies or governance in place. They can now include network scanning and penetration testing, where security specialists attempt to break into systems…”

Source: https://www.wsj.com/articles/private-equity-firms-tighten-focus-on-cyber-defenses-at-portfolio-companies-11673643373?reflink=desktopwebshare_linkedin

Pen testing should go beyond an automated scan

The next logical step in an in-depth evaluation of a company’s security posture is pen testing. Most solutions provide automated penetration testing, which is simply a fancy way to say scanning. An effective penetration test should always combine automated scanning with human curiosity to probe the business logic; humans are capable of thinking and executing in ways that cannot yet be completely automated. If you do not have human eyes and intelligence evaluating the output, you are simply getting an automated scan.


The Edgescan platform offers a truly differentiated element to pen testing – human expertise

Edgescan offers Penetration Testing as a Service (PTaaS), a hybrid solution that combines the breadth of automation with the depth of human assessment. Our hybrid model leverages not only the deep security expertise of our technical team, but also the full stack of solutions that make up the Edgescan platform. Our Smart Vulnerability Management Platform offers continuous vulnerability assessment, manual business logic assessment, vulnerability validation, risk rating and prioritization, remediation guidance, unlimited re-testing, and expert support. Where traditional penetration testing engagements only capture a snapshot in time, Edgescan’s PTaaS provides you with a continuous view of your risk, with the ability to demonstrate that you are eliminating that risk.

Work smarter, not harder. We have all heard this saying. With the Edgescan platform, you can know the risk associated with any company asset, at any time.

See how we do it. Sign up for a demo today!