When companies merge or are acquired, the buyer assumes tremendous liability, because a data breach can cost many millions of dollars. Cybersecurity may be the ultimate landmine in the acquisition process: it can stay hidden and then cause a massive explosion, and, like a landmine, the resulting injury can be severe or fatal.
Loss of customer faith, loss of revenue, and loss of data and trade secrets are just some of the potential issues to worry about.
To help you protect your organization from such challenges, we spoke with Chris Hickman, chief security officer at digital identity security vendor Keyfactor. Here is our exclusive interview:
What are the security challenges and opportunities during an M&A?
An M&A of a business unit rather than an entire business entity introduces an additional level of complexity. When buying only part of a business, you have to have a clear path to cut over security context, as no co-existence is usually possible.
It’s common that merging organizations have different approaches to digital identity management and differing opinions on how to secure them. This is more common when both parties already have their own public key infrastructure (PKI) environment and processes that need to be integrated. Each organization will have its own set of identities and templates that have already been deployed and their own way of managing applications.
What many organizations fail to realize is that an M&A provides the perfect opportunity to incorporate an enhanced digital identity management platform to both elevate overall security capabilities and optimize the IT project work associated with the M&A.
From a security perspective, the organizations on either side may generally lack security visibility of integrated servers and applications. Having a tool in place to detect and report on these issues can ensure that the new security team is able to quickly assess weaknesses and respond to them quickly, instead of being caught off guard by future audit findings.
When the merging organizations have multiple PKI environments, the issuing Certificate Authorities (CAs) from both environments need to be distributed to all endpoints across the combined organizations. This ensures that all certificates can be trusted. If teams miss this step, application whitelisting can fail on security devices and SSL connections to enterprise applications could fail or perform inconsistently, overwhelming the help desk. SSL interception technologies such as WAN accelerators, SSL Inspection devices and proxy servers could also cause traffic blocks if their issued certificates are not trusted by all entities.
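The trust-distribution failure described above, as an added example that is not part of the original interview: a POSIX shell script that creates two constructed private root CAs (Org A and Org B), issues one server certificate from each, and shows that an endpoint holding only Org A's root rejects Org B's certificate until both issuing CAs are in its trust bundle. It assumes the openssl command-line tool is installed; all organization names, hostnames and file names are constructed placeholders.

```shell
#!/bin/sh
# Added example (not from the interview): why both organizations' issuing CAs
# must reach every endpoint after a merger. Runs in a scratch directory that
# is deliberately left in place so the generated files can be inspected.
set -eu
WORK=$(mktemp -d)
cd "$WORK"

# make_root NAME SUBJECT: self-signed private root CA (constructed placeholder)
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -keyout "$1.key" -out "$1.pem" -subj "/CN=$2" 2>/dev/null
}

# issue_leaf ROOT NAME CN: server certificate issued by ROOT
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -keyout "$2.key" -out "$2.csr" \
        -subj "/CN=$3" 2>/dev/null
    openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" \
        -CAcreateserial -days 1 -out "$2.pem" 2>/dev/null
}

# verify_against BUNDLE CERT: what an endpoint holding BUNDLE as its trust
# store would decide for CERT; prints "trusted" or "untrusted"
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_root orga-root "Org A Private Root CA"
make_root orgb-root "Org B Private Root CA"
issue_leaf orga-root app-a "app.orga.example"
issue_leaf orgb-root app-b "app.orgb.example"

# Pre-merger trust store on an Org A endpoint: only Org A's root is present
cp orga-root.pem orga-endpoint-trust.pem
# Post-merger trust store: both issuing CAs distributed to the endpoint
cat orga-root.pem orgb-root.pem > combined-trust.pem

echo "Org A endpoint, Org A app:  $(verify_against orga-endpoint-trust.pem app-a.pem)"
echo "Org A endpoint, Org B app:  $(verify_against orga-endpoint-trust.pem app-b.pem)"
echo "Combined bundle, Org B app: $(verify_against combined-trust.pem app-b.pem)"
```

The second line of output is the failure the interview warns about; the third shows it clearing once the merged bundle is in place.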
Do these challenges extend to liability related to an unknown breach at the acquired company like Verizon/Yahoo?
Potentially. In the case of the Marriott/Starwood breach, Marriott accepted and assumed responsibility for the breach even though it happened prior to the merger. In the case of Yahoo and Verizon, past breaches at Yahoo forced a reduction in the acquisition offer price, leading to a lower valuation of Yahoo and shared liability for any litigation arising from the breaches.
What are the key areas to look at when considering IT spend for an M&A?
Having the right identity management tools in place at the beginning of the engagement can make a difference in the success of the project, especially since an M&A can open up new IT budget opportunities. Corporations realize that they will need to invest in new tools and services to complete the M&A activity. Organizations often create special integration budgets to absorb activity costs and write them off as spending related to the M&A.
When it comes to digital identities, there are three key IT spend areas specific to the M&A process:
- Tools – Having the right tools in place can help minimize labor costs associated with the M&A, as well as long-term IT management costs. The right platform should make all digital identity management tasks more efficient and data more accurate.
- People – Ensure that you have enough people to do the job right. Digital identities are a key piece of your overall security strategy. An M&A isn’t the time to cut corners. Ensure that you are adequately staffed to address the issues that come up and correct them. This may include bringing in consultants or additional staff during the M&A.
- Security – Redesign and rebuild during an M&A provides the opportunity to make improvements. Your environment should always be more secure after an M&A than it was before. Digital identity is a key attack vector for security incidents and must be continually improved. If you are migrating your CAs during an M&A, take the opportunity to put additional safeguards in place. Here are a few examples of improvement opportunities that may present themselves:
- Outsourcing your infrastructure to PKI management experts.
- Implement new tools for auditing and reporting of certificate use. Improved visibility of your environment for how certificates are being issued and deployed will greatly increase your ability to detect and respond to incidents quickly.
- Implement HSM technology to secure critical identities. At a minimum, this should include the storage of your issuing CAs, as well as high-value certificates such as code signing certificates or certificates used for external-facing critical systems.
- Implement a secure code signing solution. Signing your internally developed code and scripts can greatly increase your security posture. It can enable technologies such as application whitelisting and secure software deployment tools. Since code signing certificates are critical assets in your company, make sure you have a solid plan of how to manage these certificates prior to deployment.
- Improve physical security. If the M&A project requires you to move equipment, make sure that the new data center has security controls in place for best practice deployment. Secure your assets with secured cabinets or video surveillance systems.
- Implement new automation technologies to allow automated certificate management and deployment. This can be done in conjunction with DevOps projects that may kick off as a part of the integration.
Why is an M&A a perfect time to implement the proper enterprise tools for digital identity management?
Many applications will need to be moved or re-platformed as a result of the merger. Having a tool in place to quickly issue certificates and deploy them to the appropriate locations is vital and helpful in reducing or eliminating manual processes that can slow down integration tasks and cause human errors.
What are the common questions about digital identity that should be addressed during early integration phases during an M&A?
The first step is always to assess what you really need to merge. This is true for all IT infrastructure. The digital identity function is commonly overlooked by organizations as unessential and many organizations often begin addressing it far too late in the process.
Here are some common questions about digital identity that must be answered early in the process:
- What certificate authorities are in use? (public and private)
- How are certificates issued and what is the approval process?
- What certificates already exist in the environment and where are they installed?
- How are code signing keys issued and secured and who has access to them?
- Who has the ability and access to perform certificate management tasks?
- Are any applications or infrastructure components reliant on these issuance processes for automation?
- How can we establish enterprise-wide trust for identities from both organizations?
- How many certificates do we have in use before and after this migration? (Note: If you are currently relying on a digital identity management product that relies on per-certificate fees, this could have a significant impact on the project budget.)