Beyond vulnerability scanning: Enhancing attack surface management for more proactive security

December 26, 2022

Cybersecurity M&A Considerations

By: Randori Blog


Cybersecurity M&A problems can keep security teams up at night. With good reason.

Today, change is the norm, and rapid digital transformation is a common trend for almost every organization. Whether it is migration to the cloud, the support of a remote workforce or the continual pace of M&A activity, change is relentless. The challenge for information security teams is that all of these transformations increase an organization’s digital footprint and assumed risk.  

With mergers and acquisitions, in particular, the seemingly overnight adoption of new infrastructure into the organization’s attack surface immediately increases cyber incident risk.

Adversaries are intelligent and constantly monitor the web for organizations with weak cybersecurity programs and postures. More than 1 in 3 organizations that announce and undergo an acquisition experience a related security breach.

  • A recent Wall Street Journal article highlights how, after a merger event, a mid-market company fell victim to a million-dollar-plus ransom cyberattack. 
  • In November 2021, the FBI issued a report notifying companies that ransomware groups are zeroing in on “significant financial events”, such as a merger or acquisition.

To address cybersecurity M&A challenges, organizations need to understand how their digital footprint changes and take a proactive approach to mitigate new emerging cybersecurity risks. 

What Companies Need to Know About Cybersecurity M&A Challenges

When organizations merge with or acquire new companies, they take on known and unknown security risks that change their security posture.

Three high-priority cybersecurity M&A considerations:

  • Shadow IT assets. Acquiring a company’s IT assets means buying its shadow IT assets too. One in five organizations has experienced a cyber breach due to an unauthorized asset deployed by a present or former employee. 
  • Zombie assets. Improperly deprovisioned assets, accounts, and APIs can open up attack vectors after mergers happen.
  • Different risk thresholds. Risk acceptance varies. An acquired company is likely to have a different tolerance for risk and will patch vulnerabilities and provision assets in a different way.

A comprehensive cybersecurity M&A due diligence process can help with risk assessment and risk management. However, diligence can only go so far. This is because large parts of a subsidiary’s attack surface will be unknown to the security teams responsible for reporting and cataloging them. 

Due diligence also only measures a risk at a particular point in time before an M&A process takes place. 

According to a report from Trend Micro, almost two-thirds (62%) of CISOs admit to blind spots in their attack surfaces. 

Depending on a subsidiary’s size and maturity level, it’s likely to host any number of forgotten internet-facing endpoints and servers. With at least 30% of the average organization’s infrastructure being “legacy,” it’s not uncommon for post-merger IT teams to find 20-year-old UNIX servers which are still connected to the internet.

Combating Merger Risk With ASM

Attack surface management (ASM) helps teams uncover unknown risks and communicate risks in a new way. It is a powerful tool for addressing cybersecurity M&A challenges. 

ASM is an effective method for security operations teams to understand their risk profile before, during, and after a merger or acquisition.

ASM is a continuous process of monitoring potential access points, weak spots, and active attack vectors by combing through the corporation’s entire network. 

A big advantage of ASM for teams responsible for cybersecurity during an M&A event is that it helps find assets and vulnerabilities they didn’t know existed post-acquisition. ASM allows teams to constantly assess the acquiring and target companies’ surface risk—not just before a merger happens.

This is important because many of the assets that come with M&A are outside the scope of what security teams know about during the due diligence process. Around one-third of the assets connected to a corporate network are unknown to the IT teams tasked with securing them. These assets increase the risk of cyber threats for the company that acquires them.

At the same time, M&A strategies can dramatically alter organizations’ operating environments. For example, an organization that uses Linux servers might end up integrating into a Windows-led environment after a merger. It doesn’t help that security staff and leadership typically change, too, depriving security teams of vital network knowledge.

With ASM, defenders can overcome these challenges and build a better picture of what’s on their network after a merger. ASM allows defenders to better understand how their organization’s breach risk has changed and what new pathways for potential attacks have emerged. 

Attacking Risk During M&A

Randori gives organizations a way to gain insight into how they manage cybersecurity M&A challenges.

Although sorting, classifying, and evaluating digital assets with ASM can help security teams see how their attack surfaces evolve during and after a merger event, many teams will still struggle to prioritize their remediation efforts. 

The reality of M&A transactions is that they burden already overstretched teams with more responsibilities, often introducing an overwhelming number of new vulnerabilities. The average organization hosts 31,000 security vulnerabilities.

For every 1,000 assets within an organization’s attack surface, there is often only one that’s fascinating to an attacker. These are not great odds for security teams trying to pin down and fix attack vectors and cybersecurity issues after a major event like an M&A. 

Randori Recon is an ASM tool that helps security teams understand risk and other cybersecurity considerations for mergers and acquisitions by letting them look at their attack surface from a threat actor’s perspective.

Reducing Cybersecurity M&A Risk With Randori

For example, to help teams reduce cybersecurity M&A risks, Randori’s Saved View capability allows security teams to see legacy infrastructure that might be forgotten during a merger event. With Randori, organizations can monitor for networks and domains that, although supposed to be decommissioned, are still active. 

This allows security teams to find the unknown, abandoned, and already compromised assets that often come with acquisition events.

Then, once Randori finds vulnerable assets, Randori’s patented Target Temptation tool gives security teams the ability to know which assets require mitigation first. Our platform looks at assets in terms of how severe their vulnerabilities are and how likely hackers are to attack them. 

Going through M&A? Get a better picture of the assumed risks your organization faces with Randori.
