Why security needs to be involved early during mergers and acquisitions

M&A security can often be overlooked during deal making, leading to potential incidents down the line. Here's how UK newspaper Racing Post dealt with three acquisitions in three years, each with its own security requirements.

CSO  >  secure mergers + acquisitions / handshake offer / extended hand / security shield / circuits
pixtum / Getty Images

As an industry that is now largely dependent on online services to survive, security should be a key part of every media outlet’s business strategy. A disruption to service or a compromise of customers’ information could be catastrophic in a highly competitive and oversaturated industry where reader loyalty is often low.  Yet according to Akamai’s state of media security report, only 1% of survey respondents indicated they are “very confident” in their current security measures.

As a company that suffered a data beach, UK newspaper Racing Post underwent its own rethink around security strategy, while also navigating three acquisitions that could potentially have been problematic if approached in the wrong way.

How a data breach made Racing Post reevaluate its security 

Launched in 1986 by UAE Prime Minister and Emir of Dubai Sheikh Mohammed bin Rashid Al Maktoum, Racing Post is a publisher dedicated to the horse and greyhound racing industries as well as sports betting. In addition to a daily print newspaper, the Post runs websites and apps dedicated to delivering content to racing enthusiasts, bettors and bookmakers, and racing and bloodstock professionals.

While the Post is best known for its newspaper, the company’s CSO, Johan Pieterse, explains that is only about 10% of what the business does. He describes the post as a content provider serving up content on 30 years’ worth of horse-racing data along with a growing amount of greyhound racing information via print, web, and other digital formats via APIs and B2B content globally.

“We consume data and we then manipulate that data. We add our flavor to it to give more value to customers we provide that content to,” says Pieterse.

Pieterse was appointed CSO in February 2019 and is responsible for physical security as well as information security and compliance. Prior to joining Racing Post in 2013, he held various IT roles in South Africa at TopLink Technologies, RealConnect and Samsung, before coming to the UK and joining Siemens.

Pieterse joined the Post as head of operations and was made head of security the same year after a security incident lead the company to reassess how it approached security. “On day one [at the Post] I went to the IT director and asked when the last time we had a pentest, and he told me 2007. He said don't worry, it’s all fine, no one is ever going to hack the Racing Post, there's other more important things to worry about. Ten months later we started our afternoon discussing how we can resolve the breach we had of our database of people.”

The attack started with an attempt to brute-force passwords on one of the company’s servers. Despite attempts to remedy the issue, the attacker managed to extract the names, addresses, passwords and telephone numbers of over 650,000 customers. Although the company avoided a fine from the ICO, it did highlight the need for a new approach to security.

After being made head of security and assessing the Post’s security posture, Pieterse settled on implementing ISO 27001 as framework for how it approached security. “It was quite an interesting and challenging time taking the business through that,” he says. “We have the NUJ [National Union of Journalists] in our business, and we had to go through that process get them to buy-in around doing all different security policies and what we were going to do and what we were going to monitor.”

Today the Post’s security team is “lean and mean,” according to Pieterse, and dedicated to defending the crown jewels of customer data along with the content it delivers.

Buy-in from the top

Getting buy-in from the top has been important to help the company become more security-minded and follow the processes Pieterse has put in place — despite pushback from some staff. “One of the biggest sticking points was ID badges. We're in an open-plan office and we were sharing offices with another company, and we wanted to know who was on the floor. People didn't want to wear their ID badges because for the last 15 years they never had to and now suddenly here's Johan saying you have to wear one. 

To counter that reluctance, he went to the CEO asking for more public backing. As well as leading by example by wearing his own ID badge, the CEO explained that if bookmakers – a key set of partners for the post – all wear ID badges, why shouldn’t they?

The company’s developers also had to go through a change as the company moves to designing with security in mind. The company has integrated GitHub scanning into its processes, and so every time the Post’s developers commit to branches, the code is scanned to highlight any issues. Code scanning is also performed in pre-production, and once a year the company brings in external pen testers for all of its products.

“It was a change of mindset they had to get. We have taken them through awareness courses of what is the right thing to do, how to develop securely,” says Pieterse. “They know if they don't code and do security by design, it's going to get picked up by the scanner and then they're going to have to do the work over again,”.

“When we started off, there was a lot of pushback and [us] saying 'no sorry that code's not good enough.' Slowly they started getting better and better and better, and now we very rarely get anything being pushed.”

This security-up-front mindset has also been applied to the company’s architects, and this has led to faster development. Projects don’t have to be halted to have security bolted on after the fact. “Now they think it as part of the whole design process. it's not an add-on anymore. Where in the past -- talking about now five years ago -- pretty much everything got stopped, had to go back and get redone again.”

Merger-and-acquisition security can be complex

Merger-and-acquisition (M&A) security can often be a challenge and not considered until the last minute. However, as demonstrated by the Marriott data breach last year, failure to perform cyber due diligence can be costly.

Racing Post has made three acquisitions in the last three years – UK marketing agency ICS Media, Australian racehorse breeding and training publication ANZ Bloodstock News, and a majority stake in Apsley Group, which provides betting apps and sites. Each acquisition came with its own level of complexity, and each time security became involved in the process earlier.

“The first acquisition was probably the most interesting one because we were told last about it. ‘Oh, by the way, we bought a company yesterday.’ There was no involvement from the security side of it,” says Pieterse.

Luckily for Pieterse and the Post, it was a small company with less than a dozen employees, so the work to assess the company’s security posture, make changes where necessary and then integrate wasn’t as difficult as it might have been.

“The next company came along and because of the experience [of last time] we said we need to be involved much earlier in this process. The next company was about 25 employees, so slightly bigger, and they had some established systems. We started off by understanding what they had, documented everything, did the gap analysis, and looked at where we could start merging systems and where we needed to bring it up to spec and then bring it across to our environment. That took about a year to get all right, to get everything in place and make sure we are GDPR compliant and then start bringing them across.”

The third acquisition was probably the most complicated and in need of most work, but luckily security was brought in even earlier in the pre-sales and due-diligence stage to understand how the company approached data and security. “The last one we did, you’re over 100 employees, two separate legal entities having four different email systems. It was very clear from the beginning it was going to be a challenge.”

As well as working to consolidate the four email systems into one, a lack of enforced password policies, data being stored as publicly available Google Docs, the company being bought had been buying refurbished laptops without giving thought to software licensing or whether the hardware had been properly wiped and secured.

The Post is currently six months into what it predicts will be a two-year effort to bring the new company’s data and security posture up an acceptable level before it can be fully integrated. “A lot of people think you buy another company, you just add them on and that's it,” says Pieterse. “It's not that simple, they don't realize the amount of work that is involved.”

“You have to go have a look and see what exactly they have and what are you going to do to get to a comfortable place, and then start bringing them into the group. When the merger is actually happening, what is actually involved, how do you merge the data, etc.?”

CSOs should advise the business on risk, not bear the burden

The average tenure of a CSO is incredibly short. A report from analyst firm Enterprise Strategy Group (ESG) and Information Systems Security Association (ISSA) estimated the average CISO stays in a role for between 24 and 48 months, with breach or security incident often hastening a departure. However, in Pieterse’s view, the burden of responsibility shouldn’t only fall on the CSO.

“When the breach happened six years ago, everybody was pointing fingers at IT saying you didn't do your job. I wanted to get away from that situation,” says Pieterse. “The way I see it, I'm a consultant to business. I consult and advise the board. The business makes the decision on what they want to do. If you want to make a decision I think is not right, you’re telling me you are accepting these risks and you have the appetite to take this risk as a consequence. There's no point in me taking everything on my shoulders.”

Pieterse says he has the full backing of the board and the CEO, but when it comes to communication, he keeps it as simple and jargon free as possible. “I don't talk about the actual technicalities of the risk. I present how it's going to impact the business from a reputational and bottom-line point of view,” he says. “I explain what the risk is about, this is the impact it's going to have on our reputation and on the bottom line if it happens, these are the options to mitigate this risk, and this is the impact that will have on the bottom line to mitigate this. Bring it back to business logic, because that's what they talk and that's what they understand.”

Related:
Get the best of CSO ... delivered. Sign up for our FREE email newsletters!