M&A activity can create cybersecurity holes, ACSC warns

Business mergers and government restructuring foster organisational upheaval that can create “significant and unique challenges to cyber security”, new guidance from the Australian Cyber Security Centre (ACSC) has warned.

In a newly-published best-practice guide, Mergers, Acquisitions and Machinery of Government Changes, the ACSC flagged the unintentional effects of business reorganisation – creating, for example, new opportunities for social engineering “and other low sophistication methods” as staff learn their way through new relationships and business processes.

Differences in the two organisations’ security postures may be glossed over in the enthusiasm for the merger, with functional and procedural differences creating gaps through which cybersecurity adversaries can creep.

Systems can be misconfigured; data “disclosed to people without a need to know, stored in places without adequate protection or used in ways which expose it to new, and previously unconsidered, security risks”; and prior compromises of one organisation can provide a vector into the second organisation when systems are interconnected.

Those and other risks reflect a very real consequence in the wake of merger and acquisition (MA) that, a recent Deloitte analysis noted, “continues to surpass expectations” after four consecutive years crossing the $US3 trillion ($A4.3t) mark.

A third of respondents said speed and certainty around closure are key factors when choosing a buyer, while 69 percent of companies said they were considering MA activity to acquire ‘disruptive’ innovation-led companies in areas like fintech, AI, robotics, and cybersecurity.

Such firms are seen as valuable not only for avoiding being disrupted by rivals, but to address market disruption, change business models, enter new markets on the back of innovative technology and processes, and create completely new markets enabled by innovative technology and processes.

Yet, despite the optimism of MA participants, Deloitte noted that “the difficulty level of achieving successful divestments is increasing”.

Mergers of disparate organisations introduce a whole host of complexities, exacerbating challenges that technology leaders have already been reporting as increasing business control over infrastructure and application decisions prises control away from the IT organisation.

Business-led software procurement is causing integration headaches, the recent IBRS-TechnologyOne 2019 Enterprise Software Report found, as organisations rush to consolidate or replace systems and data-protection considerations get lost in the crush.

Within the context of an increasingly stringent data governance, risk and compliance (GRC) climate, even the most time-sensitive companies must address those complexities to ensure a smooth merger.

To manage security risks during a data migration, the ACSC guide recommends that organisations ensure that both source and destination environments are adequately secured for the type and classification of data being used.

Organisations should use two trusted staff to oversee data transfers and ensure the data is sent where it’s supposed to go; use algorithmic checksums to ensure data is transferred correctly; and ensure data is appropriately stored at the destination.

Cloud storage can provide an intermediate step as long as appropriate data-security protections and controls are maintained, while physical data transfers should be managed by “trusted staff” and storage media “sanitised” once the transfer is complete.

The guide also outlines clear technical controls to observe during data migrations, ranging from management of file-system permissions and review of business rules to protection against errant Microsoft Office macros and decommissioning old data holdings.

Copyright © 2019 IDG Communications, Inc.

7 hot cybersecurity trends (and 2 going cold)