Your organization’s leadership is 12 times more likely to be the target of a security incident and nine times more likely to be the target of a data breach than they were last year. Find out how they can be protected.
Read the Datasheet
Gift Cardsharks: The Massive Threat Campaigns Circling Beneath the Surface
Learn about the attack group primarily targeting gift card retailers and the monetization techniques they use.
Get the Report
Threat Hunting Workshop Series
Join one of our security threat hunting workshops to get hands-on experience investigating and remediating threats.
Attend an Upcoming Workshop
Inside Magecart: New RiskIQ & Flashpoint Research Report
Learn about the groups and criminal underworld behind the front-page breaches.
Threat Hunting Guide: 3 Must-Haves for the Effective Modern Threat Hunter
The threat hunting landscape is constantly evolving. Learn the techniques, tactics, and tools needed to become a highly-effective threat hunter.
When it comes to cybersecurity, mergers and acquisitions (M&As) are like a marriage. When two companies walk down the aisle together, one’s cybersecurity problems become the other’s baggage—whether they disclose it or not.
The first half of 2018 saw $2.5 trillion in mergers in the US. Companies are grappling to understand what this boom means for their online presence.
Today’s brands are no longer responsible for just their network. They’re also responsible for what falls outside their firewall, as well as the firewall of any companies they acquire. All of the company assets that extend from within the corporate perimeter all the way out to the entire internet are known as a digital attack surface. They are a collection of far-flung client-facing assets that hackers can discover in research for their threat campaigns.
Many of these assets are valuable to hackers purely because they’re valuable to customers. Digital channels are the predominant method of customer engagement for many organizations, bringing an explosion of publicly facing web sites, mobile apps, third-party code, servers, and social media accounts. Consumers spent $517 billion online with U.S. merchants in 2018, up 15 percent from $449 billion spent the year prior, according to Internet Retailer’s analysis of the U.S. Commerce Department’s total retail sales figures.
Meanwhile, cyber gangs like Magecart pummeled global e-commerce retailers like British Airways and Ticketmaster, as well as smaller brands, breaching over 319,000 online stores last year.
But there are many reasons why organizations don’t get the full picture of their cyber vulnerabilities in the pre-acquisition (due diligence) process. The first is the sheer scale of a company’s digital presence. It is not uncommon for a large organization to have thousands (or tens of thousands) of active websites and other public-facing assets. While IT and security teams in a to-be-acquired company will have an asset register of web sites, we have found that it is almost always a partial view of what actually exists. The more decentralized an organization’s IT activities are, the more significant a delta we see here.
A recent report by West Monroe Partners found that businesses lack qualified cybersecurity talent during an M&A: “80 percent of companies said cybersecurity issues have become highly important in the M&A due diligence process. But 40 percent of acquiring businesses said they discovered a cybersecurity problem at an acquisition after a deal went through, indicating that standards for due diligence remain low.”
One of the highest-profile examples of the lack of visibility in the due diligence phase was Verizon’s discovery of Yahoo!’s riddled past. Yahoo had two data breaches, one in mid-2013 where hackers stole data on three billion users and one in 2014 that saw 500 million accounts breached. Verizon only discovered this after executing an acquisition agreement to acquire Yahoo!. Verizon dropped its offer price by some $350 million after they understood the scope of the breach.
When evaluating a target company from an M&A standpoint, failing to understand the cybersecurity risks inherent in their digital channels can be risky for the acquiring company. It could lead to:
Such cybersecurity risk assessments all too often get overlooked or marginalized in the pre- and post-acquisition process. What security teams need to know when merging with or acquiring their next company:
The first step is to understand that you are responsible for every digital asset a company owns when you acquire it, whether they disclose it or not. This includes rogue social media pages from ten years ago. It includes the WordPress site that got ditched before the company formally launched. It even includes the old landing page for a product launch from five years ago.
When acquiring only part of an organization, like a line of business, it is essential to identify and document the transferred assets. This would also include digital properties like brand assets, domains, and social accounts. Without a thorough understanding of what currently exists, companies can miss critical digital assets that later result in ownership and security issues.
It is imperative to understand where these rogue assets are so you can fix them! The cyber risks associated with the target company’s digital footprint represent a potential threat to a company’s operations and brand reputation alike.
A merger and acquisition process usually involves a due diligence exercise focused on all aspects of a companies business, including IT. IT due diligence engagements in the past were focused on identifying assets and security issues material to the valuation process, like business processing and reporting systems and the hardware and networks that supported them.
As businesses and consumers have both moved outside the perimeter and onto the open internet, it’s now vital that assets outside the firewall are reviewed and accounted for to get a full understanding of the company’s digital attack surface.
Here’s what your digital attack surface includes:
We’ve found that cybersecurity teams often struggle to cut through the noise and figure out what’s most important to look for when entering an M&A. Here’s a simplified checklist:
Answers to these questions can help direct resources to the areas needing immediate attention. They also help security teams quantify the scope of work required to bring acquired digital assets under management from a security perspective.
No longer do we need to accept the unannounced baggage under the umbrella of network vulnerabilities. We have tools and technologies that can scan the internet to manage your vast digital attack surface, help you make more informed decisions promptly, and understand what true digital attack surface management looks like.
It's near impossible to hide online. Even ‘stealth’ executives are at risk for serious security breaches https://t.co/MRKhZbAW7i
Nick Gicinto,Vice President, Executive Guardian @RiskIQ on stage #SINETCanada #cybersecurity @FSToronto, @SINETConnection
Automation: the key to fighting cybercriminals https://t.co/dkx9Y3NApF
Coming to CyberHub Summit? Find out how RiskIQ's internet-wide visibility and unmatched data are helping the c-suite cope with a rapidly changing cybersecurity landscape https://t.co/IMaU5tLJfc
Today! Visit us at booth #1486 at #GSX2019 to find out how RiskIQ #ExecutiveGuardian is giving today's top executives a continuous 360-degree view of their attack surface.