Throughout the last decade, there has been an increase in cyberattacks targeting small- and medium-size enterprises with a myriad of techniques and payloads, and more than 80% of enterprise owners know they are at risk.1 Something not often discussed is what happens from a risk perspective when a smaller organization is acquired by a larger organization or agrees to represent its brand. The answer is that the attack surface changes, risk is added and acceptability becomes a matter of walking a metaphorical tightrope across the risk registry.
There are several questions to consider when deciding what risk decisions to make during an acquisition, some of which depend on the business agreement established between the 2 entities:
- What type of cyberrelationship exists between them (i.e., who is responsible for information security support, incident response, tiered support, liability)?
- Who is responsible for audit and oversight findings?
- What would the impact of a breach at the smaller entity be to the larger entity, and vice versa?
Answering these questions helps organizations determine what security programs and resources they already have at their disposal and what are their information risk factors. As a result of this expanded understanding, possible mitigation strategies become clearer.
During the risk assessment process, one may run into several risk factors that are not acceptable or find that the controls do not reduce the risk within the threshold of acceptance, in which case one must utilize a creative approach. In some cases, the IT landscape is so far out of scope that it is easier to migrate important files and wipe everything else before replacing the IT system of the smaller entity. Others choose to transfer the risk through insurance, or the risk department can choose to navigate the complexities of the situation by identifying what policies apply, what standards are used, and how incidents and risk are addressed within each business relationship. The best route for an organization to take may vary and depends on the assessment findings and organizational risk appetite.
Another option to address the changes in attack surface expansion and added risk with small- and medium-size enterprises is to enable an IT environment built with security design and architectural flexibility. Instead of favoring the longstanding confidentiality, integrity and availability (CIA) triad, one should consider reducing the attack surface by targeting specific threats using the distributed, immutable and ephemeral (DIE) model2 instead. The DIE model is a security design concept that is intent on reducing risk to the CIA of an enterprise’s networks by securing them using traditional design characteristics. For example, distributed networks are less susceptible to a denial-of-service attack, making the attack vector less of a concern. CIA remains the goal, but it is a result of secure design concepts and enhanced technological capability. When was the last time there was a serious availability issue outside of poor distributed denial-of-service (DDoS) mitigation or a faulty change to the production environment?
Securing through design is much more efficient than securing through added applications and security tools, reducing an organization’s overhead and increasing its return on investment. When it comes to business relationships in the context of acquiring additional enterprises, it is important to reduce the attack surface, risk and financial burden in the process. Mergers and acquisitions have been an emerging target of malicious cyberactors in recent years and they are always high-risk business activities.3 Shifting an enterprise’s security strategy takes time, but moving to secure design methods and incorporating best practices for identity management, cloud security and multidevice users is a must in the world in which we live today.
Securing through design is much more efficient than securing through added applications and security tools, reducing an organization’s overhead and increasing its return on investment.
If one is in the business of acquiring enterprises, creating a risk management strategy focused on both operational and informational risk that works across the risk spectrum is paramount to a successful acquisition. The ability to focus on efficiencies throughout the process and identify ways to provide the same security posture regardless of the business model or agreement chosen for the affiliate organization provides the best outcome for all parties.
Endnotes
1 US Small Business Administration, “Stay Safe From Cybersecurity Threats,” USA
2 Heller, M.; “Experts Say CIA Security Triad Needs a DIE Model Upgrade,” SearchSecurity, March 2020
3 Deloitte, Role of Cybersecurity in M&A, USA, 2021
Donnie Carpenter
Is an information security leader with more than a decade of experience across multiple security disciplines spanning security operations, threat intelligence, and risk management in both government and the private sector. He has led information security teams in operations, network defense, and risk assessment and has a passion for talent development. In his personal time, he enjoys the outdoors and spending time with his family.