M&As a hotbed for hackers and cybercriminals

With breaches of cybersecurity now one of the most looming threats for the sustainability of most Australian businesses, many are wondering how best to protect their operations.

Simple things like regularly changing passwords and ensuring absolutely everybody changes them can go a mile towards strong cybersecurity Just see the case of Port Phillip Publishing for a riveting tale of how hackers can hop into your system without even being inside your building .

But there are certain periods where your business is especially vulnerable.

According to the Australian Cyber Security Centre (ACSC), mergers and acquisitions periods are form hotbeds for cyber-criminal activity.

"In short periods of time new relationships need to be established, new business processes need to be integrated and systems need to be stood up, merged, relocated and decommissioned as capabilities are moved and consolidated," says ACSC in its Mergers, Acquisitions and Machinery of Government Changes research paper published in July 2019.

One of the major cyber security threats during M&A periods aren't the systems themselves, but the people operating them.

"During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they don't know, and cannot easily verify the identity and authority of. Adversaries use this pressure to increase the likelihood of successfully using techniques such as business email compromise and CXO impersonation," says ACSC.

"The problem is further exacerbated if the organisations participating in major organisational change are geographically separated even more so if the separation crosses national borders or cultural boundaries."

Another hurdle for businesses undertaking a major merger or acquisition is the modern problem of data.

Businesses are now built on data, numbers, files and facts, and these sensitive, company owned data files are integral to the success of companies as a whole.

ACSC's advice for data migration during M&A is to ensure that the new location for the migrated data is secure, that trusted staff are used to oversee the transfer, and to use approved checks and balances to ensure that data has not been compromised or corrupted during the transfer process.

Once transferred, ACSC says that organisations will then need to consider who will become the new system owner of the migrated systems.

"They will also need to consider who will accept the security risks before authorising the operation of the system in accordance with the organisation's cyber security framework, including any additional security risks and technical debt resulting from the migration," says ACSC.

ACSC's position on M&A and the risks entailed is reflected by Forescout's global M&A cybersecurity risk survey.

According to the survey, 53 per cent report their organisation has encountered a critical cybersecurity issue or incident during an M&A deal that put the deal into jeopardy.

After closing the acquisition, 65 per cent experienced buyers' remorse, regretting the deal due to cybersecurity concerns.

Forescout's chief technology officer Julie Cullivan says M&A can be a potential 'trojan horse'.

"Cybersecurity assessments need to play a greater role in M&A due diligence to avoid 'buying a breach.' It's nearly impossible to assess every asset before signing a deal, but it's important to perform cyber due diligence prior to the acquisition and continually throughout the integration process," says Cullivan.

The survey also found that only 37 per cent of IT decision makers at companies strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition. Due to lack of resources, organisations must allocate outside resources to their cybersecurity assessments and/or may not be able to complete a robust assessment.

LandMark White is one company that has recently been through the wringer, and on Friday came out the other end posting a $15 million loss on the back of two periods of suspension from its major clients following two widely publicised data breaches.

As part of LandMark White's commitment to upholding stringent cybersecurity measures following these two breaches, the group has turned to ACSC's 'The Essential Eight'; eight baseline strategies that makes it harder for adversaries to compromise systems.

The Essential Eight are summarised below:

Application whitelisting of approved and trusted programs to prevent the execution of unapproved/malicious programs including .exe, DLL, scripts and installers. Why? All non-approved applications, including malicious code, are prevented from launching on your computer systems.
Patch applications like web browsers, Microsoft Office, and PDF viewers within 48 hours. Why? Security vulnerabilities in software like this can be used to executive malicious code on systems.
Configure Microsoft Office macro settings to block macros from the Internet, and only allow vetted macros either in 'trusted locations' with limited write access or digitally signed with a trusted certificate. Why? Microsoft Office macros can be used to deliver and execute malicious code on systems.
User application hardening: configure web browsers to block Flash (ACSC recommends uninstalling it completely), ads, and Java on the internet. Disable unneeded features in Microsoft Office, web browsers and PDF viewers. Why? Flash, ads and Java are popular ways to deliver and execute malicious code on systems.
Restrict administrative privileges to operating systems and applications based on user duties. Regularly revalidate the need for privileges. Don't use privileged accounts for reading email and web browsing. Why? Admin accounts are the 'keys to the kingdom'. Adversaries use these accounts to gain full access to information and systems.
Patch operating systems: patch/mitigate computers (including network devices) with 'extreme risk' vulnerabilities within 48 hours. Use the latest operating system version. Don't use unsupported versions. Why? Security vulnerabilities in operating systems can be used to further the compromise of systems.
Multi-factor authentication including for VPNs, RDP, SSH and other remote access, and for all users when they perform a privileged action or access an important (sensitive/high-availability) data repository. Why? Stronger user authentication makes it harder for adversaries to access sensitive information and systems.
Complete daily backups of important new/changed data, software and configuration settings, stored disconnected, retained for at least three months. Test restoration initially, annually and when IT infrastructure changes. Why? To ensure information can be accessed again following a cyber security incident (e.g. a ransomware incident).