Some good practices for cybersecurity due diligence

Due diligence is part of any acquisition. It is the process in which earnings, pending litigation, intellectual property protections and other factors are analyzed to verify that the company being acquired is stable and will meet the financial projections that justify the deal. However, there is still resistance to applying due diligence to cybersecurity, largely because of the remediation work it is likely to uncover.

Cybersecurity is often overlooked in due diligence, but doing so carries a commercial risk that can affect the financial performance of the business, because there is a high chance that the acquirer will inherit the target's security problems. One example is how the data room is managed: vendors, the investment bank, the accounting firm and the insurance company may all be working in a single online data room where sensitive information is exchanged. Most data rooms do not restrict access to areas or documents on a need-to-know basis, yet the bank, for example, does not need access to IT information, just as IT personnel do not need access to financial statements and profit analyses.

When everyone has access to all of the information, the risk of disclosure rises sharply: anyone with access can sell the information to a competitor or use it in an attack. The same applies to password reuse across multiple systems, where a single compromised credential lets an attacker into every system that shares it. Take the need to protect these documents seriously: manage user access deliberately and restrict access to areas and documents according to what each party actually needs.
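The need-to-know rule above can be checked mechanically against a data room's exported access list. The following is an added example written for this page, not code from the article or from TATICCA; the party roles, folder names and grants are constructed, and the need-to-know matrix is an assumption that each deal team would define for itself.

```python
# Added example (not from the original article): audit a data-room access list
# against a need-to-know matrix and rewrite it to least privilege.
# All party names, folder names and grants below are constructed for illustration.
from typing import Dict, List, Set, Tuple

# Folders that exist in the (assumed) data room layout.
FOLDERS: Set[str] = {"financials", "legal", "it_infrastructure", "hr", "insurance"}

# Need-to-know matrix (assumed): the folders each kind of party legitimately requires.
NEED_TO_KNOW: Dict[str, Set[str]] = {
    "investment_bank": {"financials", "legal"},
    "accounting_firm": {"financials"},
    "insurance_company": {"insurance", "legal"},
    "it_assessor": {"it_infrastructure"},
    "buyer_counsel": {"legal", "hr"},
}

# Current grants as exported from the data room: (user, role) -> folders allowed.
# Two of these are over-privileged on purpose.
SAMPLE_GRANTS: Dict[Tuple[str, str], Set[str]] = {
    ("bank_analyst", "investment_bank"): {"financials", "legal", "it_infrastructure"},
    ("cpa_lead", "accounting_firm"): {"financials"},
    ("it_reviewer", "it_assessor"): {"it_infrastructure", "financials"},
    ("broker", "insurance_company"): {"insurance", "legal"},
}


def audit_grants(grants: Dict[Tuple[str, str], Set[str]]) -> List[str]:
    """Return one finding per grant that exceeds need-to-know or names an
    unknown role or folder. An empty list means the ACL is least-privilege."""
    findings: List[str] = []
    for (user, role), allowed in sorted(grants.items()):
        required = NEED_TO_KNOW.get(role)
        if required is None:
            findings.append(f"{user}: role '{role}' has no need-to-know entry, review manually")
            continue
        unknown = allowed - FOLDERS
        if unknown:
            findings.append(f"{user} ({role}): grant names unknown folders {sorted(unknown)}")
        excess = (allowed & FOLDERS) - required
        if excess:
            findings.append(f"{user} ({role}): excess access to {sorted(excess)}")
    return findings


def least_privilege(grants: Dict[Tuple[str, str], Set[str]]) -> Dict[Tuple[str, str], Set[str]]:
    """Rewrite each grant to exactly the folders its role requires. Grants for
    roles without a need-to-know entry are dropped so that a human decides."""
    return {
        (user, role): set(NEED_TO_KNOW[role])
        for (user, role) in grants
        if role in NEED_TO_KNOW
    }


if __name__ == "__main__":
    for finding in audit_grants(SAMPLE_GRANTS):
        print("FINDING:", finding)
    print("after least_privilege():", audit_grants(least_privilege(SAMPLE_GRANTS)))
```

Running the audit on the constructed grants reports the bank analyst's access to IT infrastructure and the IT reviewer's access to financials; after `least_privilege()` the audit returns no findings. In practice the matrix is agreed with counsel before the room opens, and the audit is re-run every time a party is added.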

Cybersecurity due diligence guidelines recommend a number of practices to guide the acquisition process:

Cybersecurity Risk Management Assessment

This is one of the main recommendations. Find out whether the organization has the basic controls and an established approach to prevent, detect and respond to cybersecurity incidents. If the organization faces an incident, does it have what it needs for a prompt response and quick recovery? The response must limit exposure, involve the right authorities, take public relations needs into account, comply with applicable regulations and evaluate any potential legal action. In addition, there must be secure backups for quick data recovery, which in practice means backups that are isolated from the production environment and whose restoration has actually been tested.

Open-source intelligence (OSINT) collection

It is not only a past cyberattack that makes an acquisition risky. Certain everyday practices inadvertently disclose information that an attacker can use to plan an attack, increasing the chances of a data breach. Open-source intelligence gathering can reveal this kind of exposure.

One example is social networks such as LinkedIn, where companies publish technical detail in IT job descriptions that may inadvertently tell criminals which operating systems the company runs or which firewall product it uses. It is important to carry out open-source intelligence collection during due diligence with the objective of detecting exposures of this kind.
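A practical OSINT pass over job postings is mostly pattern matching. The block below is an added example written for this page, not the article's or TATICCA's code; the three postings are constructed, and the product patterns are an assumed starting list that a real engagement would extend.

```python
# Added example (not from the original article): pull technology and version
# disclosures out of job-posting text, the way an OSINT pass during due
# diligence would. The postings and the pattern list are constructed.
import re
from typing import Dict, List

# Constructed job-posting excerpts (not real postings).
POSTINGS: Dict[str, str] = {
    "Network Engineer": (
        "Administer Cisco ASA 5500 firewalls and Palo Alto PA-3200 appliances; "
        "maintain Windows Server 2012 R2 domain controllers and VMware vSphere 6.5."
    ),
    "Systems Administrator": (
        "Support Ubuntu 18.04 and CentOS 7 servers running Apache 2.4 and PHP 5.6, "
        "behind a Fortinet FortiGate perimeter."
    ),
    "Financial Analyst": "Prepare monthly reporting in Excel and Power BI.",
}

# One capturing group per category; inner groups are non-capturing so that
# re.findall returns the matched product string. Assumed list; extend as needed.
PATTERNS: Dict[str, str] = {
    "firewall": r"\b(Cisco ASA \d+|Palo Alto PA-\d+|Fortinet FortiGate|Check Point|pfSense)\b",
    "os": r"\b(Windows Server \d{4}(?: R2)?|Ubuntu \d+\.\d+|CentOS \d+|RHEL \d+|Debian \d+)\b",
    "middleware": r"\b(Apache \d+\.\d+|nginx \d+\.\d+|IIS \d+(?:\.\d+)?|PHP \d+\.\d+|Tomcat \d+)\b",
    "virtualization": r"\b(VMware vSphere \d+\.\d+|ESXi \d+\.\d+|Hyper-V)\b",
}


def extract_disclosures(text: str) -> Dict[str, List[str]]:
    """Map category -> sorted unique products/versions found in one posting."""
    found: Dict[str, List[str]] = {}
    for category, pattern in PATTERNS.items():
        hits = re.findall(pattern, text)
        if hits:
            found[category] = sorted(set(hits))
    return found


def scan_postings(postings: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Return only the postings that leak something, keyed by job title."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for title, text in postings.items():
        disclosures = extract_disclosures(text)
        if disclosures:
            report[title] = disclosures
    return report


if __name__ == "__main__":
    for title, disclosures in scan_postings(POSTINGS).items():
        print(title)
        for category, items in disclosures.items():
            print(f"  {category}: {', '.join(items)}")
```

The two technical postings yield the firewall vendors, the server operating systems with versions, the web stack and the hypervisor; the finance posting yields nothing. Each disclosed version then feeds the vulnerability assessment, since an attacker reads these postings the same way.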

Vulnerability assessment

After the exposures have been identified, an assessment of the organization's computing infrastructure is needed to establish whether its systems are up to date and, if not, how much time and money bringing them up to date will require. Computer systems involve many layers of hardware and software, from the operating system to the application software. All of them contain vulnerabilities that were built in unintentionally and are discovered only after the product ships, which is why vendors frequently release patches and new versions. Each discovered vulnerability normally results in a patch, and a patch that has not been applied is an open door.

Still, organizations struggle to keep their software up to date, and some choose not to apply patches for fear of breaking another component of an integrated system. Any faulty change costs money to fix, and if you are acquiring an organization, you may not want to also acquire the obligation to upgrade an outdated and insecure infrastructure. Outdated systems definitely affect the valuation multiple.
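The first concrete output of this step is a list of installed versions that sit below the patched level the assessment team will accept. The following is an added example written for this page, not code from the article or from TATICCA; the inventory rows and the baseline versions are constructed for illustration, and in a real engagement the baseline is taken from the vendors' advisories.

```python
# Added example (not from the original article): compare a software inventory
# against a minimum-patched-version baseline. Inventory, product names and
# baseline versions are constructed for illustration; a real baseline comes
# from the vendors' advisories.
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed inventory in the shape of a scanner/agent export: (host, product, version).
INVENTORY: List[Tuple[str, str, str]] = [
    ("web-01", "apache-httpd", "2.4.49"),
    ("web-01", "openssl", "1.1.1k"),
    ("db-01", "postgresql", "13.2"),
    ("app-02", "openjdk", "11.0.20"),
    ("app-02", "log4j", "2.14.1"),
    ("app-02", "custom-erp-agent", "4.2"),
]

# Assumed baseline: lowest version the assessment team accepts as patched.
BASELINE: Dict[str, str] = {
    "apache-httpd": "2.4.58",
    "openssl": "1.1.1w",
    "postgresql": "13.14",
    "openjdk": "11.0.20",
    "log4j": "2.17.1",
}


def version_key(version: str) -> Tuple:
    """Turn '1.1.1k' into ((0,1),(0,1),(0,1),(1,'k')) so that comparison is
    numeric per component ('13.2' < '13.14') and never raises on letter suffixes."""
    parts = re.findall(r"\d+|[A-Za-z]+", version)
    return tuple((0, int(p)) if p.isdigit() else (1, p.lower()) for p in parts)


def outdated(inventory: List[Tuple[str, str, str]], baseline: Dict[str, str]) -> List[Dict[str, str]]:
    """One finding per row that is below baseline or has no baseline at all."""
    findings: List[Dict[str, str]] = []
    for host, product, version in inventory:
        minimum = baseline.get(product)
        if minimum is None:
            findings.append({"host": host, "product": product, "version": version,
                             "minimum": "", "status": "no baseline"})
        elif version_key(version) < version_key(minimum):
            findings.append({"host": host, "product": product, "version": version,
                             "minimum": minimum, "status": "below baseline"})
    return findings


def by_host(findings: List[Dict[str, str]]) -> Dict[str, List[Dict[str, str]]]:
    """Group findings per host so remediation effort can be estimated per system."""
    grouped = defaultdict(list)
    for finding in findings:
        grouped[finding["host"]].append(finding)
    return dict(grouped)


if __name__ == "__main__":
    for host, items in by_host(outdated(INVENTORY, BASELINE)).items():
        print(host)
        for f in items:
            print(f"  {f['product']} {f['version']} ({f['status']} {f['minimum']})".rstrip())
```

The version comparison is the part that is easy to get wrong: comparing `"13.2"` and `"13.14"` as strings would call the database current when it is twelve minor releases behind. Products with no baseline entry are reported rather than silently skipped, since an unknown component is exactly what a buyer needs to ask about.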

Dark web scan

An organization may have been compromised without knowing it. A dark web scan looks for proprietary information, customer data sets, credit card data or lists of employee passwords that have already been leaked and are being offered on dark web markets and forums. Browsing the dark web directly can be dangerous, as it can expose the investigator to attack, so it is important to have an experienced third party carry out this check in a safe and controlled manner.

Indicators of Compromise Assessment

An indicator of compromise is something that suggests unauthorized users or activity on an organization's network. Common indicators include traffic to known command-and-control servers or signatures of known malware variants. You can perform a compromise assessment to look for these indicators in the target organization's network. If any are found, that is a strong sign of an active attack and merits further investigation. If there is an active compromise, the costs of remediation, recovery and breach notification need to be factored into the agreement.
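A compromise assessment in its simplest form is an indicator sweep over whatever logs the target can export. The block below is an added example written for this page, not the article's or TATICCA's code; the indicators (documentation IP ranges, made-up domains, a placeholder hash) and the log lines are all constructed, and the key=value log shape is an assumption.

```python
# Added example (not from the original article): run a small indicator-of-compromise
# sweep over exported log lines. Indicators, hosts, addresses and log lines are all
# constructed placeholders (documentation IP ranges, made-up domains), not real threat intel.
import ipaddress
import re
from typing import Dict, List, Optional, Set

IOC_DOMAINS: Set[str] = {"update-check.example-c2.net", "cdn.badactor.example"}
IOC_IPS: Set[str] = {"198.51.100.23"}                       # TEST-NET-2 address
IOC_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]     # TEST-NET-3 block
# Placeholder hash (SHA-256 of the empty string), standing in for a known malware hash.
IOC_SHA256: Set[str] = {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"}

# Constructed log lines in an assumed key=value export format (proxy, DNS, EDR).
LOG_LINES: List[str] = [
    "2024-03-01T10:02:11Z proxy src=10.0.4.21 dst=198.51.100.23 host=update-check.example-c2.net url=/gate.php",
    "2024-03-01T10:02:15Z dns src=10.0.4.21 query=beacon.cdn.badactor.example type=A",
    "2024-03-01T10:03:02Z proxy src=10.0.4.22 dst=93.184.216.34 host=www.example.com url=/",
    "2024-03-01T10:05:40Z edr hostname=ws-0421 process=svchost.exe sha256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855",
    "2024-03-01T10:06:00Z proxy src=10.0.4.30 dst=203.0.113.77 host=203.0.113.77 url=/a",
]


def match_domain(name: str) -> Optional[str]:
    """Exact or subdomain match against the domain indicators."""
    name = name.lower().rstrip(".")
    for ioc in IOC_DOMAINS:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def match_ip(addr: str) -> Optional[str]:
    """Exact address or CIDR-block match; values that are not addresses are ignored."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return None
    if addr in IOC_IPS:
        return addr
    for net in IOC_NETWORKS:
        if ip in net:
            return str(net)
    return None


def scan(lines: List[str]) -> List[Dict[str, object]]:
    """Return one hit per (line, indicator) pair, tagged with the internal source."""
    hits: List[Dict[str, object]] = []
    for number, line in enumerate(lines, 1):
        fields = dict(re.findall(r"(\w+)=(\S+)", line))
        source = fields.get("src") or fields.get("hostname") or "?"
        for key in ("host", "query"):          # proxy Host header, DNS query name
            ioc = match_domain(fields.get(key, ""))
            if ioc:
                hits.append({"line": number, "type": "domain", "indicator": ioc, "source": source})
        ioc = match_ip(fields.get("dst", ""))
        if ioc:
            hits.append({"line": number, "type": "ip", "indicator": ioc, "source": source})
        digest = fields.get("sha256", "").lower()   # hashes are case-insensitive hex
        if digest in IOC_SHA256:
            hits.append({"line": number, "type": "hash", "indicator": digest, "source": source})
    return hits


def affected_sources(lines: List[str]) -> Set[str]:
    """Internal hosts that touched any indicator; these are the triage starting points."""
    return {str(h["source"]) for h in scan(lines)}


if __name__ == "__main__":
    for hit in scan(LOG_LINES):
        print(f"line {hit['line']}: {hit['type']} {hit['indicator']} from {hit['source']}")
    print("investigate:", sorted(affected_sources(LOG_LINES)))
```

Matching is deliberately wider than string equality: a beacon to a subdomain of a listed C2 domain still counts, an address inside a listed block counts, and hash case is normalized. Every hit names the internal source, because the list of hosts to investigate is what the assessment actually hands to the incident response team.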

TATICCA — ALLINIAL GLOBAL also provides integrated auditing, accounting, tax, corporate finance, financial advisory, risk advisory, technology, business consulting and training services. For more information, visit www.taticca.com.br or email taticca@taticca.com.br. Our company has professionals with extensive experience in the market and has certified methodologies for carrying out activities.


TATICCA is a firm that provides external and internal auditing, tax, business consulting and advisory services, corporate finance, training, technology, expertise and investigations, sustainability, risk mapping, accounting and related services. TATICCA is a member firm of ALLINIAL GLOBAL, a global alliance of independent auditing, accounting and consulting entities.

TATICCA Auditores e Consultores Ltda. © 2025 - All rights reserved