The pace of business is faster than ever. Organizations are reassessing their operating models and considering mergers and acquisitions to quickly expand both their workforce and service offerings. While these mergers and acquisitions can be a positive catalyst for progress, the urge to rapidly close deals and return to business operations can sometimes outweigh ensuring proper security measures are in place.
The current M&A process is fundamentally flawed. Cybersecurity is often dismissed, and organizations have no idea what kind of exposed IT assets are being inherited from the other company. To safeguard M&A activity, CISOs and security teams must have a seat at the table to implement proper IT visibility.
Know before you own - prioritize asset inventory
M&A adds substantial risk to organizations because what is being bought, from an IT risk perspective, is truly unknown. This risk applies to most companies, as they have no concept of how much of their old, deprecated, complicated (and inherited) information sits on the internet. In my experience helping hundreds of organizations secure their attack surface, most cases show that 30-40% of their internet-connected assets were previously undiscovered. This kind of exposure creates unprecedented opportunities and access for attackers.
To successfully tackle M&A activity, the attack surface must be known – for all entities involved. Attack surface management (ASM) provides a true inventory of how an enterprise’s digital assets look before, during, and long after an M&A process. Building an inventory of those digital assets, and of the risks each one carries, through ASM must be a priority.
Cybersecurity compliance checks fall short
Before an acquisition takes place, the cursory compliance checks done to get the deal approved do not actually verify the true state of digital assets and their risks. Within a single company, the attack surface is constantly changing and growing, and as a result the acquired company itself usually doesn’t know all the assets it owns. Highlighting this flux, research shows that an average of 20% of an organization's cloud attack surface is taken offline and replaced with new or updated services in a single month. Because of this, the compliance reports sent to the acquirer, though prepared in good faith, are incomplete and do not document the true risk the acquirer would be inheriting.
Compliance checks need to be completely rethought and reprioritized for businesses to ensure attack surface security. Failing to do so can have negative consequences. In 2017, PayPal had to suspend operations of its newly acquired company, TIO, after millions of its customers had personal information stolen in a data breach. Proper security compliance checks – with actual security professionals – take time and add length to the deal process, but they are needed long-term.
Security visibility can’t stop post-acquisition
After the acquisition takes place, tracking must be done continuously to ensure assets are being integrated as planned in a secure manner. I once worked with a company in the airline industry that had assets from a defunct brand found on the internet more than a decade after the acquisition closed. It is critical to have full visibility into the security of all moving parts through the power of ASM, because there are numerous operational challenges enterprises face post-deal. Security is complicated because the threat landscape is escalating, and threat actor tactics are constantly evolving.
Visibility and control must be the emphasis and goal for all involved – and throughout the entire M&A process. Attack surface management solutions emulate an attacker’s perspective, providing comprehensive views of all entry points and assets, vulnerabilities, and attack vectors. A successful ASM strategy is incredibly comprehensive – starting with discovery and mapping of entry points and where assets lie, followed by reviewing these for vulnerabilities or potential risk. From there, security teams can prioritize – and remediate where they must – to streamline the complex processes we see associated with M&A movement.
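The discover-review-prioritize loop described above, and the gap between a compliance report and the live attack surface discussed earlier, can be made concrete with a small reconciliation script. The following is an added example, not code from the original article or from any ASM product: it compares a declared asset list (what the target company's compliance report claims) against what an external discovery run actually observes, reports assets that are unknown to the acquirer or silently decommissioned, and ranks the observed assets by exposure. All hostnames, addresses, owners and service labels are constructed sample data, and the scoring rule (high-risk service count plus a penalty for undeclared assets) is an assumption chosen for illustration.

```python
"""Reconcile a declared asset inventory against external discovery results.

Added example (not from the original article). All hostnames, IPs, owners
and service names below are constructed sample data.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Asset:
    host: str
    ip: str
    services: frozenset          # externally reachable service labels
    owner: str = "unknown"       # business owner; "unknown" for discovered-only assets


# Constructed: assets the target company's compliance report declares.
DECLARED = [
    Asset("www.target.example", "198.51.100.10", frozenset({"https"}), "web-team"),
    Asset("mail.target.example", "198.51.100.20", frozenset({"smtp", "https"}), "it-ops"),
    Asset("legacy-erp.target.example", "198.51.100.30", frozenset({"https"}), "finance"),
]

# Constructed: what an external discovery run observes from the internet.
# Note the defunct-brand host that never appeared in any report.
DISCOVERED = [
    Asset("www.target.example", "198.51.100.10", frozenset({"https"})),
    Asset("mail.target.example", "198.51.100.20", frozenset({"smtp", "https"})),
    Asset("dev-jenkins.target.example", "203.0.113.5", frozenset({"http"})),
    Asset("old-brand-portal.acquired-brand.example", "203.0.113.9", frozenset({"http", "rdp"})),
]

# Assumed risk policy: remote-administration and plaintext services count as
# high-risk exposure during the review step.
HIGH_RISK_SERVICES = frozenset({"rdp", "smb", "telnet", "ftp", "http"})
UNDECLARED_PENALTY = 2   # assumed weight: nobody owns or patches what nobody knows about


def reconcile(declared, discovered):
    """Return the inventory gaps between the report and the live attack surface.

    unknown: reachable on the internet but absent from the report.
    gone:    in the report but no longer observed (decommissioned or moved).
    decommissioned_ratio: share of declared assets that have disappeared,
                          a direct measure of how stale the report is.
    """
    declared_hosts = {a.host for a in declared}
    discovered_hosts = {a.host for a in discovered}
    unknown = sorted(discovered_hosts - declared_hosts)
    gone = sorted(declared_hosts - discovered_hosts)
    ratio = len(gone) / len(declared_hosts) if declared_hosts else 0.0
    return {"unknown": unknown, "gone": gone, "decommissioned_ratio": ratio}


def prioritize(discovered, declared):
    """Rank observed assets by exposure score, highest first.

    Score = number of high-risk services exposed, plus UNDECLARED_PENALTY if the
    asset was never declared to the acquirer. Ties are broken by hostname so the
    ordering is deterministic.
    """
    declared_hosts = {a.host for a in declared}
    scored = []
    for asset in discovered:
        score = len(asset.services & HIGH_RISK_SERVICES)
        if asset.host not in declared_hosts:
            score += UNDECLARED_PENALTY
        scored.append((asset.host, score))
    return sorted(scored, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    gaps = reconcile(DECLARED, DISCOVERED)
    print("Undeclared assets:", gaps["unknown"])
    print("Declared but missing:", gaps["gone"])
    print(f"Report staleness: {gaps['decommissioned_ratio']:.0%} of declared assets gone")
    for host, score in prioritize(DISCOVERED, DECLARED):
        print(f"{score:>2}  {host}")
```

Run against a real discovery export, the same two functions would be scheduled to run on every scan, with the `unknown` list feeding ownership assignment and the `gone` list feeding a change review, so that the inventory is maintained during and after the deal rather than checked once at signing.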
Full visibility gives enterprises the best chance at minimizing blind spots during the inherently difficult and vulnerable process of merging two enterprises. This includes identifying vulnerabilities, determining where sensitive data lies and who has access to it, uncovering active or previous breaches, and revealing any non-compliance with security policies. Only prudent organizations that collaborate and recognize the important role security teams play in developing concrete attack surface management strategies will prosper in M&A endeavors.