Sunday, June 12, 2016

Mergers & Acquisitions (M&A) Data Security Due Diligence

I recently read a New York Times article called "The Chinese Hackers in the Back Office" and one paragraph especially troubled me.

"Not all companies heed the warning. A security consultant for one victim, who spoke on the condition of anonymity because of nondisclosure agreements, said that his client chose not to act on a tip from Area 1 last year out of concern that a scandal over a successful online attack against the company would jeopardize its recent acquisition. It figured its acquirer would not have been thrilled to learn that the start-up's proprietary technology was now in Chinese hackers' hands." - NYTimes

This is one area where information security does not get enough attention: when a larger company purchases a smaller company or organization. How much due diligence is done to ensure that the acquisition target hasn't already been compromised? What steps are taken to ensure that the intellectual property of the acquisition target is secure and not already in the hands of the adversary? It may be worthwhile to hire a third party to audit the target and hunt its network to ensure that there isn't an APT already inside it.

There are implications when the acquisition target is discovered to be compromised. Does this impact the valuation? It likely does. It will also impact integration efforts. Some M&As assume cost savings that result from the merger; do some of those savings come from IT consolidation efforts? Depending on the extent of the compromise, you may never be able to integrate the target's network into your corporate environment. Depending on the capabilities of the attackers, it can take years to expunge them from the network. In extreme cases the existing infrastructure will need to be destroyed and rebuilt from the ground up.

One of the reasons I believe this doesn't get enough attention is hinted at in the article: much of this is not in the public domain. For every breach disclosure there are likely other parties that either a) don't know they have been breached or b) are keeping it secret.

These opinions are my own and not those of my employer. 
