The world recently heard that Marriott Industries experienced a breach that could have involved over 500 million accounts. It seems that hardly a week goes by without a major corporation experiencing a breach of one sort or another, and those are just the ones that we hear about. Many cyber crimes go unreported and thus are never acknowledged to the public. In fact, there may be loss of “shock value” when these large breaches do occur, which is not a good thing!
When I first read the news of Marriott’s breach, I perked up. Whenever a breach occurs it reminds me of why I do this job, which is to protect both the business’s reputation and the business’s customers. Working in cybersecurity can be a tedious job, but when a breach happens it should remind you of just how important your job is! In the case of Marriott, I would like to turn your attention to an often overlooked part of the business world: Mergers and Acquisitions (M&A). (https://www.nyse.com/publicdocs/cybersecurity_and_the_M_and_A_Due_Diligence_Process.pdf) M&As are costly endeavors! For many large corporations, the price tag can run into the billions of dollars, which makes every M&A important. Sadly, many large corporations have a hard time managing their own IT infrastructure, let alone incorporating a brand new one! This seems to have been a large problem in Marriott’s acquisition of Starwood, which is where the breach originated.
According to initial reports, Marriott received a security alert around September 8th YEAR about an attempt to access the Starwood database in the United States. They took immediate action and learned that unauthorized access had been obtained to the Starwood database in 2014! Yes, you read that right, 2014! This is a huge security breach and the attackers were in place for around 4 years. Now this may seem astounding to many security professionals, but it happens, especially if proper security tools and procedures are not followed.
When you work in the cybersecurity field it can be frustrating to watch the lack of awareness among average end users (who are often the targets of attacks) and it can be almost maddening to watch the nearly complete lack of empathy at the executive level of some businesses. Now, I am not saying this is the case with Marriott, but it does make you think.
As a cybersecurity professional you have a duty to assist your employer with securing their networks and data. You need to be passionate about the job and go to work every day with the drive to make a difference in some way. This post is about addressing the need to include cybersecurity protocols in the M&A process. There seems to be a lack of knowledge, or at least a lack of the application of knowledge, when it comes to ensuring acquisitions are secure and are following proper security protocols — and that needs to change! When a breach occurs, such as the one Marriott just experienced, let us all learn from the mistakes, apply the lessons learned, and improve our security posture!
First, why is this breach important? It goes far beyond the huge victim pool, but that is included in what I am about to say. As the EC Council’s Certified Ethical Hacking class teaches, you need to think like an attacker and ask yourself “What would an attacker do with the information obtained from this breach?” The possibilities are vast. Marriott hasn’t finished decrypting the duplicated data they discovered, but the number currently stands at 500 million guests who made a reservation at a Starwood property. Roughly 327 million of these victims included some type of combination of name, address, phone number, email address, passport number, date of birth, gender, arrival and departure information, along with their Starwood Preferred Guest account information.
Now, an attacker can utilize this information in a variety of ways. One way that is being discussed is combining this new information with information from earlier breaches (Equifax, Yahoo, Target) and building a fairly extensive personal database on the victims. If the victim works for the government or holds a sensitive position, this could create devastating results. Some have described it as a “national security risk,” and while I might not go quite that far, it is most certainly a risk to the individuals involved!
Secondly, there could be a massive number of phishing campaigns launched with the information stolen during this attack. With the information that has been released, I can foresee an attacker crafting a very clever phishing campaign either against the victims, or using the victims’ information against others. Phishing creates multiple dangers for both corporate entities and private individuals, and information such as this can easily be used to create realistic, malicious phishing campaigns.
We will all need to increase our vigilance in response to these attacks and educate other users to be aware of some of the ramifications that could follow.
When it comes to M&A, the business world has crafted extensive methods for acquiring other businesses, many of which focus almost entirely on fiscal considerations. What can the company gain from the acquisition of the other company? How can profits be improved? What margin of growth will we experience by taking on the associated business? The list goes on and on, but sadly one thing is often missing from the M&A process: cybersecurity!
As we can see from the Marriott breach, oftentimes cybersecurity is either not even thought of or is merely given a cursory treatment during the merger process, and this needs to change. In my own career I have been involved in several breaches that involved an acquired business, most of which, thankfully, were easily contained and did not create the sort of problems that Marriott is currently facing, but relying on luck is not a good business strategy!
As a cybersecurity professional you can use events such as this to educate your executive management, create an internal M&A process, and help to make your business safer! In order to safely deal with acquisitions, you need to bring to the table a wide range of cybersecurity knowledge and apply it to the process. This doesn’t have to be extremely difficult or time consuming, but once it is in place and practiced, it can do much to enhance both businesses’ cybersecurity posture.
Below is a short list to help you get started on implementing cybersecurity into the M&A process. One of the most important parts of this process is getting executive-level buy-in! If the executives, the board of directors, and others in upper management are not heartily supporting the process, then it is doomed to failure. This is true in every aspect of a company’s life, and cybersecurity is no different! Work to educate the executive level on creating a cybersecurity M&A process that can be implemented alongside the currently existing M&A process. Once you have crafted a sample, make sure that you send it up the chain of command.
I would note here that you will need to be selfless in this process. Leave your ego at the door and work on this as an employee that is seeking to help your company and your customers. In some cases, you may lose ownership of the process; accept this and continue to do your best to be a professional. In other cases, you might be brought into the process. If so, then embrace it humbly and be a team player!
So what should a cybersecurity-focused M&A include? Let us look at the following list.
First, any legal obligations must be examined and dealt with by both companies. With the implementation of GDPR in Europe, many global businesses have to deal with the statutes of GDPR whether they are headquartered in Europe or not. In the United States, many states have different laws addressing breach notification and cybersecurity and a multi-state business must be able to address each state in which they operate. Along with these laws there are hosts of regulatory bodies that different business entities must work with and M&As must take these into account as well.
Not only are there legal and regulatory issues, but there may be other secondary businesses involved. Whenever a business is acquired it usually brings with it an existing customer base. Who are they? How do they interact with the business’s systems and programs? Are there any preexisting cybersecurity concerns between the businesses? A good M&A cyber program will seek to address these types of questions for both the acquiring business and the one being merged.
- Who are your international partners, and in what countries do they operate?
- Do you know what level of security each of your international branches requires?
- Which laws apply to the existing business?
- Are they regulated by a third party? If so, how, and are there any reports from the regulatory body regarding inspections or audits?
The next topic we could call governance. This is obtaining a holistic view of both organizations and their employees to create a new security staff out of already existing ones! This can be difficult since some positions may overlap between companies, but it is vital that clear communication channels are created. If an incident were to occur and no one knows who to report it to, disaster is waiting in the wings! Who has authority over the new program? A clear, well-defined chain of command is imperative to any security operation, and that should be thoroughly explored and crafted during the merger process.
- Have you looked at both security organizations to get an idea of what the new organization will look like?
- Did you map out all the reporting relationships in the security organization?
- Do you have a strong line of communication with the executive board?
Each company has its own internal culture, and this needs to be considered during the M&A process. Take a good, deep look at the existing culture as it pertains to security to find out where any weaknesses may exist and how to strengthen them. The cybersecurity staff need to know each other and learn from one another in order to successfully merge. I have heard of hard feelings being created between “old” and “new” staff because this step was skipped or not taken care of during the merger. Cybersecurity depends as much on the people as on the tools, so do not neglect this step!
- Did you meet with your staff to break the ice and discuss the kind of security culture you’re aiming for?
- Have you composed and delivered a statement of security ethics to all employees?
- Do you have a clearly delineated chain of command?
- Are all personnel kept up-to-date on changes involving them?
One of the final, but definitely not least important, considerations is the technology stack. What security tools are being used by the two companies, and how can they be combined? Does one company have little-to-no security tools and the other a full stack? If so, the M&A must take into account the costs of integrating the two disparate departments. If one company has a more mature program, that one should be given preference and implemented no matter which company it comes from. Again, ego must be left out and an honest assessment made of the technology and security posture of both companies. Always err on the side of better security — it will pay off in the end!
- Are your business platforms compatible, and if not, which one should be preferred?
- What kind of links do you have with third parties and contractors, and are those connections secure? (Remember the Target breach was a third party contractor!)
- Do you have access controls and intrusion detection systems in place?
- Are email programs compatible and can they be combined?
- Always check software and programs for security vulnerabilities and flaws and ensure you do not inherit an insecure program or product.
There are many other questions that could be raised; here are some examples:
- Was there a compromise before the merger?
- Do you have access to a compromise assessment team or a third party that can perform one before the merger proceeds?
- Are there audits or inspection documents and reports that can be reviewed before the merger?
In many ways, each M&A will be unique and present you with a variety of problems to be solved! Engage with your creativity and think like a hacker! Then you can provide the very best security to a newly formed company.
About the Author:
David Biser, CEH, CHFI and EC Council Certified Instructor, started his infosec career as a criminal investigator handling online cases against a variety of criminals. As technology expanded David continued to expand his skills and moved into network intrusion and hacking investigations. He has testified in numerous criminal cases and conducted hundreds of forensic cases for investigations ranging from child pornography to intrusions and malware threats. He has taught several courses including EC Council’s CEH. He loves to spend his time researching the latest cyber security trends, teaching others and helping newcomers get into the cyber security field. David retired from law enforcement but continues to work in the public industry field as an incident response analyst. He also teaches classes at a local community college for both students and those desiring to continue their education and expand their skills.