M&A transactions increase the attack surface of organizations


In 2021, the global mergers and acquisitions (M&A) market grew at a breakneck pace. According to the consulting firm McKinsey, the volume of these transactions increased by 67% to reach 5,900 billion dollars.

This year, several factors have somewhat slowed down the M&A market, including inflation, rising interest rates, the energy crisis, and geopolitical issues, among others. Nevertheless, the market continues to grow: according to Bpifrance Le Lab, more than 70% of managers of SMEs and ETIs in France plan to take over another company within five years.

During the mergers and acquisitions process, IT teams play an essential role, particularly in providing and maintaining the infrastructure needed to carry these transactions out. Most importantly, they must keep the ecosystem safe from any vulnerability and external attack.

A growing and unprotected attack surface

The constant expansion of the attack surface is a concern for most organizations around the world. M&A candidates may have a partially unprotected attack surface, increasing the gap between the attack surface that needs to be protected and the attack surface that the organization is actually able to protect.

Beyond financial, commercial and strategic considerations, candidates for mergers and acquisitions also bring this risk to the table. It is therefore the responsibility of CISOs to properly assess and measure this gap in order to protect critical data, which may be considerably exposed to the risk of attacks during the transition process.

According to a recent global study on cyber attack resistance (“The 2022 Attack Resistance report”), organizations reported that only 63% of their attack surface was resistant to attacks, leaving a vulnerability gap of 37%. While this gap is significant, more than 44% of organizations on average also said they lacked confidence in their ability to deal with the risks induced by this gap.

M&A due diligence may not be enough for CISOs

For the CISO, security assessment is an expected part of M&A due diligence, but the result rarely changes the “Go/No-go” decision. In addition, due diligence is often based on simple checklists, sometimes supplemented by automated tools. These methods do not allow very precise or reliable identification of vulnerabilities, nor exhaustive monitoring of the attack surface. Once the transaction is concluded, the acquirer immediately becomes responsible for the risk associated with the assets of the new entity, even though the CISO was unable to accurately assess its actual level of security.

Collaborative security to limit risks

To protect all parties involved in an M&A transaction, more and more players are turning to collaborative security. In other words, they recruit ethical hackers who practice hacking in “good faith”. Using a community of hackers has many benefits, including allowing an organization to test its digital assets for software vulnerabilities by simulating an outside attack. By leveraging the perspective and creativity of an outsider, such as a hacker, organizations can better identify vulnerabilities that cybercriminals are most likely to exploit.

Mergers and acquisitions are certainly not the only challenge for CISOs. The acceleration of digital transformation, globalization, restructurings and many other factors also increase the pressure on security teams, which are often understaffed and lack adequate skills. Never has there been more need for the immediacy, expertise and creativity of hackers to complement security teams and their current processes and tools.




