Cybersecurity Roundup: Forescout, Kudelski, CyberX and Clearedin

Written by Edward Gately
June 28, 2019

An undisclosed data breach revealed during due diligence can be an acquisition deal breaker.

The first half of 2019 continued the breakneck pace of M&A — not just across the channel, but throughout the world of business.

So how does cybersecurity come into play during the due-diligence process that precedes a deal? Forescout conducted a global survey of nearly 3,000 IT and business decision makers that examines the growing concern of cybersecurity risks and the importance of cybersecurity assessment during M&A.

Among the findings:

Thirty-six percent of respondents strongly agree that their IT team is given adequate time to review a targets’ cybersecurity standards, processes and protocols before completing an acquisition.
Eighty-one percent of IT decision makers (ITDMs) and business decision makers (BDMs) agree that they are putting more focus on an acquisition target’s cybersecurity posture than in the past.
When asked what makes organizations most at risk during the IT process, two answers stood out: human error and configuration weakness (51%) and connected devices (50%).
Among ITDMs, only 37% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.
Sixty-five percent of respondents said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

To find out more about this issue, we spoke with Julie Cullivan, Forescout’s chief technology and people officer.

CF: How can cybersecurity providers help address cyber risk during M&A?

JC: M&A due diligence has traditionally focused on finance, legal, business, operations, human resources and IT, among others. Our survey findings suggest that although there is recognition of potential cyber risks during an acquisition, organizations considering an acquisition could benefit from greater, dedicated cyber evaluation. Our findings also suggest that evaluation and due diligence shouldn’t just be a point-in-time exercise; cybersecurity due diligence and risk assessment should be an ongoing activity.

Forescout’s Julie Cullivan

One of the best ways to continuously address cyber risk is to focus on asset management and asset inventory. It’s critical that organizations focus on asset management and asset inventory as a fundamental best practice to reduce cyber risks during M&A. And, to take that a step further, the relative importance of each asset needs to be determined as well as gaining an in-depth understanding of the network to which that asset is connected. In other words, if there’s a vulnerable asset on the network, but it’s segmented, that asset and associated risk might still be effectively managed.

CF: What sorts of problems can arise from failing to address cyber risk during M&A?

JC: Any merger or acquisition poses daunting challenges to IT leaders. Not only are they tasked with integrating people, processes and technology in the shortest possible time frame, they must also remain vigilant about addressing the added cybersecurity risks.

Failure to address cyber risk during an M&A can result in the acquisition of critical vulnerabilities leaving the network open to potential breaches. Once integration is complete, malware infected on one connected device can …