An undisclosed data breach revealed during due diligence can be an acquisition deal breaker.

Edward Gately, Senior News Editor

June 28, 2019

Security Roundup

The first half of 2019 continued the breakneck pace of M&A — not just across the channel, but throughout the world of business.

So how does cybersecurity come into play during the due-diligence process that precedes a deal? Forescout conducted a global survey of nearly 3,000 IT and business decision makers that examines the growing concern of cybersecurity risks and the importance of cybersecurity assessment during M&A.

Among the findings:

  • Thirty-six percent of respondents strongly agree that their IT team is given adequate time to review a target’s cybersecurity standards, processes and protocols before completing an acquisition.

  • Eighty-one percent of IT decision makers (ITDMs) and business decision makers (BDMs) agree that they are putting more focus on an acquisition target’s cybersecurity posture than in the past.

  • When asked what makes organizations most at risk during the IT process, two answers stood out: human error and configuration weakness (51%) and connected devices (50%).

  • Among ITDMs, only 37% strongly agree that their IT team has the skills necessary to conduct a cybersecurity assessment for an acquisition.

  • Sixty-five percent of respondents said their companies experienced regrets in making an M&A deal due to cybersecurity concerns.

To find out more about this issue, we spoke with Julie Cullivan, Forescout’s chief technology and people officer.

CF: How can cybersecurity providers help address cyber risk during M&A?

JC: M&A due diligence has traditionally focused on finance, legal, business, operations, human resources and IT, among others. Our survey findings suggest that although there is recognition of potential cyber risks during an acquisition, organizations considering an acquisition could benefit from greater, dedicated cyber evaluation. Our findings also suggest that evaluation and due diligence shouldn’t just be a point-in-time exercise; cybersecurity due diligence and risk assessment should be an ongoing activity.


One of the best ways to continuously address cyber risk is to focus on asset management and asset inventory. It’s critical that organizations focus on asset management and asset inventory as a fundamental best practice to reduce cyber risks during M&A. And, to take that a step further, the relative importance of each asset needs to be determined as well as gaining an in-depth understanding of the network to which that asset is connected. In other words, if there’s a vulnerable asset on the network, but it’s segmented, that asset and associated risk might still be effectively managed.

CF: What sorts of problems can arise from failing to address cyber risk during M&A?

JC: Any merger or acquisition poses daunting challenges to IT leaders. Not only are they tasked with integrating people, processes and technology in the shortest possible time frame, they must also remain vigilant about addressing the added cybersecurity risks.

Failure to address cyber risk during an M&A can result in the acquisition of critical vulnerabilities leaving the network open to potential breaches. Once integration is complete, malware that has infected one connected device can wreak havoc across the network.

Take Marriott for example. Late last year, 500 million Marriott customers had sensitive data stolen by malicious hackers as a result of a vulnerability in a system from Marriott’s acquisition of Starwood in 2016. One thing is clear from this: You don’t just acquire a company; you also acquire its security posture.

CF: How can organizations address cyber risk from connected devices and human error? Does that pose challenges/opportunities for cybersecurity providers?

JC: With the proliferation of IoT devices, set to surpass 20.4 billion by 2020, determining the cybersecurity risks of the devices should be a top priority in any M&A deal. Our survey found that 72 percent of respondents believe IoT devices to be the most vulnerable during an M&A deal. This presents a challenge for organizations to conduct a comprehensive inventory of every acquired device. We find that most organizations aren’t aware of the sheer number of devices connected to their network. That poses a significant risk to the enterprise, which is only heightened when acquiring another company’s plethora of potentially risky devices.

CF: How can cyber risk jeopardize an M&A deal?

JC: In many cases, an undisclosed data breach that’s revealed during diligence can be a deal breaker, forcing companies to take immediate action in M&A strategy. Remediation costs can get expensive, and if that cost outweighs the importance of the merger/acquisition, the deal will inevitably be terminated. There’s also brand reputation to consider, financial impact and general willingness to clean up another company’s mess. While history is not limiting, the key is disclosure and due diligence. Companies must perform due diligence in order to accurately assess any risk associated in any given M&A deal.

CF: What was the most surprising about the survey findings?

JC: Within the survey, one of the most surprising findings was that 53 percent of respondents have encountered a critical cybersecurity issue or incident that ultimately put the deal in jeopardy. Cybersecurity is often overlooked in the M&A diligence process as many acquisitions are often on the fast track.

Furthermore, our survey also found that an overwhelming 93 percent of respondents agree that cybersecurity evaluation is important when making M&A decisions. The history of critical cyber issues is a direct reflection of the company’s ability to mitigate risk. Given the value decision makers place on cybersecurity evaluation, it was only fitting that a majority 73 percent felt that a company with an undisclosed data breach was an immediate deal breaker.

Kudelski Security-Fortinet

Kudelski Security has expanded its device support and management to Fortinet.

Kudelski provides manufacturer support services for vendors like F5 Networks, Juniper Networks and Pulse Secure, and has more than 120 clients across the United States. As part of Kudelski’s service, clients get a premium service for quicker escalation and resolution, including finding, escalating and tracking bug fixes, the company said.

John Van Blaricum, Kudelski’s chief marketing officer and vice president of global marketing, tells us his company works to develop strategic relationships with its technology partners, which includes “developing the proficiency and technical expertise in their technologies that allows us to also offer high-value services to our clients.”


“This includes manufacturer support and remote device management, but also implementation, consulting and training,” he said. “This makes us a more meaningful partner as well as differentiates us with our mutual clients. We have one of the fastest-growing and most recognized new MSSPs in the industry, as well as world-class professional services. As we’re able to add new technologies to our support and management portfolio, we have a greater competitive edge and a more meaningful solutions portfolio. This also expands the total available opportunity for our partners to engage and support new clients.”

Kudelski’s device support and management services are part of its larger portfolio of advanced managed security services (MSS), including endpoint detection and response (EDR), threat hunting and attacker deception.

CyberX Unleashes Automated Threat Extraction Platform

CyberX, an IoT and industrial control system (ICS) security company, has enhanced its specialized IoT/ICS threat intelligence capabilities with a new automated threat-extraction platform that uses machine learning to identify malware and advanced persistent threat (APT) campaigns targeting industrial and critical infrastructure organizations.

Ganymede was designed to “dramatically” reduce the time required to identify, hunt and eradicate destructive malware such as LockerGoga that has cost industrial organizations tens or hundreds of millions of dollars in lost production and cleanup, according to CyberX. Plant safety systems also are being targeted by sophisticated nation-state adversaries across multiple industrial sectors globally. Also, trade secrets, such as proprietary design and manufacturing data, are being stolen from industrial companies.

Developed by Section 52, CyberX’s threat intelligence and security research team, Ganymede continuously ingests massive amounts of data from a range of open and closed sources to deliver data-driven analysis.

Phil Neray, CyberX’s vice president of industrial cybersecurity, tells us the new platform gives his company’s MSSP and channel partners a “value-added capability in the form of IoT/ICS-specific threat intelligence alerts and reports they can now provide to their clients” in addition to core CyberX capabilities such as IoT/ICS asset discovery, risk and vulnerability management, and continuous monitoring for threats inside their clients’ IoT/ICS networks.


“We’ve all heard the expression, ‘It’s not a question of if, but when’ when it comes to cyberattacks,” he said. “So the key challenge for industrial and critical infrastructure organizations is identifying targeted attacks as soon as possible, before the attackers can blow up the plant or take it down with destructive ransomware like LockerGoga. Threat intelligence is a key component of identifying APTs during the initial stages of the kill chain, which gives service providers an opportunity to deliver additional services in the form of mitigation recommendation and onsite incident response.”

Cybersecurity Startup Closes $4.75 Million Seed Round

Clearedin, an anti-phishing SaaS company, has raised $4.75 million to eliminate phishing across email, Slack and other channels.

Bonfire Ventures led the round with participation from MS&AD Ventures, the venture arm of Mitsui Insurance Group.

In addition to defense for end users, the Clearedin dashboard outlines why an email has been marked as suspicious or as phish; in turn, administrators get a look at the domains and users with which their organization is communicating — helping IT teams to fine-tune their defenses.

Ranjeet Vidwans, Clearedin’s chief revenue officer, tells us his company is a channel-first organization.


“Phishing security for email, Slack and other collaboration and communication platforms should be part-and-parcel of how customers buy and use those services,” he said. “We are partnering with MSPs and MSSPs as our primary channel to market for our platform.”

With this round of funding, Clearedin plans to make an aggressive push to market.

“If there is an opportunity to push a transaction through a channel, that is our first priority,” Vidwans said. “Those are the providers that already have customer relationships that are trusted and have been nurtured, typically, over years of thoughtful customer service. Our mission is to provide those MSSPs a value-added capability that they can deliver to their end clients.”

About the Author(s)

Edward Gately

Senior News Editor, Channel Futures

As news editor, Edward Gately covers cybersecurity, new channel programs and program changes, M&A and other IT channel trends. Prior to Informa, he spent 26 years as a newspaper journalist in Texas, Louisiana and Arizona.