A Due Diligent is part of any acquisition and is a process where earnings, pending litigation, intellectual property protections and other factors are analyzed to verify that the company they are acquiring is stable and will achieve financial projections that support the economics of the business. However, there is still resistance to applying Due Diligent in cybersecurity, given the likely needs of remediation processes.
Cybersecurity can even be neglected in the Due Diligent, but it will carry a business risk that can affect the financial performance of a business. That's because there are high chances that the acquisition could inherit security risks from the company. An example is how the data room is being managed: you can have vendors, investment bank, accounting firm and insurance company all in an online data room where confidential information is being exchanged. Most data rooms do not restrict access to certain areas or documents based on need-to-know, but your bank, for example, does not need access to IT information. Likewise, IT personnel do not need access to financial statements and earnings analysis.
When you give everyone access to all information, you significantly increase the risk of information disclosure, and you could be vulnerable to people with access who could sell information to a competitor or use it in an attack. This also happens if you reuse your passwords on multiple systems, allowing the attacker to break into the system and gain access to everything. It's important to be skeptical about the need to protect your documents. Be sure to manage user access and restrict access to certain areas and documents based on your needs.
Some practices in Due Diligence of cybersecurity are recommended to guide the acquisition process:
Cybersecurity risk management assessment
It's one of the top recommendations. Find out if the organization has the basic block and approach to preventing, detecting and responding to cybersecurity incidents. If this organization faces an incident, does it have what it needs for a prompt response and quick recovery? The response must limit exposure, involve the right authorities, consider public relations needs, be regulatory-appropriate, and assess any potential legal course of action. In addition, there must also be secure backups for quick data recovery.
Open source intelligence collection (Open Source Intelligence)
It's not just the experience of a cyber attack that makes an acquisition risky. Certain practices can inadvertently disclose information that an attacker can use to plan an attack, thereby increasing the chances of a data breach occurring. Open source intelligence gathering can find this risk.
One example is social networks like LinkedIn, where companies post technical information in IT job descriptions, which can inadvertently inform criminals about operating system routines or details of the firewall the company uses. IT IS important to perform open source intelligence gathering during the development process. Due Diligence, with the aim ofdetect vulnerabilities of this size.
vulnerability assessment
After detecting vulnerabilities, an assessment of an organization's computer infrastructure and identification of systems upgrades is required to determine whether they will require large investments of time and money to upgrade. Computer systems involve many layers of hardware and software, from the operating system to application software. They all have inadvertently built-in vulnerabilities that are discovered after the product is released, which is why developers often release patches and new versions of the software. Whenever a vulnerability is discovered, it results in a patch.
Still, organizations struggle to keep their software up to date. And some choose not to apply patches for fear that they might negatively alter another platform in an integrated system. Any erroneous modification requires money to fix, and if you are acquiring an organization, you may not want to acquire a need to upgrade an antiquated and insecure infrastructure. Outdated computer systems definitely affect the multiplier.
scan on Dark Web
One of the organization may be security compromised and not even know it. The scan discovers proprietary information, customer data sets, and credit card information or employee password lists that have already been included and are available on the dark web. Go to Dark Web It can be dangerous as it can open doors for attack, so it is important to have an experienced third-party resource to run this scan in a safe and controlled manner.
Commitment assessment indicators
An indicator of compromise is something that suggests that there are unauthorized users or activities on an organization's network. Common indicators of compromise include traffic to known command and control servers or signatures of variants of malware known. You can run an engagement assessment to identify these indicators in the target organization's network. If identified, it is a strong indicator of active attack that deserves further investigation. If there is an active commitment, the costs of correction, recovery and breach notification need to be factored into the agreement.
A TATICCA – ALLINIAL GLOBAL also provides integrated auditing, accounting, tax, corporate finance, financial advisory, risk advisory, technology, business consulting and training services. For more information, access www.taticca.com.br or e-mail taticca@taticca.com.br. Our company has professionals with extensive experience in the market and has certified methodologies for carrying out activities.