Information security due diligence: Did you buy an asset or a headache?
RISK BULLETIN |
According to Bloomberg's Global Financial Advisory Mergers and Acquisitions Rankings Q3 2013, mergers and acquisitions increased 33 percent in 2013. Of particular interest is technology sector activity, which was at a five year high during the third quarter of 2013, leading to buyers paying the highest premium on technology companies. Purchasing high premium companies typically includes intellectual property, private information databases (big data), source code, critical systems, and trade secrets, among other items. However, there is a unique threat to these types of assets in that they can be stolen or subverted without the data owner's knowledge and often leave little evidence that the asset has been compromised.
While high profile news stories are published about data thefts from large organizations and retailers, many more data breaches occur that are not disclosed or aren't deemed appealing enough to get articles written about them. According to www.datalossdb.org, an open-source data breach tracking database, over 2,200 companies experienced data breaches of protected personally identifiable information (PII) during 2013. Most of the breaches are occurred at midsized and smaller organizations. The 2013 Verizon data breach report (a study of trends in data breaches investigated by 19 different forensic investigation companies) indicated that over 65 percent of the data breaches investigated were at companies with less than 10,000 employees. Oftentimes, midsized to smaller organizations have weaker protections on their data and are easier targets. The report also documented that for 66 percent of the investigated breaches, compromised organizations did not discover the intrusion for a period of multiple months to years after the initial compromise. This lengthy timeline to discover a breach resulted from the fact that almost 70 percent of the breaches were discovered by third parties rather than the organizations themselves.
In one example, Nortel was penetrated by hackers prior to declaring bankruptcy. By the time the hackers were discovered, it was determined that they'd had access to Nortel's data for almost 10 years and had stolen business plans, research and development papers, emails and technical papers. Once the breach was discovered, management cut off the attack, but reportedly chose not to follow up with an investigation – or disclose the breach to the companies buying its $4.5 billion worth of patents. As a result, the attackers will probably never be identified and the companies acquired compromised systems that could be used to expand the attack into their networks. The purchasing companies would more than likely not have paid nearly as much for the intellectual property had they known about the breach prior to the purchase.
Typical due diligence performed on a potential acquisition is designed to make sure the asset is properly valued. Large amounts of data must be examined and assessed during the due diligence process, which typically occurs at a rapid pace. Financial audits are performed and basic controls reviews are sometimes conducted to substantiate the value of the purchase and the maturity of the operation. However, one must consider that if a large percentage of breaches go undetected for months or years at a time, a review of the standard operating controls will not detect a breach either. If the potential acquisition does not have monitoring systems in place or, more commonly, if they are not effectively monitored by qualified individuals to detect unauthorized activity, the organization could have unknowingly lost critical data before the letter of intent was drafted.
If a potential acquisition includes significant electronic information assets, a review of its current information security maturity could have a large impact on the value of the assets. If data has truly been stolen, it is quite possible an empty asset would be acquired, or at least one worth much less than initially believed. For instance, many social media companies' largest asset is their membership data. That data is proprietary and linked to creating customer profiles that business partners purchase. But, if that data has already been stolen, an attacker could sell the data at a fraction of the cost, dramatically affecting the potential earnings of the company. Other items, like intellectual property or custom source code, could create the same issue.
Even if an organization does not have secret data, most companies have some protected data such as PII, ePHI, credit/debit card data or government data. The loss of this type of data would be embarrassing to the company and potentially create an immediate burden on its new owners or worst case, could force them to assume the liabilities associated with data loss in any of the protected classes.
So what can be done? Standard due diligence is unlikely to detect a data breach if the company has not detected the breach already. Companies can protect themselves by making sure that due diligence procedures include information security objectives, internal and external penetration tests, and data identification procedures. If time permits, one of the most effective methods of detecting an attack is to monitor attempts by attackers to extract data from the environment. Proper monitoring of Internet connections can reveal whether data has been stolen or is in the process of being stolen, and depending on the logging available, could reveal how much data, if any, has been stolen so far. However, a detailed log review can take quite a while to complete and may take longer than desired for the purchase cycle. Thus, log reviews would only pertain to organizations where data compromise is already suspected.
While no due diligence is 100 percent effective in preventing the unforeseen, performing information security due diligence on potential acquisitions that have significant intellectual property, digital information assets or obviously lax IT controls, can make the difference between a profitable transaction, a loss or a significant liability.