Merging Companies? Avoid a Cybersecurity Nightmare with These Essential Tips!

Published on July 18, 2024

Thinking about merging companies? Don't miss this crucial step! Learn from the Change Healthcare breach and protect your investment with essential cybersecurity measures.

The Pros and Cons of Merging Two Businesses

Blended families are amazing! By bringing together diverse traditions, strengths, and perspectives, a family can create a richer, more vibrant unit. Merging two businesses can be similar. When done right, the result can be an amazing blend of talents and resources, fostering innovation and growth. However, just like a family where every member brings their own habits, quirks, and potential for chaos, merging businesses introduces a myriad of cybersecurity risks due to the diversity of policies, procedures, and security standards. The Change Healthcare breach is a stark reminder of what can go wrong when cybersecurity is overlooked during mergers and acquisitions (M&A). This blog will explore why penetration tests are essential during M&A, the new cyber threats that arise, and how they can be mitigated.

(This is part 3 in a series of blog posts extracting lessons from the Change Healthcare breach. Click here for part one, and here for part two.)

The Hidden Cyber Threats in Mergers and Acquisitions

When companies merge, they don’t just combine their assets; they also integrate their IT systems, data, and processes. Each organization typically has its own security protocols, which might be very good… or very poor. So, a company with a strong cyber security stance could find itself weakened by a lack of security on the part of the newly acquired business.

You might compare this to the effect of blending impurities into steel. Introducing too much sulfur or phosphorus makes the formerly strong steel brittle, prone to cracking or fracturing under stress. Mergers can similarly inject security weaknesses into a formerly solid company, as vulnerabilities in one system can compromise the entire newly-formed entity. 

Exploiting Security Gaps

Cybercriminals are always on the lookout for opportunities to exploit weaknesses. During M&A, discrepancies in security measures become prime targets. Hackers can leverage these gaps to infiltrate systems, move laterally into formerly protected networks, steal sensitive data, or even plant malware. 

Case Study: Change Healthcare Breach

The Change Healthcare breach is a textbook example of how cybercriminals can exploit security lapses during a merger. UnitedHealth Group (UHG) acquired Change Healthcare, the US’s largest clearinghouse for medical claims, in October 2022. This merger exposed the entire organization to significant vulnerabilities.

According to Aaron Walton, a threat analyst at Expel, post-merger Change Healthcare “was not brought up to speed with all the same security policies as UnitedHealth Group…”. This meant that Change’s lack of MFA (Multi-factor Authentication) was not addressed. Had this lack of MFA controls been identified and corrected earlier, the entire breach at Change Healthcare might have been avoided.

The Role of Penetration Tests and Security Audits

Pre-Merge Security Assessments

Conducting security audits and penetration tests before finalizing a merger can uncover hidden vulnerabilities. These assessments simulate cyberattacks to identify weaknesses in an organization’s defenses. By doing so, companies can address potential issues before they become real problems.

Think of penetration tests as a health check-up before marriage. Just as you’d want to know about any potential health issues in your partner, businesses need to understand the cyber health of the company they’re merging with.

Anatomy of a Penetration Test

Penetration tests are crucial during mergers and acquisitions to ensure the cybersecurity posture of both companies is robust. Here are some key areas a penetration test will check:

  • Network Vulnerabilities: Identifying weaknesses that could be exploited by attackers.
  • Application Security: Assessing web applications and software for flaws that could lead to unauthorized access or data breaches.
  • Access Controls: Evaluating the effectiveness of authentication and authorization mechanisms, including the use of multi-factor authentication (MFA).
  • Data Protection: Ensuring sensitive data is encrypted and secure to prevent unauthorized access.
  • Patch Management: Checking systems are up-to-date with the latest security patches and updates.
  • Endpoint Security: Analyzing protections of all devices connected to the network.
  • Social Engineering: Testing employee awareness and response to phishing attempts.
  • Incident Response: Evaluating the organization's incident response plans and procedures.
  • Third-Party Integrations: Assessing the security of third-party vendors and integrations to ensure they do not introduce vulnerabilities.

Mitigating Risks

Once vulnerabilities are identified, steps can be taken to mitigate these risks. This might involve patching software, updating security protocols, or even overhauling entire systems. Addressing these issues proactively can save a company from the financial and reputational damage of a cyberattack.

Like having a team of structural engineers check the overall soundness of a building before you purchase it, a pen test will reveal gaps and weaknesses in the cyber security of a company so they can be addressed before you sign on the dotted line.

Benefits of Penetration Testing During M&A

  1. Uncovering Hidden Issues: Just like a home inspection might reveal a leaky roof, pen testing can uncover poor security practices and vulnerable systems. It’s better to find these before they become your problem post-merger.
  2. Protecting Your Investment: M&As are expensive. Pen testing helps ensure that you’re not buying a company riddled with cybersecurity issues that could cost a fortune to fix later on.
  3. Maintaining Compliance: Many industries have strict regulations around data protection. Pen testing helps ensure the merged entity will remain compliant.

The Big Takeaway

Mergers and acquisitions are complex processes with numerous challenges. One of the most critical, yet often overlooked, aspects is cybersecurity. The Change Healthcare breach serves as a cautionary tale about the dangers of neglecting cybersecurity during M&A. By integrating robust security measures, such as penetration tests and comprehensive audits, businesses can protect themselves from potential cyber threats.

Investing in cybersecurity due diligence is not just a smart business move—it’s essential for safeguarding your company’s future. Don’t let your business be the next cautionary tale. Ensure that penetration tests and cybersecurity audits are a fundamental part of your M&A strategy.

Your IT Partner Can Help

Ready to secure your next merger or acquisition? Contact us today to learn more about our comprehensive cybersecurity audits and penetration testing services. Let’s build a secure future together.