Illusive Blog November 13, 2018

Increase Cybersecurity During Mergers And Acquisitions

By Ofer Israeli

More than $2.5 trillion in mergers were announced in the first half of 2018[1]a new record. Ranked by value of the deal, energy and power deals led, followed by media and entertainment, with healthcare and industrials close behind. Industries are converging and organizations are using acquisitions, divestitures, and other forms of asset remix to reposition their businesses. For example, there are numerous mergers among pharmaceutical, life sciences, and biotech companies as they seek to gain traction in a highly fragmented market. EY predicts that the total value of life sciences M&A will surpass $200 billion in 2018. According to Deloitte, technology acquisition is the primary driver of M&A pursuits, ahead of expanding customer bases in existing markets, and adding products or services[3].

Regardless of industry or business strategy, one of companies’ biggest M&A concerns has become security risk. In a recent survey of 100 global senior executives by West Monroe Partners’ M&A practice, 80% of respondents said that cybersecurity issues have become highly important in M&A due diligence. Too often, merging companies have connected their networks without giving enough consideration to security risks or incident response. Cybersecurity problems can affect deal value—or even sink a deal.

Companies’ security infrastructures are especially vulnerable during M&A—and cyber attackers know it. Insiders, especially employees who are fearful or resentful of changes affecting their jobs, can become serious threats. During M&A activity, a tremendous amount of sensitive data changes hands between the two companies, their legal teams, financial partners, and other third parties. Organizations like pharmaceutical companies, with highly valuable IP, complex extended enterprises, and manufacturing operations are especially vulnerable to security gaps due to the sheer complexity of their infrastructures. Whether attackers conduct direct attacks on the two merging organizations or gain access through a gap in a third party’s network, they can profit from intellectual property and data useful for exploiting financial markets.

The Need for Attack Surface Reduction

Without a focus on attack surface reduction or strong cyber hygiene measures in place, combining IT assets significantly increases the attack surface—and risk. The acquiring company also gains the acquired company’s risk profile and whatever security gaps might exist. For instance, unknown and unnecessary credentials floating out in the network make it faster and easier for attackers to access vital systems. According to the West Monroe Partners’ study, 52% of acquirers discovered significant security problems after the deal closed, and cybersecurity issues were the second-most common reason that buyers regretted a deal.

Even if both companies have stellar security controls in place prior to a merger, the massive amount of change and upheaval that continues throughout a long integration period can open dangerous new security gaps. It takes time to extend consistent security controls and enforce policies across a larger group of users. Disparate standards, improperly secured data transfer or storage—or simply human error that increases during periods of change—all open the door to easier access by attackers.

The Value of a Deception Platform

Anticipating or during M&A activity typically isn’t the best time to launch a laborious, resource-intensive security deployment. But deception-based threat detection can greatly minimize the risk of a successful attack and preserve the value of the assets being acquired. An Illusive deception platform is not only easy to deploy, it also easily incorporates new systems and adapts to changes in the infrastructure to provide elastic protection—even when security controls are changing or not in place. With endpoint-based deception, the odds of an attacker compromising critical systems become miniscule. An attacker in the network will be detected 99% of the time before he can find a path to a sensitive asset. Deception-based threat detection coupled with forensic data and attack surface reduction capabilities greatly enhance the value of your security team, making them pivotal to acquisition success.

Learn how Illusive can protect your business during—and after—an acquisition. Download Securing growth through M&A: Using deception to protect dynamic business infrastructure.


[1] New York Times, July 3, 2018

[2] 2018 M&A Firepower Report: Life Sciences Deal and Data, EY Vital Signs, 2018

[3] The state of the deal, M&A trends 2018, Deloitte