Execs are still giving cybersecurity short shrift. Here's why they need to be paying more attention.
- Corporate leaders still aren't focusing enough on cybersecurity-related risks, said Todd Inskeep, a principal of cybersecurity strategy at consulting firm Booz Allen Hamilton.
- This lack of focus is particularly apparent and especially dangerous when companies are exploring mergers, acquisitions, and spinoffs, Inskeep said.
- Such deals often involve hidden or poorly understood security risks, he said.
- The biggest risk is that a company is buying a firm that has a security breach that neither side knew about until the deal, Inskeep said.
One might think that by now assessing the cybersecurity situation of potential merger and acquisition targets would be a standard part of the due-diligence process of such deals.
After all, it's been nearly three years since Verizon's discovery of a massive data breach at Yahoo threw its potential acquisition of the web firm in doubt and ended up reducing the value of the deal by hundreds of millions of dollars. Surely corporate dealmakers these days are clued into and closely scrutinizing such risks, right?
Not so much, said Todd Inskeep. In his role as a principal of cybersecurity strategy at consulting firm Booz Allen Hamilton, Inskeep has a close-up view of how companies that are acquiring other firms or spinning off divisions are approaching the security implications of the moves. Too often, he said, cybersecurity is an afterthought, and companies' chief information security officers, or CISOs, aren't a part of the process.
When a company announces a deal, "too many times that's the first time the CISO hears about it," Inskeep told Business Insider in a recent interview. "For the most part," he continued, "they're not given much time to meet their counterparts ... and have any real conversations about their state of security before the companies are deciding to move forward."
And it's not just in such deals that corporate leaders are paying too little attention to cybersecurity, Inskeep said. In fact, business executives often don't realize that the deals they've signed or the products they've adopted have security implications that could compromise their computer systems or even affect their bottom lines.
"A lot of business leaders today don't understand how much cyber-risk the organization faces," Inskeep said.
Mergers and acquisitions pose acute cyber-security risks
But it's with major deals that those risks often come to light - sooner or later - or become more acute, he said. The one executives should be most concerned about - but often aren't considering - is that the company they are acquiring has already had its systems compromised.
"The biggest risk is the breach you don't know you're buying," he said.
A related - and also often hidden - risk in such deals involves the sheer amount of data some companies collect on their customers. New privacy laws in Europe and California require companies to be more judicious about the data they gather on consumers and to do a better job of safeguarding it. Companies that fall afoul of the rules face increasing fines.
Many firms simply don't have a good grasp on the personal data in their possession, Inskeep said. Too few people inside them completely understand what kind of data the company is collecting and how it's collecting the information; where it's storing the data; or the firm's long-term plans for the information.
"Too many companies have just historically collected everything they could," Inskeep said. "They haven't gone back to say, 'Why are we keeping this data?'"
But there are lots of other risks involved in such deals. The two companies in a deal may have incompatible security systems, or one company may have a much weaker system than the other. In either case, the amount needed to upgrade security may be an unforeseen cost of the deal.
Mergers create uncertainty, which criminals can exploit
Such deals also create a lot of uncertainty for employees, suppliers, and partners of both companies. It can be unclear who has the authority to approve payments or make purchases or what protocols to follow.
All that uncertainty can create a lot of opportunities for scam artists and criminals. One route they often take to exploit it is business email compromise attacks, in which they pretend to be high-ranking officials at a company or at one of the company's business partners and request that payment be sent to what turns out to be an account owned by the fraudsters.
In mergers and acquisitions, "there's a lot of opportunity for social engineering," Inskeep said.
To be sure, Inskeep has an interest in companies paying more attention to cybersecurity issues. After all, he gets paid to give firms advice on security risks and how they can better safeguard their systems and data.
But he insists that he's not overstating the risks.
At Booz Allen, "We get plenty of business," he said. "These are serious issues that businesses are facing."
And he acknowledges that more companies today are recognizing such risks than did in the past. Some companies are now regularly calling his team in to assess the cybersecurity situation at potential acquisition targets before they announce a deal, for example.
"But it's inconsistent," he said. "It's only among the most mature or most savvy companies that get it."