2021 is poised to smash all historical records for global mergers and acquisitions, with more than $2.8 trillion in M&A activity having already occurred during the first 6 months of the year alone. While a positive indicator for global economies, this rush of M&A activity does pose inherent challenges. Specifically, hurried cybersecurity evaluations and the increased number of devices and applications shifting from one IT department’s purview to the next introduce risks that can impact the M&A process before, during and after the deal.
IoT cybersecurity company Forescout reported recently that 62% of IT and business decision makers agreed that their company faces significant cybersecurity risk when acquiring new companies, and cyber risk is their biggest concern post-acquisition. 53% of respondents had encountered a critical cybersecurity issue during an M&A deal that put the deal in jeopardy.
In the midst of the overall M&A challenge, it’s common to overlook the role of passwords in your cybersecurity strategy. Most people are unaware that more than 80% of all data breaches are caused by compromised passwords, according to Verizon’s annual Data Breach Investigations Report. In fact, the majority of the largest and most costly cyberattacks of the past decade can be traced back to compromised passwords as the entry point.
Passwords can be harvested through brute force attacks, password spraying, email phishing and social engineering campaigns, and then used in credential stuffing attacks, ultimately leading to ransomware in many cases. Compromising a password continues to be the easiest way to gain unlawful access. It’s no surprise that Verizon also found that credentials remain the most sought-after data type for attackers in their 2021 breach report.
Fortunately, there are three simple measures that can be taken to improve password protection and reduce the cyber risk associated with acquiring companies.
1) Set a strong password policy
First, acquiring organizations must implement a strong password policy (if they have not done so already) to help safeguard against attacks and bring the organization into compliance with relevant standards. A strong password policy will disallow the use of compromised passwords and protect both organizations from credential stuffing attacks during the vulnerable merger period.
There are numerous resources available to guide IT leaders in picking the right password policy for their organization. Many organizations turn to the National Institute of Standards and Technology (NIST) or the Cybersecurity Maturity Model Certification (CMMC) for guidance on better password policy.
For instance, NIST has the following recommendations for password security:
- Set a minimum password length of 8 characters to encourage the use of longer passwords
- Give users the ability to use space characters in passwords to allow them to use phrases as passwords
- Screen new passwords against a breached password list and lists of specific words or phrases to avoid (like the organization’s name)
CMMC’s password security recommendations include:
- Don’t allow password reuse for a number of generations
- Permit temporary password use for logging onto systems, but require an immediate change
- Only store and transmit cryptographically protected passwords
Ultimately, immediately bringing the acquired companies’ passwords into compliance with a strong password policy is a necessary first step.
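The NIST and CMMC points above can be expressed as a single policy check that runs when a user picks a new password. The following is an added example, not code from the original article or from any vendor it mentions: it enforces the 8-character minimum, accepts spaces so passphrases work, screens the candidate against a breached-password list and an organisation-specific deny list, refuses reuse across a number of previous generations by comparing against stored salted PBKDF2 hashes (one choice of "cryptographically protected" storage), and supports a temporary password that forces a change on first login. It goes slightly beyond the page's list by also accepting up to 64 characters, which NIST SP 800-63B recommends as a minimum upper bound. The breached list, the deny words and the history depth of 5 are constructed or assumed values, not ones taken from the article.

```python
"""NIST / CMMC-style password policy checker (added example, not from the article)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

MIN_LENGTH = 8            # NIST SP 800-63B minimum length
MAX_LENGTH = 64           # NIST: accept at least 64 characters (beyond the page's list)
HISTORY_GENERATIONS = 5   # CMMC "no reuse for N generations"; N=5 is an assumed value
PBKDF2_ROUNDS = 100_000   # work factor for the stored hash (assumed value)

# Constructed sample data. A real deployment would load a large breach corpus
# and the organisation's own names and product terms.
BREACHED_PASSWORDS = {"password", "123456", "qwerty123", "letmein"}
ORG_DENY_WORDS = {"acme", "widgetco"}

Hashed = Tuple[bytes, bytes]  # (salt, digest)


def hash_password(password: str, salt: Optional[bytes] = None) -> Hashed:
    """Salted PBKDF2-HMAC-SHA256; only this pair is ever stored, never the plaintext."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    history: List[Hashed] = field(default_factory=list)  # newest hash is last
    must_change: bool = False                             # set after a temporary password


def evaluate_password(candidate: str, account: Account) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems: List[str] = []
    # Length is the main strength control; spaces are allowed, so nothing is stripped here.
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(candidate) > MAX_LENGTH:
        problems.append(f"longer than {MAX_LENGTH} characters")
    # Screen against known-breached values and organisation-specific words (case-insensitive).
    lowered = candidate.lower()
    if lowered in BREACHED_PASSWORDS:
        problems.append("found in breached-password list")
    if any(word in lowered for word in ORG_DENY_WORDS):
        problems.append("contains an organisation-specific word")
    # Reuse check: compare against the last N stored hashes, never against plaintext.
    for salt, digest in account.history[-HISTORY_GENERATIONS:]:
        if verify_password(candidate, salt, digest):
            problems.append(f"reused within the last {HISTORY_GENERATIONS} generations")
            break
    return problems


def set_password(account: Account, candidate: str) -> bool:
    """Apply the policy; on success store the new hash and clear any forced-change flag."""
    if evaluate_password(candidate, account):
        return False
    account.history.append(hash_password(candidate))
    account.must_change = False
    return True


def issue_temporary_password(account: Account) -> str:
    """Random one-time password that is valid for login but must be changed immediately."""
    temp = secrets.token_urlsafe(12)
    account.history.append(hash_password(temp))
    account.must_change = True
    return temp


def authenticate(account: Account, password: str) -> Tuple[bool, bool]:
    """Return (login_ok, change_required) using the account's current hash."""
    if not account.history:
        return False, False
    salt, digest = account.history[-1]
    ok = verify_password(password, salt, digest)
    return ok, ok and account.must_change


if __name__ == "__main__":
    acct = Account()
    print(evaluate_password("Password", acct))          # breached
    print(set_password(acct, "correct horse battery staple"))
    print(evaluate_password("correct horse battery staple", acct))  # reuse
```

The checker returns every violation rather than stopping at the first one, so the service desk can tell a user exactly what to fix. Because history is kept only as salted hashes, the reuse check costs one PBKDF2 computation per remembered generation, which is why the history depth is bounded.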
2) Implement password enforcement technology
Relying on employees to make good choices when it comes to password security is the equivalent of putting your head in the sand. A 2019 Google survey showed that 65% of adults reuse passwords across multiple, if not all, of their accounts. While it seems practical to employees, password reuse opens organizations up to credential stuffing attacks, which were behind many of the thousands of major data breaches of the past decade, such as those at LinkedIn, Yahoo and Zoom.
To minimize human weaknesses, companies undergoing M&As should invest in technology that enforces the strong password policy that has been put in place. This will help protect from cyber-attacks during the critical period as the organizations merge and focus may be elsewhere. Password enforcement tools can reduce password-driven threats and vulnerabilities while alleviating the burden that password management traditionally places on IT and the service desk.
3) Maintain ongoing cyber assessments
Due diligence projects in the lead-up to an acquisition are great at uncovering cybersecurity issues, and teams jump into action to address the concerns quickly. Applying that same mentality to ongoing cyber assessment can be beneficial to improving your security posture over time. Annual pen tests, password audits and reviewing best practices can provide ongoing input for continuous improvement, whether you will be merging two companies, maintaining separate IT systems and processes, or a combination of the two.
The role of password syncing
One useful tool in your toolbox is to sync passwords from one directory to another. Many companies undertake this initiative during a transitional period, while the M&A IT integration project is underway. This way it is possible to maintain two directories as you start the transition to common infrastructure and applications. The benefits include a smoother experience for employees, who can log into existing and new services without issue, especially following a password change, when the employee often faces challenges accessing a target application.
Address password concerns head-on
Acquiring a company increases cybersecurity risk and presents a number of IT challenges. Passwords are often overlooked in the M&A process, but compromised passwords are the root cause of nearly all data breaches.
Creating a strong password policy and enforcing it with the help of password management technology will go a long way to establishing better protection for both organizations. Long term, you should continue to assess cybersecurity using pen testing and password audits.