Using Open-Source Intelligence for Mergers and Acquisitions

Mergers and acquisitions (M&A) have challenged IT and security teams for as long as businesses have relied on technology. Every company’s IT estate is as unique as the company itself. Your company may use widely adopted tools and applications and follow industry best practices to deploy and configure them; nevertheless, over time those systems are adapted to the specific needs of the company.

Bringing two different systems together

This complicates the M&A process when the technical systems and security requirements on which the merged companies must operate have to be brought together. The result can be lengthy integration projects that take years before the full migration onto a single IT platform is complete.

The growth of cloud platforms has made these already demanding processes more complex. First, many business applications moved to a software-as-a-service model. In addition, the assets that make up many companies’ products and unique selling points now live on one of the many cloud-hosted platforms; they are no longer physical assets in a data center.

To address these challenges, you should evaluate and review the target’s technology early in the M&A cycle. It is tempting to evaluate targets primarily on their market position. After all, acquirers want to close a gap in their portfolio or own a specific tool or service. The review for technical bottlenecks often takes place late in the M&A cycle, leaving little time to weigh the consequences for the combined organization.

How using OSINT helps

This is where Open Source Intelligence (OSINT) can help. It enables an acquirer to assess a potential target’s defenses and understand many aspects of its approach long before anyone gets caught in the weeds of due diligence. As the name suggests, OSINT combines free, openly available information from various sources. It builds a picture of a company’s security posture and is well suited to evaluating cloud defenses, because cloud-hosted assets are by definition reachable from the public Internet.

The easiest way to learn about a company’s cloud security posture is to obtain OSINT health reports. These cover many potential problems directly related to the way the target company operates, and they draw their source data from multiple public scans and repositories. You can compare the results with those of similar industry players and thus get a simple visual contrast against the target’s competitors.

OSINT checklist

Some areas that an OSINT report will cover include:

  • Platforms and services – Which cloud hosting platforms and services does the target use? What technology underpins its offerings and operations?
  • Indicators of Compromise (IOCs) – Do the company’s IP addresses, servers, or domain names appear on IOC feeds or blocklists for malware infections, botnets, or spam?
  • Email security – Which mail platform does the company use? Has it published SPF, DKIM, and DMARC records, and does any of its mail infrastructure act as an open relay?
  • Reported breaches or incidents – Has the company been the victim of attacks or data breaches that it had to report to a data protection authority?
  • Certificates – Does the company use strong TLS configurations and valid, up-to-date certificates?
  • Application and server patching – Does the company keep its Internet-facing assets current with server and application updates?
  • Application security – Do its publicly reachable applications contain security gaps or misconfigurations?
  • Footprint – Which locations does the company operate from, including cloud-based platforms or regional services? Which IP addresses, domain names, and other web properties does it own?
  • Supply chains – Which parts of its web-based infrastructure does the company outsource to partners such as developers, white-label services, or subcontractors?
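The email-security item above is the easiest one to reproduce yourself, because the evidence is nothing more than public DNS TXT records. The script below is an added example and is not code from the original page: it parses SPF (RFC 7208) and DMARC (RFC 7489) records the way a health report would and flags the weaknesses an acquirer would want to see. The domain names and record contents are constructed so that it runs offline; in practice you would fetch the same strings with `dig TXT target.example` and `dig TXT _dmarc.target.example`.

```python
"""Assess a target's published email-authentication posture from DNS TXT data.

Added example for the OSINT checklist; the domains and records below are
constructed, not real DNS answers.
"""
from __future__ import annotations
from dataclasses import dataclass, field

# Terms that each consume one of the 10 DNS lookups an SPF evaluation may
# perform (RFC 7208 section 4.6.4); ip4/ip6/all cost nothing.
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}


@dataclass
class EmailAuthFindings:
    domain: str
    spf_record: str | None = None
    spf_all: str | None = None        # qualifier on the final "all": "+", "-", "~" or "?"
    spf_lookups: int = 0
    dmarc_record: str | None = None
    dmarc_policy: str | None = None   # "none", "quarantine" or "reject"
    issues: list[str] = field(default_factory=list)


def parse_spf(record: str) -> tuple[str | None, int]:
    """Return (qualifier of the 'all' mechanism, number of lookup-costing terms)."""
    all_qualifier, lookups = None, 0
    for term in record.split()[1:]:          # skip the "v=spf1" version tag
        if "=" in term:                      # modifier: name=value (redirect=, exp=)
            name = term.split("=", 1)[0].lower()
        else:                                # mechanism: [qualifier]name[:arg][/cidr]
            qualifier = "+"
            if term[0] in "+-~?":
                qualifier, term = term[0], term[1:]
            name = term.split(":", 1)[0].split("/", 1)[0].lower()
            if name == "all":
                all_qualifier = qualifier
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    return all_qualifier, lookups


def parse_dmarc(record: str) -> dict[str, str]:
    """Split 'v=DMARC1; p=reject; rua=mailto:...' into a tag dictionary."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_email_auth(domain: str, txt: dict[str, list[str]]) -> EmailAuthFindings:
    """Evaluate SPF and DMARC for `domain` given TXT answers keyed by DNS name."""
    f = EmailAuthFindings(domain=domain)

    spf = [r for r in txt.get(domain, []) if r.lower().startswith("v=spf1")]
    if not spf:
        f.issues.append("no SPF record: any host can claim to send as this domain")
    elif len(spf) > 1:
        f.issues.append("multiple SPF records: receivers treat this as permerror")
    else:
        f.spf_record = spf[0]
        f.spf_all, f.spf_lookups = parse_spf(f.spf_record)
        if f.spf_all is None:
            f.issues.append("SPF has no 'all' mechanism: result is neutral unless redirect= covers it")
        elif f.spf_all in ("+", "?"):
            f.issues.append(f"SPF does not reject unlisted senders ({f.spf_all}all)")
        elif f.spf_all == "~":
            f.issues.append("SPF ends in ~all: softfail only, enforcement depends on DMARC")
        if f.spf_lookups > 10:
            f.issues.append(f"SPF needs {f.spf_lookups} DNS lookups, over the limit of 10 (permerror)")

    dmarc = [r for r in txt.get(f"_dmarc.{domain}", []) if r.upper().startswith("V=DMARC1")]
    if not dmarc:
        f.issues.append("no DMARC record: spoofed mail is neither policed nor reported")
    else:
        f.dmarc_record = dmarc[0]
        tags = parse_dmarc(f.dmarc_record)
        f.dmarc_policy = tags.get("p", "").lower() or None
        if f.dmarc_policy == "none":
            f.issues.append("DMARC p=none: monitoring only, spoofed mail is still delivered")
        elif f.dmarc_policy not in ("quarantine", "reject"):
            f.issues.append(f"DMARC policy missing or invalid: {f.dmarc_policy!r}")
        if "rua" not in tags:
            f.issues.append("DMARC has no rua= address: nobody receives aggregate reports")
        pct = tags.get("pct")
        if pct is not None and pct.isdigit() and int(pct) < 100:
            f.issues.append(f"DMARC policy applies to only {pct}% of mail (pct={pct})")
    return f


# Constructed TXT answers standing in for `dig TXT` output (hypothetical domains).
SAMPLE_TXT = {
    "acme-target.example": [
        "v=spf1 include:_spf.google.com include:sendgrid.net a mx ~all",
        "google-site-verification=abc123",   # unrelated TXT records are ignored
    ],
    "_dmarc.acme-target.example": ["v=DMARC1; p=none; rua=mailto:dmarc@acme-target.example"],
    "other-target.example": ["v=spf1 ip4:203.0.113.0/24 -all"],
    "_dmarc.other-target.example": ["v=DMARC1; p=reject; rua=mailto:dmarc@other-target.example; pct=100"],
    "no-auth.example": ["some-verification=xyz"],
}

if __name__ == "__main__":
    for name in ("acme-target.example", "other-target.example", "no-auth.example"):
        result = assess_email_auth(name, SAMPLE_TXT)
        print(name, "->", result.issues or ["no email-authentication issues found"])
```

The two parsers deliberately stop at the record text: they do not follow `include:` or `redirect=` into other domains, so the lookup count is a lower bound, and a `-all` here can still be undermined by a permissive included record. A full health report resolves those recursively; for a first OSINT pass, the policy strength, the presence of a reporting address, and the lookup budget already tell you how much attention the target pays to its mail channel.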

Assessment of information security resources

Knowing all this helps to gauge the resources the target devotes to information security, especially the provisioning and management of the systems and services that face the public Internet. A poor score in one or more areas can indicate a skills gap or a blind spot in its defenses.

A lot can be read from the picture these reports paint. For example, the use of a particular cloud hosting platform or underlying technology can guide the acquirer toward a target that fits its own technology base and so eases the transition. It also becomes immediately clear whether you will need to standardize on a particular platform, for example moving from G Suite to Microsoft 365.

The use of OSINT does not replace due diligence of IT systems and security practices after the takeover. However, it helps to form an early view of how seriously a company takes security, and in this way it reduces the risk of nasty surprises later on.
