Most companies wide open to “cataclysmic” hack, especially after M&A

Companies are leaving themselves wide open to cyber crime, especially after M&A, so companies need to start enabling cyber-security professionals before they face serious problems

The saga of US telecom company Verizon’s proposed acquisition of Yahoo will be quoted as a case study for years to come.

Business executives and board members will ponder how an internet pioneer such as Yahoo could leave itself open to at least two massive cyber attacks. The merger and acquisition (M&A) world is equally interested by Verizon’s response: plough ahead, but slash the deal price by $350m.

Everything about the story is big and dramatic. But do not be fooled – only the numbers are truly exceptional. Most businesses are leaving themselves wide open to a cataclysmic hack, and most of them do not know it.

How do I know? For 12 years I was a federal prosecutor in the US Attorney’s Office in Manhattan, New York where I supervised the Complex Frauds and Cybercrime Unit. I spent a lot of time investigating bad guys such as Silk Road and Anonymous. Now I help businesses assess and manage cyber-security risks.

A buyer in an M&A situation will often ask me to do a cyber due-diligence check on a proposed target company. My team checks the target to see how open it is to a hack or breach. My report is often a sobering read.

While the consequences for some companies may not be as huge as those that have befallen Yahoo, they can be pretty bad.

I recently dealt with a client that had suffered a cyber attack that wiped out a database of billing records. The company made an insurance claim, but the loss was not covered by the terms of the policy. The victim lost more than a million dollars in revenue. That can be devastating to a company’s bottom line.

Companies do not need to be hacked to get tripped up by poor cyber security. Regulators in the healthcare and financial industries in the US, for example, have issued cyber-security guidelines and have placed regulated businesses under greater scrutiny. Complicated and expensive regulatory headaches can arise if an entity’s cyber-security programme is found to be inadequate.

As a final example, a cyber due diligence check that my team did in 2016 led to a deal getting called off. We did an audit of the target company. As far as we could tell, it had not been hacked, but its IT systems were so outdated and lacking in security that the purchaser would have had to spend hundreds of thousands of dollars on new equipment. This made the deal too expensive, so the buyer pulled out.

A single step towards cyber security

What can be done? Many readers of Computer Weekly undoubtedly have heard a long list of things companies should (and probably don’t) do to protect themselves. Even so, a journey of a thousand miles begins with a single step.

Companies should consider at least two actions: first, identify the scope of the computer infrastructure they own; second, support and enable their cyber-security professionals to secure it.

Simply speaking, in my experience, many medium to large-sized companies do not know the full extent of their IT networks. If they do not know what they have, then they typically do not know what they need to secure.

As they grow, companies buy new IT platforms, patch up old ones, buy other businesses and incorporate those platforms. They upgrade their PCs – or sometimes they do not.

As a result, they often lose track of what they have. On top of that, a variety of other networks often have access to company systems, from third-party payment platforms to shared data rooms with joint venture partners. To save time, the networks often are created in an ad hoc fashion without regard to information security implications.

This is, unfortunately, normal – and it is a security headache. A company might spend hundreds of thousands of pounds on a cyber-security programme, only to have it entirely negated because a back office is using an unsecured Wi-Fi network or unapproved, vulnerable software.

As soon as a company has worked out how much territory it has to secure, it can go about securing it. There is no one-size-fits-all approach to this problem. It involves, among other things, a customised review of the company’s technical infrastructure, its risk appetite, applicable guidelines, regulations or statutory regimes, and balancing security versus the company’s particular operational concerns.

It is inevitable that security recommendations will cost money or create headaches for the regular IT team.

For example, a company I recently advised was still using Microsoft Windows XP. As an operating system, it worked for them, but as Windows XP is no longer supported, it creates significant cyber-security issues. Advising them to update their system was unwelcome, expensive, and entirely necessary advice.
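The two points above (a company must first know what it owns, and then spot the unsupported systems and unapproved software hiding in that estate) can be turned into a routine reconciliation check. The following is an added example, not code from the article or its author: it compares a constructed discovery result against a constructed asset register and flags unknown hosts, end-of-life operating systems such as Windows XP, unapproved software, and registered assets that discovery never saw. The host names, the allowlists and the unsupported-OS set are all assumptions made for the example.

```python
"""Reconcile discovered hosts against the approved asset register (added example)."""

# Constructed approved asset register, as it might be exported from a CMDB.
APPROVED_ASSETS = {
    "fin-ws-01": {"owner": "finance", "os": "Windows 10"},
    "fin-ws-02": {"owner": "finance", "os": "Windows 10"},
    "legacy-billing": {"owner": "back office", "os": "Windows XP"},
    "dataroom-gw": {"owner": "legal", "os": "Linux"},
}

# Operating systems that no longer receive security updates (assumed list for the example).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Software the security team has approved (constructed allowlist).
APPROVED_SOFTWARE = {"Office 2016", "Chrome", "7-Zip"}

# Constructed discovery output: what a network scan or endpoint agent actually found.
DISCOVERED_HOSTS = [
    {"host": "fin-ws-01", "os": "Windows 10", "software": ["Office 2016", "Chrome"]},
    {"host": "legacy-billing", "os": "Windows XP", "software": ["Office 2016"]},
    {"host": "backoffice-ap", "os": "Unknown", "software": []},  # unregistered Wi-Fi AP
    {"host": "fin-ws-02", "os": "Windows 10", "software": ["Chrome", "TeamViewer"]},
]


def reconcile(discovered, approved, unsupported_os, approved_software):
    """Return a list of (host, issue) findings; an empty list means the estate matches."""
    findings = []
    seen = set()
    for h in discovered:
        name = h["host"]
        seen.add(name)
        if name not in approved:
            findings.append((name, "not in asset register"))
        if h["os"] in unsupported_os:
            findings.append((name, f"unsupported OS: {h['os']}"))
        for sw in h["software"]:
            if sw not in approved_software:
                findings.append((name, f"unapproved software: {sw}"))
    # Registered assets that discovery never saw: stale records or unmonitored segments.
    for name in sorted(set(approved) - seen):
        findings.append((name, "in register but not discovered"))
    return findings


if __name__ == "__main__":
    for host, issue in reconcile(DISCOVERED_HOSTS, APPROVED_ASSETS, UNSUPPORTED_OS, APPROVED_SOFTWARE):
        print(f"{host}: {issue}")
```

Each finding maps to one of the gaps the article describes: an unknown device on the network, a system past end of support, unapproved software, or a registered asset nobody is actually monitoring.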

For that reason, senior management must empower and support a company’s cyber security programme. It must be properly funded, and recommendations must be made (and received) without fear or favour. To that end, cyber security must also exist separate from a company’s regular IT function, which in most instances is focused on, and has the most expertise with, operations rather than security.

Companies can, of course, continue to use outdated but inexpensive IT, and make do with haphazard and ad hoc networking arrangements. Many do. But I see the consequences, and it is not the option I would choose.

The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions, position, or policy of Berkeley Research Group, LLC or its other employees and affiliates.