Zscaler Blog

Don't Buy a Breach: Ten Cybersecurity Red Flags to Look for During M&A Due Diligence

March 15, 2019 - 5 min read

(This article originally appeared last month in Forbes.)

We’ve heard the pundits’ criticism: Marriott should have known better. The hospitality company’s recent and well-publicized security breach occurred when hackers exploited network-security vulnerabilities in its Starwood division, a subsidiary that Marriott purchased only three years ago. And actually, it’s the news of the breach that’s recent. The breaching itself began in 2014.

With the benefit of 20/20 hindsight, it’s easy to cast the first stones: In 2016, Marriott purchased a company with compromised infrastructure, and then unknowingly integrated that compromised network into its own infrastructure. The Marriott story doesn’t paint a pretty picture of traditional castle-and-moat security. (“Ignore that extra drawbridge.”)

Instead of piling on further, let’s instead learn from Marriott’s experience. (We in the cybersecurity industry should never let a breach go to waste.) This is a mergers and acquisitions (M&A) object lesson and highlights the crucial role cybersecurity validation and audits must play during the due-diligence phase.

In that spirit, below are 10 cybersecurity red flags for companies assessing acquisition infrastructure. If your target meets any of these criteria, it’s probably a good idea to start digging. It’s fair to assume its network may be vulnerable to attack:

  1. Missing, Weak, or Poorly Documented Security Practices
    Start with adherence to (and procedures based on) the latest NIST Cybersecurity Framework, ISO 27001, and SOC 2, and if you’re publicly traded, Sarbanes-Oxley (SOX). That compliance reporting should include documented, readily accessible, and easily understood policies and procedures. No documentation can signal poor information asset protection.
  2. No Audit History
    Can the company claim SOX compliance? When was the last SOX review? Does the company practice cadenced cybersecurity audits? Absent audit trails can suggest an undisciplined approach to information management and could even introduce legal vulnerabilities in the case of a subsequent breach.
  3. Poor Inventory-Tracking
    How well does the company track its assets, both tangible and intangible? (One tip: “It’s probably in the data lake” is not a good answer.) It’s difficult to flag theft if you don’t know what’s at risk of being stolen in the first place. Request a hardware asset inventory, application inventory, and data-asset inventory (with classification levels).
  4. Poor Application Tracking
    It’s any-time-of-the-day-o’clock. Do you know where your users are? What apps are they using? Do they bypass firewall proxies to connect directly to them? At a bare minimum, your target IT department should have comprehensive visibility to user app access (whether it can control that access or not).
  5. No Defined Security Boundary
    Traditional hub-and-spoke networks are difficult enough to secure in the first place -- even when you have a defined perimeter. It should go without saying that an undefined or uncontrolled network boundary is often as secure as no boundary at all. (And yet we have to keep saying it.) Instead, there should be a readily-accessible, well-articulated network architecture design document that clearly defines identifiable security ingress and egress points with clearly-defined boundaries.
  6. Reliance on Remote Local Admin
    An organization with users with remote local administrative privileges isn’t less secure at face value. But couple that with a lack of centralized privileged account management and you have a recipe for both complex resource management and even exploitation. You’re also vulnerable to the hit-by-a-bus scenario: When privileged users leave the company, you could lose access to remote assets. I recommend looking for a stated policy directive blocking remote-admin access to local email and internet-browsing, as well as enabled multifactor authentication (MFA) for local admin privileges.
  7. No Multi-Factor Authentication
    In my opinion, there’s little to debate here: MFA is more than a must. It’s a bare minimum for a secure threat posture. Any company without it is less secure than one employing at least a dual-evidence authentication mechanism.
  8. Underfunded or Undefined Security Budget
    It’s hard for some of us in the CISO community to believe, but this question must be asked: What’s your cybersecurity line item? Companies without a defined, detailed cybersecurity budget (or low investment in cybersecurity) may unintentionally obscure more than poor accounting.
  9. Lack of Architectural Discipline
    How well-defined is the company’s security architecture? Can you trust that scanned diagram on the PowerPoint slide? Has the company integrated its own acquisition infrastructure, or is it running duplicate systems? Poor discipline in managing security architecture -- including change-management tracking -- can suggest poor oversight and hint at potential vulnerabilities with legacy systems. Signs of good discipline include having an easily understandable, detailed network architectural design document outlining the company's network infrastructure, security stack, data-system integrations (with classification) and a well-defined technical reference model.
  10. Poor Integration with Business Processes
    How siloed is the company? Is cybersecurity tailored to the way employees actually work? How well do policies address remote, cloud, and mobile access? If end users “go rogue” and bypass corporate security, it may be because network security models don’t support the way those users prefer to work: direct connection via Starbucks Wi-Fi instead of via a slow, VPNed, backhauled journey through a distant corporate firewall gateway.

Should network infrastructure vulnerabilities block a potential corporate acquisition? Sometimes. But the better question to ask: How do you account for infrastructure-vulnerability risk when you're valuing a potential acquisition? As Marriott’s example suggests, identifying red flags is essential to M&A due-diligence success. That is, as long as IT is empowered to wave those red flags along the way.

- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

Stan Lowe is Global CISO at Zscaler
