M&A activity is an attractive target for hackers.
“It's all about money to them,” says Jerry Bessette, COO at Cyber Defense Labs, who was with the FBI for 24 years. “They make millions and millions of dollars illegally doing this. And why would they want to target the M&A industry? For two simple reasons. One, you have money. Two, you have a digital presence.”
Many of the attacks hit massive organizations that spend millions of dollars on cybersecurity and were still breached. He says the FBI reports that since 2016, there have been 4,000 such attacks each day.
“Not all of them are those big, famous attacks. Many of them are attacks against companies like ones in this room,” he said at the Dallas Smart Business Dealmakers Conference. “One, because you probably have vulnerabilities you either know about and have done nothing with or you don't know about, and secondly, you have money. And three, you're on the internet — you have a digital presence.”
Companies, he says, need incident response readiness, and the core of that readiness is an incident response plan, which begins with a statement of management commitment.
“It has to come from the CEO down all the way to the clerk, the person that answers the phone or pays the bills, that we are committed to cyber security and having a robust program,” he says.
In that response plan, companies must outline what they will do when a breach occurs. They need to rate an incident's impact on a criticality scale, using a common language understood across the company (a yellow-level incident versus, say, a red-level incident). The plan also assigns individual roles and responsibilities for the response.
“A lot of people think automatically, ‘The IT guy or the IT gal is going to manage the incident.’ Well, more often than not, they're not the one that's managing the incident,” Bessette says. “I often see the CFO managing the incident. I've seen CFOs screaming and yelling on phone calls. This doesn't happen on Tuesday at noon. This happens on Saturday night at midnight. And so, you need to know individual roles and responsibilities.”
Companies should also know who will be responsible for conducting the investigation, talking to customers, and even business partners.
“Unfortunately, word typically always leaks out that there's been some type of a cyber incident, and the first move on the part of anybody that has a digital connection with you, whether they're a supplier, a vendor, a customer, is to cut all ties,” he says. “So, they're going to take an already bad situation where maybe you're down, you're losing $500,000 a day, $1 million dollars a day, $2 million a day, depending on the nature of the business that you're in, and now you can no longer get supplied. Banks will cut you off because they most certainly don't want that ransomware coming upstream to them — third-party, vendor management, supplier attacks, that's a huge vulnerability.”
The plan should also include run books that explain what to do for a ransomware attack, a network intrusion, or an insider incident. Additionally, it should list who to call (the local FBI office, external lawyers, the insurance company), because if the networks are locked up, so is that information. For the same reason, he says, companies should keep paper copies of the incident response plan.
Companies should also have more than one person who can lead the response.
“You take that once-in-a-lifetime vacation to go climb a mountain in Tibet or go to a yoga retreat where you're going to digitally detach and leave your phone and turn it off all day,” he says. “Meanwhile, the company is falling apart back in Dallas because they're under ransomware attack, and you're supposed to be running the incident response or the customer liaison, and nobody knows who your backup is.”
Despite the rising number of incidents and the significant consequences of a breach, he says 40 percent of companies still do not have an incident response plan.
But just having an incident response plan isn't enough. He says companies need to practice it. Not only does practice familiarize people with their roles, but during these exercises something usually surfaces that wasn't previously considered.
“Your World Series, your Super Bowl, is the day you get attacked,” Bessette says. “Your company is at a complete standstill and you're bleeding money, and you got the regulators breathing down your neck, and you have customers calling you up. So, you want to be ready for that, and you don't want that to be the first day you step on the playing field.”
He says companies with a growth strategy that relies on acquisitions need to use caution when integrating. To stay insulated, buyers need a plan and must bring the acquired company up to the necessary security standard before connecting it to their own environment.
“It's bad if they get attacked, but it's worse if, not only do they get attacked, but now they spread it to the acquiring organization and all the other companies within that organization,” he says. “So, don't rush to integrate. Make sure that you have a defined standard. You educate yourself on some of the questions and some of the things you should be seeing out there. Do they have an individual responsible for information security? What are those qualifications? Do they have MFA, endpoint detection response, asset vulnerability management? You don't have to know how to do it, but it's still important that you educate yourself so you can understand what you're looking at in the company that you're acquiring.”