March 03, 2021

Mergers and Acquisitions -- The High Price of Cloud Security Blindspots

How much would you pay for a Lexus GS? MSRP is $52,090 in 2021. Throw in All Wheel Drive and the Cold Weather Package and the price climbs to $55,090. 

But what if it was missing the pre-collision safety system or the airbags were faulty? What if you couldn't see the potential blindspots and pitfalls accompanying this big-ticket item? It probably wouldn’t be worth your investment; that's why there's a whole industry dedicated to unmasking vehicular blindspots, helping buyers avoid the lemons on the car market today. 

But what about when it comes to bigger--much bigger--decisions? 

Mergers and Acquisitions Save the Day but Come with Risk

In the corporate world, companies don't purchase cars, they purchase, and oftentimes merge, with other companies. Mergers and acquisitions are seen as the most important driver of inorganic growth that exists today and according to, “The value of M&A deals in the U.S. amounted to roughly 170 billion U.S. dollars in August 2020.” 

This massive valuation is in spite of COVID-19’s impact, and in fact, according to many experts, the M&A landscape is only going to grow more eventful as companies strategize their post-COVID comeback approach. Rick Smith of business rescue firm Forbes Burton says, “The advantages are obvious. Jobs can be saved, business can continue and it’s a great way for directors to exit if they feel they need to move on...Restructuring post-COVID could actually start a bidding battle for the most promising businesses.”

Suffice to say that in the coming months and years, it’s likely that M&A activity may reach all-time highs, despite the grey rain cloud that is the assumed post-COVID-19 economy.

But while mergers and acquisitions might just be the pandemic’s economic knight in shining armor, they come with more than a few risks, some of which are pretty obvious and some of which tend to get less attention. Anyone who has spent any time around business-y folk has heard, for example, about the need to perform Due Diligence audits to assess financial, contractual, and compliance risks when preparing to buy or combine with another company. There are also risks involving the merging of two disparate work cultures, which can lead to employee resentment and hard feelings. 

The Cyber Risks of M&As 

One area that tends to get overlooked though is that of the cyber security risks and the blindspots that result from combining or acquiring a new IT environment. In fact, according to risk and mitigation firm Aon, “less than 10% deals globally contain Cyber Security Due Diligence today. For some deal teams, Cyber is not considered material enough to look at during pre-deal and that all this technical stuff is best to look at post-deal.” 

Somehow, all these companies that throw cyber-caution to the wind seem to be forgetting about the Verizon/Yahoo! deal, which saw a 7% drop in valuation after Yahoo! disclosed that they had been involved in a major data breach. And then there’s the case of Marriott Hotels, which was breached via their Starwood Hotels and Resorts subsidiary; Starwood was first breached in 2014, well before the epic acquisition, and was first alerted of the breach in 2018, some two years post-acquisition. In the aftermath of the breach, the hospitality giant has had to pay out 18.4 million Euros in breach fines. Says the BBC, “The cyber-criminals had been in the systems for years, and were effectively thrown into the merger deal without Marriott having a clue. Herein lies the issue, though - it seems the larger hotel didn't check what it was buying.”

This dangerous lack of visibility can allow attackers to leapfrog from a lesser target to a more exciting prospect and according to PWC, “The period between a deal’s announcement and closing is of particular exposure if vulnerabilities exist, given the heightened awareness and opportunity.” 

Merging IT Environments (Cloud, Multi-Cloud, On-prem) Compounds Complexities

This is made all the more complex and probable as two companies attempt to merge IT environments into one cohesive framework. In fact, even in cases where proper cyber hygiene practices have been observed and both sides can confidently pat themselves on the back for a cyber job-well-done, the combining of IT environments in-and-of-itself should be cause for concern in M&As. 

Even when both parties use cloud-based infrastructure, chances are that they use different cloud providers, resulting in a multi-cloud environment. Multi-cloud environments can be challenging in best case scenarios; In the case of most M&As, the acquiring company doesn't yet have the tools, visibility, and knowledge to assess the security issues that may arise as a result of the integration. And when one of the environments is on-prem, getting these two different environments aligned becomes an even greater challenge

And in cases where, by luck, both parties use the same cloud vendor, they likely use different methodologies and architectures, such as serverless, containers, Kubernetes tools, etc. For example, let's say one company acquires another company that uses Kubernetes and didn't perform thorough cloud risk analysis. If the SalesForce admin token can be accessed via the Kubernetes pod, then any attacker who gains access to the acquired company can get access to the SalesForce of the acquiring company.

Moreover, the C-level execs who ultimately make the decisions regarding M&As usually understand little about the technical ramifications of such moves. This leaves IT, security, and cloud teams to deal with the potential integration mess and any subsequent security blindspots that arise in its wake. 

And aside from their disparate cloud environments, there are the myriad applications, devices, servers, etc, to be accounted for. The lack of full insight into the newly acquired environment is perfect breeding ground for attackers to infiltrate unnoticed. 

Cloud Security Analysis -- What May be Missing From M&A Due Diligence 

Of course, all of this isn't to say that M&As shouldn't take place; 

Certainly they should, especially since they are going to be a major factor in ensuring a stronger overall economy in years to come. What it does mean is that IT and cyber security considerations MUST play a more paramount role in the Due Diligence process, right up there with legal, financial, business, and vendor analyses. 

Lightspin’s contextual cloud security platform for cloud native and Kubernetes environments enables teams to perform cloud security audits to proactively detect security shortcomings that can sour M&A deals. With Lightspin, your team can continuously visualize, detect, and block any attack path in your cloud, Kubernetes and microservices environment, enabling you to reduce risks while establishing a clear plan for remediation. It delivers simple instructions for mitigation of all threats, allowing prioritization based on real risks and enables your team, whichever side of the M&A you're on to see your environment as an attacker and quickly address those weaknesses. 

Lightspin - The Key to Contextual Cloud Security Assessments 

As the corporate world navigates post-COVID, M&As will continue to be a driving economic force. If you're currently involved in one, it’s quite clear that you don't want to wind up with a lemon (and you definitely do not want to be that lemon!). With Lightspin, you can establish visibility across your cloud environment to create a contextual understanding of the environment to ensure no risks go unnoticed. 

To learn more about getting started with contextual cloud security, reach out to Lightspin today.


About Lightspin

Lightspin’s context-based cloud security empowers cloud and security teams to eliminate risks and maximize productivity by proactively and automatically detecting all security risks, smartly prioritizing the most critical issues, and easily fixing them. For more information, visit