When acquiring a business, there are tried and tested approaches to due diligence. This is not my domain of expertise; however, the City has legions of professionals, all highly skilled when it comes to this sort of thing. As with any purchase, there will always be an element of 'caveat emptor'; however, all being well, the checks and balances will have determined that you are buying what you think you are.
Now, a question that we are increasingly asked is: how do you go about ensuring that a given business is cyber secure? This is where things start to get a bit more challenging: the risks are much more difficult to assess and are more than likely going to fall outside of the scope of more traditional due diligence.
Given that it is assumed that all businesses will incur a data breach at some point and the majority are likely to go unnoticed for months on end, it is possible that an acquired business could come with a rather nasty surprise already lurking in its midst.
And herein lies another use for the Canary, a solution that I have referenced in previous posts. A 'Deception' solution without all the complexities, a Canary can be deployed strategically across a network to spot lateral movement of attackers who could be embedded within a company that is about to be acquired. The ease with which Canaries can be deployed and managed means that they can be up and running and doing their job within minutes.
Any issues will be picked up quickly, free from a barrage of false positives. What's more, the Canaries can remain in situ whilst the acquired business is being integrated into its new parent.
And by then we'd like to think that the Canary will have more than proven its worth and found a home across the entire business!
When you acquire a new company, don’t just transfer the domain over and sit back. You are now responsible for that company’s infrastructure. Decommission it or integrate it properly into your security testing schedule.