How To Eliminate The Cybersecurity Risks When Buying A Business

Acquiring or merging with another business invariably means integrating digital systems, networks, and data. This integration process can expose both parties to cyber threats if not managed correctly.

With the global business landscape becoming increasingly interconnected, mergers and acquisitions (M&A) have been surging as companies look for growth, diversification, and strategic positioning. According to an E&Y report, in the Middle East region there was a 42% increase in the total value of merger and acquisition (M&A) deals in Q1 2023 compared to the same period in 2022. Overall, the first quarter of the year saw 165 deals amounting to US$25.8b. This emphasizes the region’s prominence in global business. However, Kaspersky experts warn that such an upswing in M&A also underscores the need for vigilant cybersecurity practices.

Alexey Vovk, Head of Information Security Department at Kaspersky, cautions: “Acquiring an already established business can be an attractive option for example for entrepreneurs, given its potential for quick profitability, or similarly for large corporations that want to acquire innovative assets or intelligence that can expand their business. But over and above traditional legal, financial and governance due diligence during such a process, cybersecurity must be a focal point too.”

Some of the cybersecurity assessments that should be considered at a minimum, before buying a new business, include:

  • Existing cybersecurity measures: Investigate any past cybersecurity audits the company may have undertaken, even if they are self-conducted.
  • Valuable assets: Identify the most valuable digital assets of the business. For an e-commerce platform, this might be the website, so a thorough vulnerability check is essential.
  • Hosting and data management: Inquire about the company’s Web hosting provider and their reputation. Past security incidents might necessitate a change in hosting.
  • Security standards: Depending on the nature of the business, there might be specific cybersecurity standards to adhere to. Even businesses without critical assets should have baseline security to thwart common threats like ransomware.
  • Company reputation and data breaches: Research past data breaches and the subsequent remediation steps. Data leaks can tarnish a company’s reputation and invite legal repercussions.

However, Vovk goes on to caution that even beyond all the aforementioned sound advice, employee errors are also a concern and that can lead to significant data breaches. This is demonstrated in recent Kaspersky research carried out among employees in the Middle East, Turkiye and Africa region. A test with a phishing simulator built into the Kaspersky Automated Security Awareness Platform (KASAP) showed that 20% of employees would click on a malicious link, falling for scam emails with claimed corporate announcements.

“When buying a business, the acquiring organisation must consider any previous cybersecurity training conducted for staff as well as non-disclosure agreements when it comes to employees and third parties handling sensitive data. Fundamentally, proper access controls for company resources must be implemented within the new entity to ensure data access is limited and revoked appropriately when employees depart,” says Vovk.

Additionally, it is also crucial to be familiar with laws pertaining to data protection and cybersecurity. This includes understanding the regional regulations and laws that outline the prescribed conditions for responsibly processing personal data.

“It must be stressed that when acquiring a company, you assume responsibility for its risks as well. Attaining and maintaining optimal business cyber resilience is an ongoing process. But, protecting yourself from new tricks by threat actors requires additional investments in digital business solutions, tools and skills, setting the rules that comply with the law, and reviewing cybersecurity policies and new protections. Checking your cybersecurity level from the very beginning will help you reduce the likelihood of incidents, set a clear path for development, and achieve new goals,” concludes Vovk.