June 28, 2023 By Sanara Marsh 4 min read

By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute for Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.

Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on a daily basis throughout the entire M&A process.

To reduce breach risk during what can be an incredibly stressful time, security teams need to understand how SRS and ASM solutions fit M&A challenges.

What are security rating services?

Security Rating Services are designed to measure an organization’s overall cybersecurity risk and provide a security rating score. Sometimes known as cyber risk ratings, these scores are intended to be a data-driven measurement of an organization’s security posture.

SRS can rate risk within a company’s own environment or in a third-party environment. They generally show risk as a number or a letter, similar to a test score. This cyber risk score is calculated based on active and passive data collected by the service provider. Different SRS providers use different algorithms and data inputs to get this score, and there is no standard method or measure of cyber risk scoring.

A typical SRS provider looks at external data sources specific to an organization. Then, it compares those sources to data sets about known cyber risk factors in similar organizations. These factors include:

  • The number of employees (phishing risk) and the volume of connected IP addresses
  • Types of security processes and tools in place
  • Open ports and web-accessible vulnerabilities, such as expired secure sockets layer (SSL) certificates.

SRS works like an opaque version of the financial industry’s credit scoring system that rates how likely a consumer is to repay a loan. According to SRS, a good score — usually a higher number or letter, such as an “A” — indicates a secure environment and a lower score indicates a higher-risk environment.

SRS limitations during an M&A

SRS help turn complex conversations around risk into simple analyses for high-level assessment. However, they do not help improve a company’s security posture before, during or after an M&A, for several reasons:

  • Delayed results. SRS results are based on outdated data. SRS typically only scans for connected assets every 10 to 14 days and relies on outdated databases for comparative risk analysis. During an M&A event, when continuous monitoring is essential, SRS does not give a company continuous insight into evolving attack surface risks. Ratings provided by SRS do not necessarily change for long periods of time, sometimes months.
  • Superficial analysis. SRS takes a high-level look at what external security risks exist but does not help security teams understand where attacks are likely to come from. Attack risk (what vulnerabilities and attack vectors are most likely to be compromised) is not assessed by SRS.
  • Inconsistent scoring. The reliability and trustworthiness of SRS suffer from disjointed scoring systems and a lack of transparency. Looking at the same company, different SRS are likely to provide different results because of their proprietary scoring mechanisms. It is also possible for proactive companies to receive poor security rating scores because deliberately exposed honeypot IP addresses or assets are counted against them.

Using SRS during an M&A can still be useful for nontechnical stakeholders to understand potential risks at a high level. However, SRS does not help security professionals find and fix the attack vectors that emerge during an M&A event or improve their security rating. To do so, a more actionable process is needed to support the security teams on all sides of the equation.


Differences between ASM and SRS

ASM tools give chief information security officers and security practitioners insight into how an M&A changes internal and external attack surfaces. The threat landscape changes daily as new exploits, techniques and zero-day vulnerabilities appear, and ASM keeps pace with that evolving landscape.

Used before, during and after an M&A, ASM is a continuous process of looking at the attack surfaces of the companies involved. ASM tools find known and unknown attackable assets (such as unpatched servers, unprotected IPs or forgotten cloud workloads) and plot paths to compromise just like a threat actor would.

Following are some of the core differences between SRS and ASM tools.

ASM tools:

  • Help security teams find and fix attack vectors during an M&A
  • Find attackable assets before threat actors can exploit them
  • Look at specific attack risks, such as which assets are most likely to be attacked, instead of general risk sources
  • Are continuous and should be done throughout the M&A process.

SRS tools:

  • Help understand risk at a high level
  • Provide insights for nontechnical stakeholders who look at acquisition targets
  • Give a general overview of the risk that a company faces relative to other companies
  • Do not identify attack vectors or help prioritize remediation.

To sum up, SRS provides a general rating of a company’s external risk, while ASM tools show security teams what assets and attack vectors they need to focus on during an M&A.

Why organizations turn to ASM during a merger

A merger can be one of the most stressful situations an IT team can encounter. During mergers, IT teams often must shift their focus toward merging different systems and away from security while many staff members move on to other roles.

A breach during this time can lead to outcomes that range from delays to dramatically reduced valuations. This makes prioritization critical.

A security rating score might be helpful to understand the situation by telling board members, “Yes, this acquisition target has a relatively small number of known assets connected to its network but does not patch them often.” However, a security rating score will not tell security teams which assets they must fix first.

ASM tools allow organizations on both sides of a deal to scan external assets and plot attack pathways. This helps organizations see how their environment changes during and after a merger event, highlighting new and evolving risks in real time.
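As an added illustration (not the article's own code, and not Randori Recon), the following Python compares two constructed external-inventory snapshots of a combined acquirer-plus-target attack surface and reports what changed between them: hosts that appeared, ports newly opened on known hosts, and certificates that have expired. This is the day-over-day view the article attributes to ASM and that a 10-to-14-day SRS scan cycle would miss; every hostname, port and date below is a constructed sample value.

```python
from datetime import date

# Constructed sample snapshots: what an external scan of the combined
# attack surface might return on day 0 and day 3 of an integration.
# host -> {"org": owning company, "ports": open ports seen, "cert_expiry": TLS cert expiry or None}
DAY0 = {
    "www.acquirer.example": {"org": "acquirer", "ports": {443}, "cert_expiry": date(2024, 3, 1)},
    "vpn.target.example":   {"org": "target",   "ports": {443}, "cert_expiry": date(2023, 5, 30)},
}
DAY3 = {
    "www.acquirer.example":       {"org": "acquirer", "ports": {443},     "cert_expiry": date(2024, 3, 1)},
    "vpn.target.example":         {"org": "target",   "ports": {443, 22}, "cert_expiry": date(2023, 5, 30)},
    "legacy-db.target.example":   {"org": "target",   "ports": {3306},    "cert_expiry": None},
}


def diff_surface(before, after):
    """Return (hosts that appeared, {host: ports newly opened on hosts present in both})."""
    new_hosts = sorted(set(after) - set(before))
    new_ports = {}
    for host, info in after.items():
        if host in before:
            opened = info["ports"] - before[host]["ports"]
            if opened:
                new_ports[host] = sorted(opened)
    return new_hosts, new_ports


def expired_certs(snapshot, today):
    """Hosts whose TLS certificate had already expired on `today` (None = no cert observed)."""
    return sorted(h for h, i in snapshot.items()
                  if i["cert_expiry"] is not None and i["cert_expiry"] < today)


def daily_findings(before, after, today):
    """Flatten one day-over-day comparison into review items for the security team."""
    new_hosts, new_ports = diff_surface(before, after)
    items = [f"NEW HOST   {h} ({after[h]['org']}) ports {sorted(after[h]['ports'])}" for h in new_hosts]
    items += [f"NEW PORT   {h} opened {p}" for h, p in new_ports.items()]
    items += [f"EXPIRED CERT {h} (expired {after[h]['cert_expiry']})" for h in expired_certs(after, today)]
    return items


if __name__ == "__main__":
    for line in daily_findings(DAY0, DAY3, date(2023, 6, 28)):
        print(line)
```

Feeding each day's scan output into `daily_findings` against the previous day's gives the continuous change list the article contrasts with a periodic rating; the same functions work unchanged on the target's assets alone or on the merged inventory.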

Learn how IBM Security Randori Recon can help bring clarity to your cyber risk and sign up for a free attack surface review.
