By attracting attention from threat actors, merger and acquisition (M&A) events are a significant source of cyber crime risk. So much so that, according to a 2020 IBM Institute of Business Value study, more than one in three executives said they experienced data breaches that can be attributed to M&A activity during integration.

Security ratings, provided by security rating services (SRS), can deliver an overview of risk to stakeholders. But attack surface management (ASM) tools give security teams actionable insight on a daily basis throughout the entire M&A process.

To reduce breach risk during what can be an incredibly stressful time, security teams need to understand how SRS and ASM solutions fit M&A challenges.

What are security rating services?

Security Rating Services are designed to measure an organization’s overall cybersecurity risk and provide a security rating score. Sometimes known as cyber risk ratings, these scores are intended to be a data-driven measurement of an organization’s security posture.

SRS can rate risk within a company’s own environment or in a third-party environment. They generally show risk as a number or a letter, similar to a test score. This cyber risk score is calculated based on active and passive data collected by the service provider. Different SRS providers use different algorithms and data inputs to get this score, and there is no standard method or measure of cyber risk scoring.

A typical SRS provider looks at external data sources specific to an organization. Then, it compares those sources to data sets about known cyber risk factors in similar organizations. These factors include:

• The number of employees (phishing risk) and the volume of connected IP addresses
• Types of security processes and tools in place
• Open ports and web-accessible vulnerabilities, such as expired secure sockets layer (SSL) certificates.

SRS works like an opaque version of the financial industry’s credit scoring system that rates how likely a consumer is to repay a loan. According to SRS, a good score — usually a higher number or letter, such as an “A” — indicates a secure environment and a lower score indicates a higher-risk environment.

SRS limitations during an M&A

SRS helps turn complex conversations around risk into simple analyses for high-level assessment. However, they do not help improve a company’s security posture before, during or after an M&A happens for several reasons:

• Delayed results. SRS results are based on outdated data. SRS typically only scans for connected assets every 10 to 14 days and relies on outdated databases for comparative risk analysis. During an M&A event, when continuous monitoring is essential, SRS does not give a company continuous insight into evolving attack surface risks. Ratings provided by SRS do not necessarily change for long periods of time, sometimes months.
• Superficial analysis. SRS takes a high-level look at what external security risks exist but does not help security teams understand where attacks are likely to come from. Attack risk (what vulnerabilities and attack vectors are most likely to be compromised) is not assessed by SRS.
• Inconsistent scoring. The reliability and trustworthiness of SRS suffer from disjointed scoring systems and a lack of transparency. Looking at the same company, different SRS are likely to provide different results due to their proprietary scoring mechanisms. It is also possible for proactive companies to receive poor security rating scores due to honeypot IP addresses or assets.

Using SRS during an M&A can still be useful for nontechnical stakeholders to understand potential risks at a high level. However, SRS does not help security professionals find and fix the attack vectors that emerge during an M&A event or improve their security rating. To do so, a more actionable process is needed to support the security teams on all sides of the equation.

Differences between ASM and SRS

ASM tools give chief information security officers and security practitioners insight into how an M&A changes internal and external attack surfaces. The threat landscape changes on a daily basis as new exploits, techniques and zero-day vulnerabilities appear. ASM keeps up with this evolutionary situation.

Used before, during and after an M&A, ASM is a continuous process of looking at the attack surfaces of the companies involved. ASM tools find known and unknown attackable assets (such as unpatched servers, unprotected IPs or forgotten cloud workloads) and plot paths to compromise just like a threat actor would.

Following are some of the core differences between SRS and ASM tools.

ASM tools:

• Help security teams find and fix attack vectors during an M&A
• Find attackable assets before threat actors can exploit them
• Look at specific attack risks, such as which assets are most likely to be attacked, instead of general risk sources
• Are continuous and should be done throughout the M&A process.

SRS tools:

• Help understand risk at a high level
• Provide insights for nontechnical stakeholders who look at acquisition targets
• Give a general overview of the risk that a company faces relative to other companies
• Do not identify attack vectors or help prioritize remediation.

To sum up, SRS provides a general rating of a company’s external risk, while ASM tools show security teams what assets and attack vectors they need to focus on during an M&A.

Why organizations turn to ASM during a merger

A merger can be one of the most stressful situations an IT team can encounter. During mergers, IT teams often must shift their focus toward merging different systems and away from security while many staff members move on to other roles.

A breach during this time can lead to outcomes that range from delays to dramatically reduced valuations. This makes prioritization critical.

A security rating score might be helpful to understand the situation by telling board members, “Yes, this acquisition target has a relatively small number of known assets connected to its network but does not patch them often.” However, a security rating score will not tell security teams which assets they must fix first.

ASM tools allow organizations on both sides of a deal to scan external assets and plot attack pathways. This helps organizations see how their environment changes during and after a merger event, highlighting new and evolving risks in real-time.

Learn how IBM Security Randori Recon can help bring clarity to your cyber risk and sign up for a free attack surface review.