Mergers and acquisitions (M&A) have been challenging for IT and security teams for as long as businesses have relied on technology. Every company’s IT system is as unique as the company itself. Your business may run on commonly used tools and apps, and industry best practices to deploy and configure them. Nevertheless, these systems get molded to the specific needs of the business over time.

Bringing Two Disparate Systems Together

This can make the M&A process difficult when it comes to bringing together the technical systems and security needs on which the merged companies must function. This can result in drawn-out projects that may take years to fully transition to one IT pipeline.

The growth of cloud platforms has made these already challenging processes more complex. First, many apps used for work moved to a software-as-a-service model. In addition, the assets which comprise the products and unique selling points of many businesses now reside in one of the many cloud-hosted platforms. They aren’t physical assets in a data center anymore.

In order to help address these challenges, assess and review tech early in the M&A cycle. It’s tempting to assess targets based mainly on their places in the market. After all, companies acquiring others want to fill a gap in their portfolio or own a specific tool or service. Checking for tech bottlenecks often comes late in the M&A cycle, leaving little time to consider the impact they will have on the future.

How Using OSINT Helps

This is where open-source intelligence (OSINT) can help. It lets an acquirer assess a potential target’s defenses and understand many aspects of the way it runs long before getting into the weeds of due diligence. As the name suggests, OSINT combines free, openly available information gathered from different sources. It builds a picture of a company’s posture and is uniquely positioned to assess cloud defenses.

The simplest route to get to know a company’s cloud security posture is to get OSINT health reports. These cover a lot of potential issues directly tied to the way the target company runs. They also pull their source data from multiple public scans and repositories. They can compare these with other, similar industry players, allowing a simple visual contrast with business rivals.

OSINT Checklist

Some areas that an OSINT report will cover include:

  • Platforms and services – What cloud-hosting platforms and services does the target use? What tech underpins their offerings and operations?
  • Indications of compromise (IOCs) – Do the company’s IP addresses, servers or domain names appear in the IOC list of malware infections, botnets or spam?
  • Email security – What platform does the company use? Has the company configured SPF, DMARC or DKIM records or have open relays on their infrastructure?
  • Reported breaches or incidents –  Has the company been the victim of any attacks they reported to a data protection body?
  • Certificates – Does the company employ strong TLS configurations and relevant, up-to-date certificates?
  • Application and server patching – Does the company keep its online assets up to date with both server and app updates?
  • Application security – Do any public-facing apps contain vulnerabilities or misconfigurations?
  • Footprint – From what locations does the company operate, including any cloud-based platforms or regional services? What IP addresses, domain names and other web properties does it own?
  • Supply chains – What parts of their web-facing infrastructure does the company farm out to partners, such as developers, white-boxed services or subcontractors?

Assessing Information Security Resources

Knowing all of this helps to indicate the resources put towards information security generally, most importantly the delivery and management of those systems and services that face the public internet. A poor score in one or more areas may suggest a weakness in a certain skill set or a blind spot in defenses.

A lot can be inferred from the pictures they paint. For example, the use of a specific cloud-hosting platform or underlying tech can guide the acquirer towards picking a target that aligns with their tech base, helping smooth the transition. It will also be obvious right away if you will need to standardize towards a certain platform, such as moving from G-Suite to Microsoft 365.

The use of OSINT doesn’t replace the need for due diligence of IT systems and security practices once the acquisition is underway. However, it can help build a picture of how seriously a company takes security. In doing so, it reduces the risk of any nasty surprises further down the line.

More from Intelligence & Analytics

What makes a trailblazer? Inspired by John Mulaney’s Dreamforce roast

4 min read - When you bring a comedian to offer a keynote address, you need to expect the unexpected.But it is a good bet that no one in the crowd at Salesforce’s Dreamforce conference expected John Mulaney to tell a crowd of thousands of tech trailblazers that they were, in fact, not trailblazers at all.“The fact that there are 45,000 ‘trailblazers’ here couldn’t devalue the title anymore,” Mulaney told the audience.Maybe it was meant as nothing more than a punch line, but Mulaney’s…

New report shows ongoing gender pay gap in cybersecurity

3 min read - The gender gap in cybersecurity isn’t a new issue. The lack of women in cybersecurity and IT has been making headlines for years — even decades. While progress has been made, there is still significant work to do, especially regarding salary.The recent  ISC2 Cybersecurity Workforce Study highlighted numerous cybersecurity issues regarding women in the field. In fact, only 17% of the 14,865 respondents to the survey were women.Pay gap between men and womenOne of the most concerning disparities revealed by…

Protecting your data and environment from unknown external risks

3 min read - Cybersecurity professionals always keep their eye out for trends and patterns to stay one step ahead of cyber criminals. The IBM X-Force does the same when working with customers. Over the past few years, clients have often asked the team about threats outside their internal environment, such as data leakage, brand impersonation, stolen credentials and phishing sites. To help customers overcome these often unknown and unexpected risks that are often outside of their control, the team created Cyber Exposure Insights…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today