Mergers and acquisitions (M&A) have been challenging for IT and security teams for as long as businesses have relied on technology. Every company’s IT system is as unique as the company itself. Your business may run on commonly used tools and apps, and follow industry best practices to deploy and configure them. Nevertheless, these systems get molded to the specific needs of the business over time.

Bringing Two Disparate Systems Together

This uniqueness makes the M&A process difficult when it comes to bringing together the technical systems and security needs on which the merged companies must function. The result can be drawn-out projects that take years to fully transition to one IT pipeline.

The growth of cloud platforms has made these already challenging processes more complex. First, many apps used for work moved to a software-as-a-service model. In addition, the assets which comprise the products and unique selling points of many businesses now reside in one of the many cloud-hosted platforms. They aren’t physical assets in a data center anymore.

In order to help address these challenges, assess and review tech early in the M&A cycle. It’s tempting to assess targets based mainly on their places in the market. After all, companies acquiring others want to fill a gap in their portfolio or own a specific tool or service. Checking for tech bottlenecks often comes late in the M&A cycle, leaving little time to consider the impact they will have on the future.

How Using OSINT Helps

This is where open-source intelligence (OSINT) can help. It lets an acquirer assess a potential target’s defenses and understand many aspects of the way it runs long before getting into the weeds of due diligence. As the name suggests, OSINT combines free, openly available information gathered from different sources. It builds a picture of a company’s posture and is uniquely positioned to assess cloud defenses.

The simplest route to get to know a company’s cloud security posture is to get OSINT health reports. These cover a lot of potential issues directly tied to the way the target company runs. They also pull their source data from multiple public scans and repositories. They can compare these with other, similar industry players, allowing a simple visual contrast with business rivals.

OSINT Checklist

Some areas that an OSINT report will cover include:

  • Platforms and services – What cloud-hosting platforms and services does the target use? What tech underpins their offerings and operations?
  • Indicators of compromise (IOCs) – Do the company’s IP addresses, servers or domain names appear in IOC lists for malware infections, botnets or spam?
  • Email security – What platform does the company use? Has the company configured SPF, DMARC or DKIM records, and does it have open relays on its infrastructure?
  • Reported breaches or incidents – Has the company been the victim of any attacks they reported to a data protection body?
  • Certificates – Does the company employ strong TLS configurations and relevant, up-to-date certificates?
  • Application and server patching – Does the company keep its online assets up to date with both server and app updates?
  • Application security – Do any public-facing apps contain vulnerabilities or misconfigurations?
  • Footprint – From what locations does the company operate, including any cloud-based platforms or regional services? What IP addresses, domain names and other web properties does it own?
  • Supply chains – What parts of their web-facing infrastructure does the company farm out to partners, such as developers, white-boxed services or subcontractors?
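
As an added illustration of the email security item (not code from the original article), the sketch below grades SPF and DMARC posture from TXT records that have already been collected from public DNS. The domain names, record contents and grading labels are constructed assumptions for the example.

```python
# Added example: grades SPF/DMARC posture from already-collected TXT records.
# DKIM is not graded: its selectors cannot be enumerated from DNS alone.
def grade_spf(txt_records):
    spf = [r for r in txt_records if r.lower().split()[:1] == ["v=spf1"]]
    if not spf:
        return "missing"
    if len(spf) > 1:
        return "invalid: multiple SPF records"  # RFC 7208: permerror
    terms = spf[0].lower().split()[1:]
    if any(t.startswith("redirect=") for t in terms):
        return "delegated via redirect"
    final = next((t for t in terms if t.lstrip("+-~?") == "all"), None)
    if final is None:
        return "weak: no 'all' term (implicit neutral)"
    # A bare "all" carries the default "+" qualifier, so it falls through.
    return {"-": "strict (-all)", "~": "softfail (~all)",
            "?": "weak: neutral (?all)"}.get(final[0], "weak: +all permits any sender")

def grade_dmarc(txt_records):
    dmarc = [r for r in txt_records
             if r.lower().replace(" ", "").startswith("v=dmarc1")]
    if not dmarc:
        return "missing"
    if len(dmarc) > 1:
        return "invalid: multiple DMARC records"
    tags = {k.strip().lower(): v.strip() for k, v in
            (p.split("=", 1) for p in dmarc[0].split(";") if "=" in p)}
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        return "invalid: no valid p= tag"
    if policy == "none":
        return "monitor only (p=none)"
    pct = tags.get("pct", "100")
    suffix = "" if pct == "100" else f", applied to {pct}% of mail"
    return f"enforcing (p={policy}{suffix})"

def assess(domain, zone):
    """zone maps a DNS name to the list of TXT strings found for it."""
    return {"spf": grade_spf(zone.get(domain, [])),
            "dmarc": grade_dmarc(zone.get("_dmarc." + domain, []))}

SAMPLE_ZONE = {  # constructed records on reserved example domains
    "target.example": ["v=spf1 include:_spf.mail.example ~all", "site-verification=abc123"],
    "_dmarc.target.example": ["v=DMARC1; p=none; rua=mailto:dmarc@target.example"],
    "acquirer.example": ["v=spf1 ip4:192.0.2.0/24 -all"],
    "_dmarc.acquirer.example": ["v=DMARC1; p=quarantine; pct=50"],
}

if __name__ == "__main__":
    for d in ("target.example", "acquirer.example", "unknown.example"):
        print(d, assess(d, SAMPLE_ZONE))
```

Running the same grading over the acquirer and the target gives the side-by-side comparison the health reports aim for.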

Assessing Information Security Resources

Knowing all of this helps to indicate the resources put towards information security generally, most importantly the delivery and management of those systems and services that face the public internet. A poor score in one or more areas may suggest a weakness in a certain skill set or a blind spot in defenses.

A lot can be inferred from the pictures they paint. For example, the use of a specific cloud-hosting platform or underlying tech can guide the acquirer towards picking a target that aligns with their tech base, helping smooth the transition. It will also be obvious right away if you will need to standardize towards a certain platform, such as moving from G-Suite to Microsoft 365.

The use of OSINT doesn’t replace the need for due diligence of IT systems and security practices once the acquisition is underway. However, it can help build a picture of how seriously a company takes security. In doing so, it reduces the risk of any nasty surprises further down the line.
