Securing organizations during mergers and acquisitions

(Image credit: / Pexels)

In today’s digital world, cybersecurity can no longer be overlooked by businesses and this is especially true during a merger or acquisition. In fact, according to Deloitte’s Future of M&A Trends survey, 51 percent of M&A executives at companies in the US listed cybersecurity threats as their top concern when managing deals virtually. At the same time, security teams are often given little notice of an M&A event and are required to perform a comprehensive security assessment with less time than they need to do so.

To help organizations evaluate the security posture of M&A targets, Bugcrowd has launched a new solution called Bugcrowd M&A Assessment. To learn more about the firm’s new solution, TechRadar Pro spoke with Bugcrowd’s CEO and President Ashish Gupta.

How long do businesses normally spend on a security assessment during a Merger and Acquisition?

Not long enough. Security leaders are typically given less than 4-5 weeks to perform a comprehensive security assessment of an acquisition target. This includes activities like pen testing, asset inventory, and code review of any open-source components. 

Hacker Typing

(Image credit: Shutterstock)

Do cybercriminals often target businesses once news of a M&A goes public?

Cybercriminals routinely prey upon companies during M&A activities, evaluating the best window of opportunity in which to maximize the exploitation of a critical vulnerability.

When a M&A announcement goes public, attackers can multiply their malicious hunting activity as they search for unmonitored assets in the acquired company that can serve as an entry-point to the larger organization post-acquisition and integration. An example of such a case where an acquisition was targeted is when Marriott acquired Starwood in 2016. Marriott failed to perform a comprehensive cybersecurity audit during the M&A process and, as a result, Marriott discovered in 2018 that its Starwood systems had been compromised since 2014. This led to hundreds of millions of consumers’ information being exposed, unquantifiable reputational damage, and Marriott being levied with a hefty $120 million fine from the UK Information Commissioner’s Office (ICO), with additional penalties likely to follow. 

Can you tell us a bit more about the Bugcrowd M&A Assessment package and what motivated your organization to launch this new solution?

Bugcrowd M&A Assessment is a pre-packaged bundle of security tests that combine remotely-deployed pen tests with the advanced asset discovery, alerting, attribution, prioritization and management capabilities of our Attack Surface Management: Asset Inventory solution. With our solution, customers can initiate pre-acquisition assessments in 72 hours or less (record time for the industry) and access results in real-time through the Bugcrowd platform, expediting an evidence-based evaluation of a merger target’s cybersecurity posture. As a result, organizations can make more informed decisions about potential acquisition targets and partnerships.

We developed the M&A Assessment package in response to long-time customers of our pen testing and bug bounty solutions wanting to adapt those products to fulfill their security assessments during the due diligence period in the M&A process. This meant we needed to reduce the launch time of these pen test assessments even further while adding functionality for quickly scanning and monitoring changes to an acquisition target’s attack surfaces, and tie these solutions together with a new layer of executive reporting.

Two People Working on Laptop

(Image credit: Pexels)

How does your new solution differ from the assessments performed by traditional penetration testing shops and what are the biggest advantages?

The three challenges we heard from customers were their desire to obtain access to the right skilled resources for their specific use case instead of just getting whoever is available, the need for rapid e time to launch, and avoidance of settling for too narrow of a scope because the right skilled resources are not available to test their entire environment.

Unfortunately, many organizations attempting to engage traditional pen test providers have been faced with deciding between time to launch and quality of results. This could result in a significant skills-mismatch between testers and target. Organizations often won’t see the true impact of this scenario until weeks later, when the final report is delivered, and it’s too late to perform another. Another option we see companies using are scanners that can perform a quick high-level assessment by checking for common vulnerabilities (CVEs). This option has become particularly popular for speed, though also leaves customers with mounds of false positives they won’t have time to review. If organizations choose this route they should have a plan to quickly activate necessary resources to comb through results and deliver final recommendations.

Bugcrowd’s new solution dramatically differs from these options by providing immediate access to the right resources matched by skill and experience from a carefully curated group of several hundred thousands security professionals, not just availability. Additionally, Bugcrowd’s M&A Assessment can be launched in as little as 72 hours, and will instantly stream results to forecast outcomes prior to final report rendering so there are no surprises two to three weeks down the road. Finally, with Bugcrowd, organizations can take a fully-managed approach to ensure critical insights are validated, distilled, and prioritized for immediate action.

Can you tell us about your CrowdMatch skills matching technology and how it determines which testers are best suited for an assessment?

Our CrowdMatch technology integrates years of program and ethical hacker data within our platform to help automatically match the right team for each customer’s unique engagement. With hundreds of thousands of active hackers, customers have a deep bench of researchers to work with on their programs.

Specifically for our M&A Assessment, CrowdMatch taps researchers that have experience in the cybersecurity due diligence portion of the M&A process, as well as researchers that specialize in the specific industry of the acquisition target and digital assets that need to be tested.

Security Researcher

(Image credit: Shutterstock / Roman Samborskyi)

How long has Bugcrowd used a fully-remote crowdsourced model for testing and what are the benefits of this approach?

Since Bugcrowd’s inception in 2012, we have harnessed the power and ingenuity of the global researcher community to help identify, prioritize and fix security vulnerabilities. Through the combination of our intelligent platform and the researcher community, our customers leverage on-demand security talent, tools, and partners to augment their internal resources, prioritize and remedy their hardest-to-find security vulnerabilities. In this manner, we uniquely deliver a layered security approach - serving as a force multiplier in our customers’ security strategy.

What are the advantages of choosing the option to incentivize researchers per vulnerability?

All Bugrowd programs harness the collective potential of a global network of vetted and ranked researchers. The sheer volume of willing participants means we have our pick of whom to invite to each program based on their skill, experience and past performance. Many researchers prefer a payment structure that is more predictable, which eliminates risk while maximizing return.

This is how our payment models are configured - pen testers are paid a set amount with an opportunity for a bonus if they complete the test to our standard of quality. Our Next Gen Pen Test, a pay-per-finding, continuous testing solution, typically garners around 10 to 15 times more findings than incumbent traditional pen test solutions. This is the solution our exceptionally talented researchers often prefer as they have confidence in their ability to surface truly critical and therefore more lucrative vulnerabilities.

On the other hand, our Classic Pen Test, which is a pay-per-project solution with incentives paid per finding, is geared toward companies looking for an on-demand solution with testing completed over a defined period on project scope. Classic Pen Test will generate five times more findings than incumbent traditional pen test solutions.

Both of these incentivized options lead to longer-term researcher loyalty, as star performers are eager to continue working with organizations that reward their individual efforts.


(Image credit: Shutterstock)

Can you tell us more about your platform’s real-time vulnerability view and the kind of information organizations will be able to see during a M&A assessment?

There are two key aspects to the M&A Assessment - visibility of the attack surface and identifying security vulnerabilities that create risk. The Asset Inventory product available through the M&A Assessment package surfaces and fingerprints assets that have a high likelihood of belonging to the target organization. Discovered domains are suggested as potential inventory-adds, and organizations can accept or reject as necessary. Once this is done, Asset Inventory alerts on high-risk activity like expired or expiring certificates, exposed IP, and open ports. The initial inventory takes 2-3 days to “fully bake” at program outset, though this is dramatically lower than competitive products as Asset Inventory takes an “outside-in” approach through a pre-indexation of the entire known internet. 

Vulnerabilities surfaced in the pen test portion of the assessment are also viewable in real-time through the platform. However, customers may choose to wait until after Bugcrowd’s dedicated triage team performs their initial validation, categorization, and prioritization exercises which enrich available data while reducing noise.

The expert analysis and risk scoring provided by the M&A Assessment enables Bugcrowd customers to make faster and smarter go/no-go decisions during the M&A process.