Alexey Vovk, Head of the Information Security Department at Kaspersky, cautions: “Acquiring an already established business can be an attractive option for example for entrepreneurs, given its potential for quick profitability, or similarly for large corporations that want to acquire innovative assets or intelligence that can expand their business. But over and above traditional legal, financial, and governance due diligence during such a process, cybersecurity must be a focal point too.”
At a minimum, consider conducting the following cybersecurity assessments before purchasing a new business:
- Existing cybersecurity measures: Investigate any past cybersecurity audits the company may have undertaken, even if they are self-conducted.
- Valuable assets: Identify the most valuable digital assets of the business. For an e-commerce platform, this might be the website, so a thorough vulnerability check is essential.
- Hosting and data management: Inquire about the company’s Web hosting provider and their reputation. Past security incidents might necessitate a change in hosting.
- Security standards: Depending on the nature of the business, there might be specific cybersecurity standards to adhere to. Even businesses without critical assets should have baseline security to thwart common threats like ransomware.
- Company reputation and data breaches: Research past data breaches and the subsequent remediation steps. Data leaks can tarnish a company’s reputation and cause legal repercussions.
However, Vovk goes on to caution that even beyond all the aforementioned sound advice, employee errors are also a concern and that can lead to significant data breaches. This is demonstrated in recent Kaspersky research carried out among employees in the Middle East, Turkey, and Africa region. A test with a phishing simulator built into the Kaspersky Automated Security Awareness Platform (KASAP) showed that 20% of employees would click on a malicious link, falling for scam emails with claimed corporate announcements.
“When buying a business, the acquiring organization must consider any previous cybersecurity training conducted for staff as well as non-disclosure agreements when it comes to employees and third parties handling sensitive data. Fundamentally, proper access controls for company resources must be implemented within the new entity to ensure data access is limited and revoked appropriately when employees depart,” says Vovk.
Additionally, it is also crucial to be familiar with laws pertaining to data protection and cybersecurity. This includes understanding the regional regulations and laws that outline the prescribed conditions for responsibly processing personal data.
“It must be stressed that when acquiring a company, you assume responsibility for its risks as well. Attaining and maintaining optimal business cyber resilience is an ongoing process. But, protecting yourself from new tricks by threat actors requires additional investments in digital business solutions, tools, and skills, setting the rules that comply with the law, and reviewing cybersecurity policies and new protections. Checking your cybersecurity level from the very beginning will help you reduce the likelihood of incidents, set a clear path for development, and achieve new goals,” concludes Vovk.
