Vishaal “V8” Hariprasad, CEO and cofounder of Resilience, the leading cyber risk solution company.
Earlier this summer, an incident tied to CrowdStrike software rocked the world, causing grounded flights and widespread system outages, with thousands of people directly affected. The cause was a faulty update to software that is, coincidentally, intended to stop hackers and prevent incidents such as this. With CrowdStrike partnering with over half of the Fortune 500 companies, more than half of the Fortune 1000 companies, and 80% of the top financial firms, the ripple effect was extensive.
While this instance wasn’t a result of a cybersecurity incident but instead a glitchy software update, it exposed the kind of digital interdependence we’re seeing across our own clients at Resilience, creating new security challenges for companies, no matter the size or industry. This exposure is something that we saw throughout our portfolio over the past year and a half, with the overwhelming issue of consolidation standing out among the rest.
Consolidation at both the business (M&A) and technological (software vendor partnerships) levels is exposing companies to cyber risk. What businesses might not realize is that integrating systems during a merger or partnering digitally can produce unintended security gaps and new opportunities for threat actors to execute damaging and disruptive campaigns.
The New Security Normal Of M&A
Mergers and acquisitions have been on the rise for years, and 2024 is no different. Just the first quarter of this year reported 36% growth compared to the same time last year. While these deals can lead to great business ventures, the not-so-glamorous side of M&A is the adoption of new risk that comes with combining with a different company—because when you acquire a new company, you also acquire its risk and vulnerabilities, cyber included.
Take the attack on Change Healthcare earlier this year, for example. Change Healthcare was acquired by UnitedHealthcare back in October of 2022, and in February of 2024, the notorious ALPHV/BlackCat group targeted the company’s post-acquisition vulnerabilities and exploited Change Healthcare’s lack of multifactor authentication (MFA) on all systems.
The fallout from this attack was monumental, with an estimated third of Americans having their sensitive health information leaked to the dark web—information that was exposed to new risk because of the acquisition.
A similar example is the Marriott data breach back in 2018. After they acquired Starwood, Marriott used the IT infrastructure that it inherited from this acquisition without knowing it had been breached by hackers, resulting in an estimated 339 million guest records affected, including passport details. By acquiring Starwood, they also acquired their risk and ultimately paid the price for it.
Both of these incidents demonstrated that when cyber risk is not evaluated as a business-critical issue in M&A, there can be catastrophic consequences. Going one step further, these examples highlight the clear gaps that exist in how organizations evaluate cyber risk as part of the M&A process. Too often, cybersecurity is seen as an afterthought or just a box to check, when it should be an integral part of the deal-making process. This means moving beyond static, surface-level self-reporting on the company’s overall security posture and building security strategies that are designed to mitigate loss from risk that is shared across multiple organizations.
The Gaps That Technological Consolidation Leaves Behind
Across our customer base, we saw more than one-third of claims since January 2023 related to vendor failure of some kind—whether that be a data breach, ransomware attack or error-driven outage. Rather than go after the company itself, it seems threat actors are targeting third-party software companies and creating a domino effect across a slew of other companies and industries.
The recent multi-million dollar hack on CDK is a prime example. CDK’s software is used by 15,000 dealerships in North America, managing everything from vehicle acquisitions to sales to financing to maintenance. In June of this year, CDK was infected by ransomware, causing many of its systems to go offline. While the incident might seem contained to CDK at first, it had a widespread impact. Car dealerships all around the United States were unable to access dealer management systems, automakers were unable to track sales and inventory through their dealer networks and customers were unable to complete purchases.
In attacking just one entity, the hackers were able to affect dealerships, automakers and customers—making the incident much more disruptive.
I don’t expect these kinds of attacks to cease anytime soon. Over the past decade, businesses have become even more interconnected, meaning their security also relies on the security of those partners that they’re connected to. However, today’s risk practices have not seen the same advancement.
Building Resilience
CrowdStrike revealed an important piece of today’s digital resiliency: consolidation is creating new challenges for maintaining business continuity and preventing loss. But it’s not a lost cause. In taking a more meticulous approach to M&A, partnerships and similar business activities—like deeply scrutinizing these deals for emerging vulnerabilities—businesses can cut down the threat of shared risk and ultimately stay resilient to material losses and business disruption.
A good starting point is to focus on the fundamentals of strong cyber hygiene: maintaining backups of your data and systems, adopting multifactor authentication and understanding employee security awareness and training. These types of business deals can expose new vulnerabilities in an organization’s security posture, but having a solid backup system for the data and servers can help mitigate any disruption.
Beyond this, partners should ask about their individual security practices and employee training. Do both organizations use multifactor authentication (MFA) to secure their systems? What policies and training do individual employees undergo to mitigate security threats? More often than expected, we find that lapses in the basics of cybersecurity are exploited and lead to business disruption, rather than a flashy new threat or security exploit.
Conclusion
Change Healthcare and CDK aren’t the only incidents that were the result of consolidation, and they certainly won’t be the last. However, if we make a more concerted effort to shore up our defenses against these risks, we can make meaningful improvements across our industry and improve our strength in the face of these new challenges.
Check back in for my next article, in which I’ll dive deeper into more specific practices for shoring up cyber risk in the face of this digital interdependence and consolidation.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders.