October 3, 2019

Buying or selling a construction business? Ask these 7 cybersecurity questions first

Reber

If you're contemplating or preparing your construction firm for a merger or acquisition, cybersecurity should be among your top concerns, ranking on par with legal and financial considerations.

With such high value associated with these transactions, unknown cybersecurity vulnerabilities could jeopardize the outcome.

Below are important questions to consider as a construction business owner, whether on the buy or sell side, before entering M&As.

1. Is it common to find security challenges or breaches during due diligence?

Absolutely. Without any information security digital due diligence, companies can discover woefully inadequate security protecting their potentially new assets. Some buyers have even uncovered previously unknown breaches of the acquired firm, with repercussions for which they may be liable.

It's important for the buying company to address security as part of due diligence. This can help avoid potential financial consequences that weren't taken into consideration when negotiating the original acquisition price.

2. Where do you typically find issues?

They're typically found in software, infrastructure and security control mechanisms.

Historically, attackers have typically exploited weaknesses in perimeter security devices such as firewalls and routers. These methods still happen frequently, but in 2017, website application source code security issues overtook network security vulnerabilities as the top attack vector, according to the Verizon Data Breach Incident Report.

It's an easier target for hackers because network or perimeter security measures are usually more mature than software security measures. These security vulnerabilities often exist in the actual source code of a company's internet applications or software packages that the buyer intends to acquire.

Sellers also need to be concerned about unknown security problems. Vulnerabilities discovered on their end could reduce or delay payments until the depth of the problems are understood and vetted.

In general, a breach can be incredibly damaging to a business and result in direct financial theft, loss of customers' personal information, stolen intellectual property and endless lawsuits.

3. What else should you consider when buying a software company or product?

The most important element is to assess vulnerabilities at the source code level. If your transaction is just a product sale, the security of the company infrastructure may not be of high interest.

Here's the process:

• Map the attack surface of the target applications

• Analyze how security is handled at data ingress and egress points

• Test authentication and authorization components that provide log in and the scope of permitted access, calls to databases, and data collection fields

• Discover known software vulnerabilities

• Confirm that data is encrypted when in transit and at rest

Automated tools can quickly scan the software and typically identify about half the types of vulnerabilities that may be present. To get a comprehensive understanding of the security footprint of your website or application, combine the automated scan with a manual inspection of the source code. This can help identify additional security issues within the source code.

A business logic assessment can also help discover built-in vulnerabilities that aren't coding vulnerabilities per se, but still present risks due to as-designed application logic flaws.

4. Is there a foundational approach when buying a company?

Definitely. A defined security program is a must at any company, and when appropriately created, demonstrates how it supports the company's needs.

Request a review of the security program to understand how thoroughly your target company worked to secure its assets. Here are the items to request and assess:

• Data classification schema that drives data handling policies and procedures

• Security assessment results that may be available

• Incident response procedures and recent test results

• User awareness efforts, especially as they relate to suspicious emails

• Security organization and coordination of functional responsibilities

If a company operates within a compliance framework, it should be accustomed to providing security compliance reports. Examples of compliance frameworks include the General Data Protection Regulation, Health Insurance Portability and Accountability Act, and Payment Card Industry Data Security Standards.

5. What if you're buying a company that comes with IT infrastructure?

The IT infrastructure should be assessed as well. Networks and IT infrastructure are often the main targets for culprits attempting to infiltrate a company to steal information. At a minimum, automated tools should be used to perform a scan of networks, both internal and external, to identify vulnerabilities.

As with source code scanning, if these automated scans expose lax security within the target network, you may want to seek the services of security advisors who can perform a deeper dive. An advisor can help review firewall and server configurations and also look at the network architecture and its design to compare it to best security practices.

6. What does a worse-case scenario look like if the infrastructure is breached?

The 2014 breach of Target is a telling example.

The retailer's heating, ventilation and air-conditioning vendor was hacked. The vendor essentially had a trusted internet connection directly into the Target network. These environmental control functions could have been isolated separately within the network. Instead, inadequate segmentation in the Target network architecture allowed the culprits to gain access to the entire network. This breach resulted in nearly $300 million in damages.

7. Should you look at cybersecurity as a distinct issue or with a more holistic approach?

A holistic approach to cybersecurity can help any company overall. There's added value when cybersecurity professionals have expertise across all aspects of information security: source code and website, infrastructure, and programmatic security. By having all these areas examined and secured simultaneously, you can move forward with a deal feeling confident that the necessary precautions have been taken.

Source code security is emerging as a hotspot for hackers, so those professionals in particular should have backgrounds in software development to understand how processes work. This allows them to home in on vulnerabilities in the source code, determine how much risk they present to the company, and the level of effort needed to remediate them and then communicate with application developers.

While automated tools are useful, an advisor's analysis can help reduce any false positive security issues that tools call out, as well as find vulnerabilities and vet them against real-world risk.

Greg Reber is a partner of cybersecurity consulting services at Moss Adams in San Francisco.

Previous columns:

• Stantec 'trains' rivers to protect oil flowing in the trans-Alaska pipeline, 09-26-2019
• How a big-time project consultant learned to buff up its communication skills and connect with clients, 09-19-2019
• Tree Farm building in Portland brought arborist on board with the design team, 09-12-2019
• Pentagon defers 127 building projects to construct 175 miles of Trump's border wall, 09-05-2019
• Crews will use buckling restrained braces to build Hedreen's Seattle hotel faster, 08-29-2019
• Here's why the county's $242M justice center project has so many apprentices working on it, 08-22-2019
• Long-awaited condo reform kicks in; here's what developers need to know, 08-15-2019
• Chehalis-based Pacific Mobile expands its trailer business on the West Coast, 08-08-2019