Anyone who’s ever been in a relationship knows that the beginnings and ends are the toughest parts. This is when the baggage is dusted off, brought to light and (all too frequently) used detrimentally.
Mergers and acquisitions — and their mirror image, divestments — are the organizational equivalents of marriage and divorce. During the process, past indiscretions are discovered, leveraged in negotiations and ideally rectified or laid to rest. This process is known as due diligence, and it’s based on well-known and proven financial and business processes, best practices and playbooks. If the due diligence process is successful, there are no surprises.
However, with the technology landscape evolving faster than ever, these best practices and playbooks are quickly becoming outdated. This means that unwelcome surprises are more and more frequent during M&A and divestment. Why? There’s baggage that is slipping through the due diligence cracks, coming to light at the worst possible times and, unfortunately, causing tangible damage to involved parties. I’m referring to baggage from the digital supply chain. Let’s call it digital baggage.
What Is Digital Baggage?
Digital baggage is the leftovers of past connections in an organization’s digital supply chain. These connections can be direct — like those between an enterprise and its cloud provider or DNS servers — and they can also be with parties further downstream (we call them Nth-degree parties). These are the providers of providers of providers — and this long-tail of liability is what’s making things so much more complex.
The core issue is that the digital supply chain is a relatively new frontier. In recent years, enterprises, SMBs and almost everyone else transitioned significant portions of their infrastructure, core digital business processes and even day-to-day operations to third parties. Yet these parties have their own digital supply chain, having undergone similar digital transitions. This compounds the length and complicates the intersections of any supply chain. The picture is so complex that one colleague of mine began referring to it as digital supply chain spaghetti — along the lines of what programmers call spaghetti code.
And when untangling digital supply chain spaghetti — just like when untangling relationship intricacies — it’s incredible the things you discover: connections you never knew you had; connections you thought were history; vulnerabilities you never even considered. This is the essence of digital baggage. And it’s taking a steep toll on companies in transition.
What You Don’t Know Can Hurt You
Last year, one of our customers began an M&A process. The due diligence and acquisition strategy looked great. And then…an intrepid IT exec requested that we scan the acquisition target’s digital supply chain. We found — as we frequently do — some 30% more assets than our client, and the acquisition target itself, were even aware of. And this number is not anomalous: We frequently discover up to 100% more assets connected to our customers through our attack surface discovery tool. These are digital baggage wow moments. Because in IT, as in life, what you don’t know can hurt you.
In security lingo, digital baggage is a vulnerable, often unmapped external attack surface. As in the example above, it’s frequently inherited during M&A, and often remains in place after a divestiture — even if the separation was thoroughly completed on the infrastructure level. Even for divested entities that have been sold or spun-off in the distant past, and considered completely severed from the divesting entity, we often find assets that continue to exist yet are not actively administered, maintained or governed by the organizational security teams.
What Can be Done?
Whether your organization is a serial acquirer or planning a one-off merger, acquisition or divestment, you can’t afford to ignore digital baggage, because it will eventually not ignore you, either. Inherited digital baggage is potentially an inherited liability — and no one goes into M&A looking to acquire liability.
To lower the risk, it’s crucial to gain full visibility into your existing external attack surface. Adopt tools that can thoroughly inventory your own environments, including visibility into your 3rd, 4th and Nth degree suppliers. Once you’re comfortable that your own external attack surface is fortified, thoroughly explore that of the company you’re acquiring or divesting.
For M&A, this attack surface reduction process needs to happen prior to integrating the acquired entity so you can optimize the security posture potential of the two infrastructures together. In many cases, you’ll also find areas that can be eliminated rather than duplicated — streamlining integration and conserving resources. For divestiture, it should happen before the final handshake, too — to ensure that the separation is not only legally but also technically sound.
Despite the best due diligence efforts, almost every merger, acquisition or divestiture will come with some surprises. The first step to ensuring that digital baggage is not among these is to understand the existence and extent of the challenge.