Don't Risk Your M&A Deal By Leaving Cybersecurity To The IT Department
Walter Adamson
Although cyberattacks have yet to make the usual lists of M&A deal killers, it's only a matter of time before they do.
Wake in fright
As the business owner, there will be no joy for you at the end of an arduous well-executed exit path if, at the 11th hour, you wake up to be told that Russian hackers have encrypted all your systems and users are locked out. Unfortunately, this type of hack happened to Maersk in June 2017.
Here's the stark reality - if you need to figure out what to do when you get that dreaded call, then the hackers have won, your M&A is blown, and the future value of your business hangs in the balance.
Maersk spent more than $300m recovering from the cryptoworm attack. They scrapped all equipment used before the attack and installed 4,000 new servers. In reality, they could only recover without paying a ransom because a power cut in Nigeria's capital city cut the network connection to the local Maersk system, which was not infected.
It's time to make cyber security one of the highest governance priorities of your long-term exit plan. And even higher when you enter the short game and deals are being structured with qualified buyers.
After all, at this late stage of your exit journey, you should be very confident that your financials won't take a hit, nor your significant contracts. But unfortunately, cyber risks are not so predictable.
Owners must add cybersecurity to their neo-generalist skill set
You need to be confident that your business is resilient right through your exit path to the first day after being acquired so that you and your staff are protected.
Cyber security has become another skill that owners must add to their neo-generalist skill set so that they can understand its context, its nuances and how best to protect the worth of the business. Hiring a domain expert and having them report at quarterly meetings is therefore not enough.
I had some experience delving into this domain myself when recruited by BHP many years ago to set up the company-wide information system audit and control capability from scratch. That was a fascinating 3 years.
How do owners of small and medium-sized businesses set up cybersecurity governance?
These days my focus is on owners of B2B companies with between $10m and $100m in sales, especially technical organisations, e.g. engineering, IT, telecoms, manufacturing, and construction.
How can these owners best exercise due oversight of cyber security during their exit path to being acquired by a strategic buyer?
Just because you're a small business doesn't mean you won't be a target for cyberattacks.
In other words, your legacy may not survive a cyber attack.
And if you do survive one, prepare for real damage — small businesses in the US spent an average of US$955,000 per attack to restore normal operations.
Four essential elements of cybersecurity to protect your M&A deal
It's not just about having ISO27001 compliance; that's just a ticket to the ballgame.
To protect your assets you need to go deeper. I suggest that paying attention to four key aspects of managing your cybersecurity risks will yield the best dividends:
Context: Your information security plan aligns with your business strategy
As an owner, you must align your information security plan with your overall business strategy and objectives and take into account your risk appetite.
To be most effective, you should consider both internal and external contexts - as you do for your 5-year forward business plan.
The internal context consists of your business purpose, structure, processes, and culture. In contrast, the external context includes political, economic, social, technological, legal, and regulatory factors, e.g. fines for cyber security breaches.
Leadership: Helping people understand how they fit into the big picture
As an owner, you want to demonstrate that you understand the importance of effective information security and the need to implement it consistently across the organisation. Everyone needs to know that this is not just for IT.
Without your attention and proper communication, you'll spend more time and money and get a less effective outcome. After all, information security isn't just about protecting data; it's also about managing risk, ensuring compliance, and preventing fraud.
An often overlooked aspect is how much effort needs to be put into helping people understand how each of them fits into the overall picture and what they need to do to help protect themselves and the company.
You need to communicate this message to your leadership team and for them to do the same down the line. This effort requires them to lead by example and engage others in supporting the implementation. This way, you're telling everyone precisely where they stand.
If certain types of activity are prohibited, let them know why and the consequences of non-compliance. Show that you're serious about implementing information security throughout the organisation, at home, and when working at a customer's site.
Cyber security solutions: At the Neo-generalised level of deep diving
In my view, one key concept is most important for owners to understand to make an informed choice about security solutions. It is the difference between static protection at the edge of your network and network activity-based solutions that detect unusual behaviour within your network.
Static solutions focus on the domain name system (DNS), which acts as the "phone book" of the internet. It is the first point at which a connection is made and often the first place where threats attempt to infiltrate.
Not only is DNS-layer security robust, but it's also the easiest and fastest way to protect your small business. This type of security can deliver visibility and protection across every location, user, and device, including roaming laptops and Android and iOS devices, no matter where people are working and without impacting performance.
91% of malware uses DNS to gain command and control, exfiltrate data, or redirect web traffic.
However, hackers live and breathe ways to bypass DNS-layer security. Although it is rare, some threats get through. Typically, malicious code then lies dormant inside the firewall. When this code is triggered, it can spread explosively. Most of Maersk's global IT system was encrypted and taken off the air within a few minutes.
Catching this kind of threat is where dynamic activity-based solutions emerge. These solutions monitor internal information flows, identify suspicious patterns in the data - such as a malware payload lighting up - and typically use AI-based threat management, including instant isolation of infected nodes.
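The difference between the two approaches, as an added example that is not from the original article: a static DNS blocklist check lets a not-yet-listed domain through, while an activity-based check flags the workstation that suddenly contacts many internal peers. The host names, domains, flow records, port 445 and the thresholds are all constructed assumptions.

```python
from collections import defaultdict

# Constructed sample data (not from the article).
BLOCKLIST = {"known-bad.example"}

# Internal flow records: (timestamp_seconds, source, destination, dest_port).
FLOWS = [
    (0, "pc-07", "fileserver", 445),    # normal file-share use
    (60, "pc-12", "fileserver", 445),
    (65, "pc-12", "printer", 9100),
] + [
    # Dormant code on pc-07 triggers at t=300 and reaches six peers in 10 s.
    (300 + 2 * i, "pc-07", f"pc-{i + 1:02d}", 445) for i in range(6)
]


def dns_layer_allows(domain, blocklist=BLOCKLIST):
    """Static edge check: refuse a lookup if the name or a parent domain is listed."""
    labels = domain.lower().rstrip(".").split(".")
    return not any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def fanout_alerts(flows, window=120, threshold=5, port=445):
    """Activity-based check: flag a host that contacts `threshold` or more
    distinct internal peers on `port` within `window` seconds.
    Returns {host: timestamp at which it crossed the threshold}."""
    recent = defaultdict(list)  # source -> [(timestamp, destination)] in window
    flagged = {}
    for ts, src, dst, dport in sorted(flows):
        if dport != port:
            continue
        # Drop contacts that have aged out of the window, then add this one.
        recent[src] = [(t, d) for t, d in recent[src] if ts - t < window]
        recent[src].append((ts, dst))
        peers = {d for _, d in recent[src]}
        if len(peers) >= threshold and src not in flagged:
            flagged[src] = ts  # candidate for immediate isolation
    return flagged


if __name__ == "__main__":
    # A listed domain is stopped at the edge; an unlisted one is not.
    print(dns_layer_allows("cdn.known-bad.example"))  # False
    print(dns_layer_allows("fresh-domain.example"))   # True
    # The internal spread is still caught, eight seconds after it starts.
    print(fanout_alerts(FLOWS))                        # {'pc-07': 308}
```
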
Your experts should develop a business case for each type of solution based on the Context (above) and the other technical safeguards planned for deployment, e.g. secure web gateways or firewall-as-a-service (FWaaS) capabilities.
In short, as an owner, you should make it your business to be able to discuss the security architecture at the highest level and understand the trade-offs and risks.
Governance: Run cyber security as a Board-level issue, even if you don’t have a Board
When you are on an exit path, you need to have a "Board Governance" approach to managing cyber security policy and cyber security threats, even if you do not have a formal governing Board. These governance practices should include the following:
1. Establishing a Board-level cyber security committee.
2. Incorporating cyber security into the owner's and company's risk management processes, including the business continuity plan and security policy.
3. Receiving regular updates on the business's cyber security posture.
4. Having a clear plan for responding to a cyber security incident, which is regularly tested, e.g. what will your response be to a ransomware attack?
5. Adopting a policy on acceptable use of company resources.
6. Providing adequate resources to support the desired cyber security program.
7. Regularly reviewing cyber security performance and appropriate insurance coverage.
By implementing these best practices, as an owner, you can gain the necessary oversight to ensure that your organisation is taking steps to protect your investment in the business.
In our Proactive Exit Methodology the path to resilient cybersecurity is addressed as part of how digital assets are leveraged, and as part of due diligence (above).
Takeaway
Cyber attacks are a severe threat to companies that are in the midst of an M&A transaction. They can be costly, damage reputations, distract all parties, and ultimately kill the deal. Therefore, if you are involved in an M&A transaction, taking preventative steps well ahead of time is crucial.
A cyberattack can be a deal killer for several reasons.
Firstly, they can be incredibly costly to clean up. Not only do you have to deal with the immediate damage, but you also have to take steps to prevent future attacks. This cost can be a substantial financial burden and hit the bottom line hard.
Secondly, if your company is the victim of a cyber threat or attack, you must disclose the incident to potential buyers. But, again, this could scare off potential buyers or, at the very least, significantly reduce the company's value.
Thirdly, a cyberattack can damage your company's reputation, which is essential for a successful M&A transaction. A damaged reputation can lead to losing customers, making the company less attractive to potential buyers.
Finally, a cyberattack can result in the loss of essential data, making it difficult for your business to continue operating with trust.
Unfortunately, these types of attacks are becoming more and more common, and they can have a devastating effect on a deal, so prepare well ahead as part of your exit path plan.
//
This Week's Reading
Two articles from my reading list to help you grow and exit successfully.
Article 1: CEOs enabling CISOs
Even though ICT security has become an essential factor for the resilience of all organisations, most CISOs still need to make it to the boardroom. And their relationship with the board is complex.
Next to formal processes and procedures, governance has become very dependent on expectations and, therefore, expectations-management.
The expectations of those in governance positions are managed, in many ways, by those who report to them and those responsible for designing and implementing the processes and procedures.
Things tend to go wrong when security and privacy come into play. Expectations in this field often need to be better aligned.
"I've noticed that the board or the CISO realise at some point in time that the expectations resulting from simply hiring a CISO do not make all cyber challenges disappear", says the author.
This is especially true when the responsibility for ICT security governance is not explicitly assigned to a specific member of the board. This situation leaves the CISO floating around in the organisation on a kind of 'best effort' basis.
The author lays out ten "commandments for Board Members" to effectively enable their CISO.
Source: ISACA Netherlands Chapter
Article 2: Google CEO Sundar Pichai Calls for Government Action on Cybersecurity, Innovation
In the wake of Russia's war on Ukraine and the dramatic rise in cyberattacks attributed to China and Russia, it's timely to recall what Sundar Pichai, Chief Executive Officer of Google, proposed a few years ago.
Mr. Pichai said the debate around cybersecurity is too focused on individual companies and nations rather than the broader issue of how to secure information online.
He said the time had come to draft the equivalent of a Geneva Convention for technology to outline international legal standards for an increasingly connected world.
"Governments on a multilateral basis…need to put it up higher on the agenda. If not, you're going to see more of it because countries would resort to those things."
Prescient and a missed opportunity.
Source: wsj.com
//
This Week's 3 Business Books
Free for you as a subscriber to my newsletter: Three of the world's most essential and popular business books in acclaimed 12-minute videos. Listen, or watch and listen to take advantage of another big idea.
Book 1: Predictable Revenue by Aaron Ross (watch on Monday-Tuesday)
This book contains the exact sales process Aaron Ross used to grow the outbound sales process at Salesforce.com from $0 to over $100 million in annual revenue in less than three years.
The book is an excellent place to start if you need to generate more revenue, starting right now.
Book 2: Exponential Organizations by Salim Ismail (watch on Wednesday-Thursday)
Salim Ismail wrote the book Exponential Organizations to teach us how the thinking in companies whose impact is 10x larger than their peers differs from most others.
Ismail provides readers with a framework for thinking about business differently. In addition, he offers practical advice on how companies can shift to an exponential mindset.
The book is a must-read for anyone interested in staying ahead of the curve in the business world.
Book 3: Grit by Angela Duckworth (watch on Friday-Sunday)
Grit is a book about the importance of passion and perseverance. Duckworth argues that grit is the key to success in any field and is more important than IQ or talent.
Duckworth's message is that starting your day with intention can change your life. She provides research and stories to support this claim and a step-by-step guide to help readers create their Miracle Morning routine. This book is perfect for anyone seeking to change their lives and create more happiness, success, and fulfilment.
Did you enjoy this newsletter? Post it on your timeline, so your connections can enjoy it too.
Subscribe above, comment below, and message me with questions.
Email me at [email protected]
Previous Newsletter: The Most Underrated Skill In Preparing To Sell Your Business
Next Newsletter: Understanding the Force Multiplier Effect of Employee Cost Savings When On An Exit Path
Keep winning, Walter
P.S. If you know you’re ready… it might be time to explore my Proactive Exit Mastery model, to see how you might capture the ultimate exit value for your business. If you'd like to know a bit more, just message me or comment below with "Ultimate Exit Value".
Retired Old Bloke & Gas Lift Subject Matter Expert from time to time.
2 years ago: Do all hackers wear black hoodies with the hood pulled up?