It’s a fact perhaps not so widely known that 40% of acquiring companies going through an M&A discovered a cybersecurity problem during the post-acquisition integration. What this would indicate is that acquirers aren’t being given the right information about the data security in the company they are buying. That’s pretty shocking considering the level of due diligence required in the M&A process.
So why is this happening?
We know from our experience helping companies discover their data, that approximately 85% of it is unstructured or ‘dark’ data comprised of documents, spreadsheets and information often downloaded from structured databases and shared and stored in email inboxes, Word documents, Excel spreadsheets and cloud storage drives in the course of everyday working.
We also know from our customers that a typical organisation’s unstructured information contains:
- 42% confidential information
- 1% sensitive personal information
- 9% personally identifiable information
The security threat in dark data
The major risk of dark data is the security threats it poses. Dark or unstructured data is the point of weakness in any organisation leaving the business vulnerable and exposed. Because it is hidden, it can’t be secured.
It can include data such as plaintext passwords stored in word documents, PKI certificates sitting in email inboxes, and Personally Identifiable Information (PII) without password protection and it’s this that the traditional M&A process is failing to find
Indeed, this is exactly the kind of data stolen in Marriott Hotels’ catastrophic data breach from 2018 which is back in the news as they face a class action litigation from one customer on behalf of the 30 million affected. What’s fascinating about this story is that during its acquisition of Starwood Hotels in 2016 Marriott did not find the 5 million passport numbers that were unencrypted or the 8 million encrypted credit card details that were stored alongside the encryption keys on the same server and that were breached two years later. How could they have found these if they didn’t have the tools to do so during the due diligence process?
The problem is that data security due diligence is often performed by lawyers or due diligence experts who might not have a deep level of cybersecurity expertise. But the bigger problem lies in the fact that it is often a manual process, using a routine set of questions. And what’s needed is automated data discovery at scale.
Data discovery – a new approach to due diligence
Our recent research shows that 77% of IT professionals are concerned about personally identifiable information (PII) that’s hidden within their organisation’s data estate and which they therefore can’t find or protect. So it’s perhaps unsurprising that research from Deloitte shows 70% of organisations say that the protection of data assets in a company they are acquiring is more of a concern now than it was a year ago.
The first step to achieving peace of mind in an M&A deal is to gain visibility of data at scale.
Specialist data discovery tools are available that can reveal exactly what sits in a data estate at huge scale across structured and unstructured databases, whether that data is held on-premise or in the cloud and whether it is known about or dark. Once an organisation knows what data they’re acquiring or merging with, they can at least take action to secure it. Without first understanding what exists within the data, or how it’s protected, many organisations will only find out after it’s too late.
For example, we have a customer in financial services using Exonar to discover and index a data estate of 160TB or more. They acquire businesses from time to time, but are starting with identifying what data they have themselves and where it is, so the information can be secured in a regulatory and contractually compliant way. A good start for any deal.
The importance of data in M&A deals must not be underestimated because you can’t secure what you cannot see – making data discovery a vital step for businesses looking to acquire or merge with other organisations. Those that don’t discover and understand their dark or unstructured data, are potentially missing 85% of what they need to protect when the deal is done.
We must take a new approach to due diligence if businesses going through M&A want to avoid becoming the next negative news story because they discovered a hidden data security problem post-merger.
Contributed by Gareth Tranter, head of customer satisfaction, Exonar