Navigate mergers and acquisitions with CASM
The value of your attack surface may go down as well as up
Executive leadership teams aren’t the only ones keenly aware that a merger or acquisition marks a vulnerable period. Attackers understand that times of change open fresh opportunities: not just to exploit transitional challenges in ERP systems or payroll, but to actively capitalise on new financial realities, from manipulating stock prices via reputation damage to zeroing in on a target’s hypothetically more lucrative ransomware payout.
Unfortunately, standard M&A security best practice offers only a static, point-in-time indication of hypothetical risks, rather than a live view of current exposure. Compliance due diligence and an IT network evaluation may satisfy a risk manager, but one-off checks are irrelevant to would-be attackers, who know that mergers and acquisitions are periods in which opportunities for ongoing exploitation are more likely to surface.
Here CASM has a distinct edge over static risk management strategies. Delivered by a team of ethical hackers who understand how to exploit an M&A at a technical level, CASM actively discovers and monitors your new ‘attack surface’ as it changes. Compared with penetration testing, for instance, which offers a ‘deep and narrow’ indication of risk, the ‘shallow and wide’ oversight of CASM spans an organisation’s (and its partners’) entire attack surface, making it invaluable during M&As.
A single ‘source of truth’ for compliance during turbulent times is a relief. The CASM dashboard enables real-time reporting that makes compliance easier, with flexible reporting metrics tailored to sector-specific standards as required.
Gaining visibility and control
Discovering the total ‘attack surface’ of the prospective M&A organisation is the first step.
Before any paperwork is signed, standard IT network evaluation or vulnerability management reviews should be conducted, as well as an in-depth discovery phase that goes beyond automated methods that typically fail to fully uncover obscured ‘shadow IT’.
You need to be able to confidently answer the following questions:
- How much do we know about our external posture?
- What does the external posture look like to a would-be attacker?
- What are the core technologies relied upon and where are they?
- Are any of our prospective M&A companies affected by the latest critical zero-day vulnerabilities and, if so, where?
- Are appropriate defences and controls in place to prevent documented business risks being realised?
- How could/do third parties influence and affect the security posture of our organisation after the M&A?
Remember that acquisition candidates typically seek to be sold at the highest value, increasing the likelihood that security issues have been swept under the rug. Expert-led discovery is required to uncover obscured leaks or security risks that attackers will seek to leverage and which could significantly impact your investment.
Once acquired, imagine the common scenario where a new acquisition with high growth potential has been overspending and underperforming. Your logical next move will likely be stripping out anything you don’t need—including employees, processes and technologies—to stimulate growth. A pragmatic financial strategy, sure, but it leaves employees feeling insecure and the day-to-day processes they follow significantly disrupted.
Most concerning of all from a security perspective is the lack of control over key technologies that must be continually monitored to prevent a cyber incident – a task which has likely been interrupted or discontinued completely.
CASM in practice
We start by discovering all technologies that must be transferred or decommissioned safely by the IT team.
This may span data centres, servers and network systems, or the merging of communications systems such as email servers or messaging platforms; these are inherently risky activities even when completed without obvious complications. Having a team of offensive security experts to guide and continuously monitor your organisation from an external perspective is invaluable given the elevated risk of data loss and exposure.
Let’s take just two specific risk scenarios to illustrate how CASM would manage risk:
Third-party Cloud platforms
The acquired company may use cloud platforms like Slack, Teams or Confluence (a list that is likely growing substantially) that may no longer be needed.
Improper decommissioning or lack of integration with the new IT environment can leave residual vulnerabilities, such as exposed data or inactive user accounts that attackers could exploit.
How CASM provides proactive assurance:
- Comprehensive asset discovery – CASM will continuously identify and compile an inventory of all third-party cloud services associated with the organisation, including those that may be unaccounted for in traditional audits. This ensures visibility into all platforms, even those that the IT team might not be aware of.
- Usage monitoring – CASM tracks the usage of third-party cloud services in real-time. If a service like Slack is no longer being actively used but has not been properly decommissioned, CASM will detect this and alert the security team to act, such as revoking access or properly archiving data.
- Risk assessment – If an essential platform used by an acquired company must be migrated, CASM can test whether the migrated services are working as intended, detecting whether assets can be accessed anonymously and verifying that new security configurations and policies are effective, for instance that data encryption standards, access controls or logging practices meet the acquiring company’s security policies. Conducted in collaboration with the defensive security team (e.g. a SOC or MDR), CASM can recommend adjustments or integration changes from an external offensive vantage point to maximise coverage.
- Decommissioning guidance – When retiring a third-party platform, CASM can provide a checklist to ensure that all necessary steps are taken—such as removing user accounts, transferring critical data securely, and closing potential security gaps left by the platform’s exit.
Financial system integration
The list of processes an M&A may disrupt is long. Financial system integration is one crucial aspect that CASM proactively supports.
The integration of financial systems during an M&A—such as transitioning payroll systems, accounting software, ERP systems, or banking platforms—carries significant risks. Misalignments or errors during this process can lead to financial discrepancies, unauthorised transactions, or create opportunities for fraud. Attackers are particularly keen to exploit any vulnerabilities that emerge during this transition.
Many organisations, especially during an M&A, rely on cloud-based or Software-as-a-Service (SaaS) financial systems, such as payroll platforms (e.g., ADP, Workday), accounting software (e.g., QuickBooks Online, Xero), and ERP systems (e.g., Oracle ERP Cloud, SAP S/4HANA Cloud). These systems are accessed via the internet and, if improperly configured or inadequately secured, can become vulnerable to unauthorised access.
CASM continuously monitors external-facing assets and cloud services:
- Misconfigured cloud services – Cloud services often have endpoints (APIs, admin panels, web portals) that are public-facing. If these are not properly secured with strong authentication, or if their configurations are misaligned, they can be exposed to attackers. While a penetration test will test deeply for such vulnerabilities and misconfigurations, CASM provides continuous external visibility to ensure that new exposures don’t appear after the pen test concludes.
- API exposure – Financial systems often integrate through APIs, which can also be publicly exposed if not securely managed. Attackers could exploit these endpoints if they’re improperly protected or discoverable via internet scanning tools.
- Web-based portals for financial systems – Many financial tools like payroll systems and accounting software have web portals that can be accessed remotely by employees and administrators. These portals, if misconfigured or if default credentials remain active during the transition, can be exposed externally.
- Weak authentication or authorisation – If these web portals use weak or default credentials, or if they lack proper user management (e.g., former employees still having access), attackers can exploit them.
- Open admin consoles – Many services expose administrative consoles to the public internet, either intentionally (for ease of management) or accidentally (due to misconfigurations), which could be entry points for attackers.
CASM is also invaluable for regulatory compliance checks. By continuously tracking and logging all changes and activities within financial systems, CASM helps maintain an audit trail that can be crucial during regulatory reviews or internal audits.
Managing DNS records
During an M&A, DNS records from the acquired company must be transferred to the acquiring company’s control; in practice, obsolete DNS records are often not deleted or updated, leaving legacy systems or domains vulnerable to exploitation.
The CASM team supports a secure transition by conducting:
- Continuous discovery – JUMPSEC’s CASM team will continuously scan the organisation’s entire digital footprint, including DNS records to identify all active, inactive, or stale DNS entries, helping teams recognise which records need to be updated, deleted, or further investigated. CASM flags misconfigured or abandoned DNS entries, such as those pointing to decommissioned servers or IP addresses that no longer belong to the company. By monitoring DNS changes in real-time, CASM ensures that such issues are quickly identified and resolved.
- Alerting on shadow IT – CASM identifies DNS entries associated with ‘shadow IT’ assets—systems or domains that may not be fully documented or managed, ensuring they are not overlooked during the transfer process.
- Change monitoring – After DNS records are transferred, CASM continuously monitors for unauthorised changes. For example, if an old DNS record is reactivated or redirected maliciously, the CASM platform triggers alerts for immediate investigation.
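As an added example (not JUMPSEC’s own CASM code), the following Python shows the two DNS checks described above run over constructed data: diffing a baseline inventory against a later re-discovery snapshot to catch reactivated, removed or changed records, and flagging records whose targets lie outside the address ranges or zones the combined organisation still controls. OWNED_NETS, OWNED_ZONES and both snapshots are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): address ranges the combined
# organisation owns after the deal, plus a baseline DNS snapshot taken at transfer
# and a later re-discovery snapshot. Keys are (record name, record type).
OWNED_NETS = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.0/25")]
OWNED_ZONES = ("acquired.example", "acquirer.example")
BASELINE = {
    ("www.acquired.example", "A"): "203.0.113.10",
    ("mail.acquired.example", "A"): "203.0.113.25",
    ("legacy.acquired.example", "A"): "192.0.2.77",                  # address sold with a divested unit
    ("wiki.acquired.example", "CNAME"): "team.saas-vendor.example",  # retired third-party platform
}
CURRENT = {
    ("www.acquired.example", "A"): "203.0.113.10",
    ("mail.acquired.example", "A"): "198.51.100.200",  # changed, and outside the owned /25
    ("legacy.acquired.example", "A"): "192.0.2.77",
    ("old-crm.acquired.example", "A"): "192.0.2.80",   # stale record that has reappeared
}

def in_owned_space(rtype, value):
    """True when an A/AAAA target is in an owned range or a CNAME target is in an owned zone."""
    if rtype in ("A", "AAAA"):
        return any(ipaddress.ip_address(value) in net for net in OWNED_NETS)
    if rtype == "CNAME":
        return any(value == z or value.endswith("." + z) for z in OWNED_ZONES)
    return True  # other record types are out of scope for this check

def dangling_records(snapshot):
    """Records whose target is no longer under the organisation's control, sorted by name."""
    return sorted((name, rtype, value) for (name, rtype), value in snapshot.items()
                  if not in_owned_space(rtype, value))

def diff_snapshots(baseline, current):
    """Added, removed and changed records between two inventory snapshots."""
    added = {k: current[k] for k in current.keys() - baseline.keys()}
    removed = {k: baseline[k] for k in baseline.keys() - current.keys()}
    changed = {k: (baseline[k], current[k]) for k in baseline.keys() & current.keys()
               if baseline[k] != current[k]}
    return {"added": added, "removed": removed, "changed": changed}

def alerts(baseline, current):
    """One alert line per finding, in a form a ticketing or SIEM pipeline could ingest."""
    d = diff_snapshots(baseline, current)
    out = [f"ADDED {t} {n} -> {v}" for (n, t), v in d["added"].items()]
    out += [f"REMOVED {t} {n} -> {v}" for (n, t), v in d["removed"].items()]
    out += [f"CHANGED {t} {n} {old} -> {new}" for (n, t), (old, new) in d["changed"].items()]
    out += [f"DANGLING {t} {n} -> {v} (target not under our control)" for n, t, v in dangling_records(current)]
    return out
```

Running alerts(BASELINE, CURRENT) surfaces the reactivated old-crm record, the retired wiki CNAME, the changed mail record and the three records now pointing outside owned space; in practice the snapshots would come from zone exports or the discovery tooling rather than literals.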
Reducing human error
Employees and their sensitive information undergo substantial changes during M&As. Let’s look at how CASM manages two:
- Leaked credentials – Sure, you can disable all email and Single Sign-On access wholesale, but you need to understand what credentials have been leaked in the past. A potential acquisition will seek to be sold at the highest value, increasing the likelihood that security issues have been swept under the carpet, and leaks or security risks may be obscured. Scenario: you buy the company, it has already been hacked and its information leaked on the dark web, and by connecting it to your environment you have enabled a third-party attacker to use those leaks against you.
- Insider threats – It is a misconception that all insider threats are malicious individuals who consciously seek to harm their organisations. Yes, disgruntled employees have been known to damage their soon-to-be former employer out of spite (and an M&A could provide such a scenario), but insiders with no malicious intent can be equally dangerous. Attackers will attempt to use M&As as a pretext to manipulate employees and, if adequate open-source information is available online, attackers’ pretexts can be highly persuasive.
Where CASM supports business
Meet strict regulatory requirements – CASM demonstrates an advanced level of risk mitigation against stringent financial regulations and data protection laws, reducing the risk of legal and financial penalties as well as reputational damage.
Client trust and confidence – Cyber security incidents substantially erode client trust and confidence. CASM enables organisations to continuously discover, swiftly mitigate and, where appropriate, inform clients or partners of a cyber incident, meaning trust is not lost but rather strengthened progressively over time.
Integrity of financial data – Ensuring the accuracy and integrity of financial data is crucial for organisations, particularly frequent investor firms well accustomed to M&As. Cyber-attacks that alter or corrupt data can hinder investment decisions, cause financial losses and create regulatory issues.
High-value targets – Navigating an M&A, particularly one of high value, essentially marks a target on every organisation observably interconnected with it. Cumulatively, the organisations involved likely possess extensive financial data, client information and investment strategy information, making them a lucrative target for financially motivated cyber criminals seeking to conduct data theft, fraud or ransomware extortion.
Sean Moran
Sean is a cyber security researcher and writer with a particular interest in the impact of geopolitics and ransomware extortion within the cyber security industry.