Cyber Due Diligence: How and Why Investors—and the Companies They Are Targeting—Should Assess Their Cyberrisks

Alan Brill, Jason Straight


October 1, 2013


Recognition of the dangers related to computer intrusions—which rose to a level that was significant enough for President Obama to discuss the issue in his 2013 State of the Union address to Congress—is an acknowledgment long overdue. Hacking is not just affecting mega-businesses like Facebook and Google, but smaller enterprises as well. According to Rep. Christopher Collins (R-N.Y.), who spoke at a meeting of the House Small Business Subcommittee on Health and Technology in mid-March, it is estimated that 20% of cyberattacks target small business. The result of these attacks is so devastating in terms of cost and impact on the business that almost 60% of small and medium businesses hit by cybercriminals shut their doors within six months of the attack.

For potential investors in early- or mid-stage companies, the incredible rise in reports of successful hacking attacks has led to a realization that the intellectual property they are considering investing in can be copied or destroyed more easily than they may have thought. In fact, for many technology firms, virtually their entire value is in the form of intellectual property. It may be anything from the design of a new energy production system to revolutionary hardware to a better software solution for a complex problem. But if that intellectual property is exposed, what is left in terms of value for the investors? Moreover, for companies that rely on web-based services and customer interactions, even if intellectual property can be protected, how vulnerable is the company to a well-timed denial-of-service attack launched by an overseas rival that could irritate potential customers and undermine a company’s credibility during a critical phase of development?

To control this risk, it has become critical for investors—and the companies they are targeting—to add a cyber element to the due diligence process.

The Usual Suspects
If you are investing in intellectual property, the reality is that the organization’s value may be determined by the effectiveness of security over that intellectual property. But how often is that security challenged as part of pre-investment due diligence? Intellectual property, particularly in start-up organizations that are laser-focused on their technology—or whatever the intellectual property represents—may be at more risk than anyone realizes.

While reports of state-sponsored hacking and the exploits of “hacktivist” groups like Anonymous are in the news, most organizations are not targeted by these groups. Hacking generally does not involve the use of so-called “zero day” vulnerabilities that no one has ever seen before. It does not involve incredibly sophisticated methods. The “usual suspects” are not brilliant hackers and foreign governments with virtually unlimited resources. The reality is much more mundane.

The largest number of incidents can be attributed to people with inside knowledge and authorized access to company systems. Whether it is a disgruntled employee with some real or imagined grievance, an employee who realizes that criminals are willing to purchase intellectual property as basic as customer lists, account details, stored credit card information or R&D data, or even someone planted in your company as an employee, contractor or vendor, someone who already has access to your intellectual property is a primary danger—just ask the NSA. If appropriate background checks are not done and systems are not monitored for unusual activity, a major data leakage can ensue.

Unique Vulnerabilities Create New Reasons for Concern

In working with technology-sector companies, particularly those in early stages of development, Kroll Advisory Solutions found that the intellectual property protection concerns of potential investors are well founded. Consider these examples of unique vulnerabilities:

A start-up software firm discovered that, over a weekend, there was a break-in at their offices (which had almost no security of any kind) and the servers that held their development system were stolen. Daily backups that were stored in a box in the server room were also taken. While they were able to reconstruct some of the stolen property, it wasn’t long before they were out of business.

In conducting an access control review for a high-tech manufacturing company in the wake of an intellectual property leak, it was discovered that, although access to project-specific portals containing sensitive IP was well controlled and limited to members of the assigned project team, it was possible for anyone with general access to the corporate network to search, view and download documents by using the enterprise search tool on the company’s intranet. Interviews revealed that, while the IT team was cognizant—and even proud—of this search capability, the operational business leaders were unaware of this critical security flaw.

An R&D company in the energy sector had a contractor install a sophisticated security camera system. The cameras could be steered and zoomed to provide excellent coverage, and were tied into a motion detection system so that any movement visible to the camera would trigger an alarm and start a video recording without any operator intervention. The state-of-the-art technology was an important part of guarding the research lab that housed prototypes of their latest inventions. Unfortunately, when a security test was conducted, it was discovered that they had outsourced the camera system maintenance to the company that installed it. Normally, that would not have been an unreasonable decision, but the testing team showed that it was possible to reach the camera system controller from the Internet. Worse, the password on the controller had never been changed from the default setting. As a result, the testing team was able to take control of the system through a simple Internet browser connection, allowing them to control any camera, turn off the motion detectors and recorders, and wipe out existing recordings. In short, the system was probably more helpful to crooks than it was to the company.

An electronics research facility installed a security system to protect next-generation chip designs that was completely separated from the Internet, so they assumed it couldn’t be hacked. In addition, all personnel and visitors were checked by security with metal detectors and their belongings x-rayed, so no one could take anything out of the facility. But just outside of the cafeteria—which was inside the company’s security perimeter—a mailbox could be used to put anything into the public postal system without inspection. Even more alarming, it was discovered that anyone could bypass security and access the design database by tethering a company laptop to a smartphone’s WiFi hotspot.

Unpatched software is another issue. Given a choice, hackers will use easy attack tools that are inexpensive and that have previously proven effective. One trick is to attack using a security hole that has already been patched by the software vendor. Many organizations do not have good patching rules in place, and it is not unusual to find machines that are months or years behind in applying patches. Obviously, any security patch that is not applied gives hackers a potential foothold into your system. Unless there is a specific reason (for example, having to connect to an old system that won’t run with a new patch), keeping up-to-date with security patches from software vendors is an effective way of shutting down this too-often successful way of breaching your defenses.

Hackers have also learned to attack features of servers and workstations that are left at the manufacturer’s default settings. Strong security often requires that some of these defaults be changed to provide a higher level of control. This process is known as “hardening,” and guides for most major operating systems are available from sources like the U.S. National Institute of Standards and Technology.

Other vulnerabilities are unwittingly introduced by the end users themselves. By now, you would think that employees and managers wouldn’t fall for phishing emails, but you would be wrong. Hackers have become skilled in crafting very convincing emails that appear to have come from bosses or other trusted sources. One click and you can be transported to a site where malware is fired into your computer and the company network to which you are connected. This “drive-by” malware does not require any action by the user to infect a machine—it is completely automatic once they land on the hacker’s page. Training, vigilance and knowledge about phishing have not stopped the problem, however. The best defense is often a combination of email filtering and monitoring to quickly identify malware activity on the network.

But no matter how much a company invests in technology and process to protect against threats to intellectual property, at the end of every security chain sits a human being. While there is increased awareness of the threats posed by cyberattackers, human carelessness is very often the catalyst for major cybersecurity breaches.

People practice poor password management habits and use the same password for personal and professional devices and systems. They fail to fully power down a laptop in order to engage the hard drive’s encryption before leaving it unattended. They allow someone without proper identification to “tailgate” into a secure area. They conduct sensitive business over unsecured WiFi connections. The list goes on. Companies should not neglect the human element of any security program and should be sure to invest in effective and ongoing security awareness training. To further mitigate human risk, companies need to restrict access to sensitive information to include only those people who require such access to carry out their job responsibilities—and even authorized access to sensitive information should be carefully logged and tracked.
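The manufacturing example above (project portals locked down, enterprise search wide open) and the recommendation here (restrict sensitive access to those who need it, and log even authorized access) come down to the same engineering rule: every path to a document must consult one authorization decision, and sensitive reads and all denials must leave an audit trail. The following is an added illustration of that rule, not code from the article or from Kroll; the users, projects and documents are constructed, and the class and method names are assumptions for this example.

```python
"""One authorization check for every access path, with sensitive access logged.

Added illustration, not code from the article or from Kroll. The projects,
users and documents below are constructed. If the portal enforces project-team
access but the enterprise search index does not, search becomes a side door;
here both paths call the same can_access() decision, and reads of sensitive
documents (plus every denial) are written to an audit log that a later review
for unusual activity can examine.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Document:
    doc_id: str
    project: str      # owning project; only that team may read it
    sensitive: bool   # sensitive IP: successful reads are logged too
    text: str


@dataclass(frozen=True)
class User:
    name: str
    projects: frozenset  # project teams the user is assigned to


@dataclass(frozen=True)
class AuditEvent:
    when: str
    user: str
    doc_id: str
    via: str        # "portal" or "search"
    allowed: bool


class DocumentStore:
    def __init__(self, docs):
        self._docs = {d.doc_id: d for d in docs}
        self.audit_log = []

    def can_access(self, user, doc):
        """The single least-privilege decision shared by portal and search."""
        return doc.project in user.projects

    def _record(self, user, doc, via, allowed):
        self.audit_log.append(AuditEvent(
            datetime.now(timezone.utc).isoformat(), user.name, doc.doc_id, via, allowed))

    def open_via_portal(self, user, doc_id):
        doc = self._docs[doc_id]
        allowed = self.can_access(user, doc)
        if doc.sensitive or not allowed:
            self._record(user, doc, "portal", allowed)
        if not allowed:
            raise PermissionError(f"{user.name} may not open {doc_id}")
        return doc

    def search_unfiltered(self, term):
        """The flaw from the article: the index answers from every document,
        regardless of who is asking. Kept only to contrast with search()."""
        return [d.doc_id for d in self._docs.values() if term.lower() in d.text.lower()]

    def search(self, user, term):
        """Hardened search: hits the caller may not read are dropped before the
        result is built, so neither content nor existence leaks through search."""
        hits = []
        for doc in self._docs.values():
            if term.lower() not in doc.text.lower():
                continue
            if not self.can_access(user, doc):
                continue
            hits.append(doc.doc_id)
            if doc.sensitive:
                self._record(user, doc, "search", True)
        return hits

    def denied_attempts(self):
        """Denied accesses per user: the 'unusual activity' an insider review looks at."""
        counts = {}
        for ev in self.audit_log:
            if not ev.allowed:
                counts[ev.user] = counts.get(ev.user, 0) + 1
        return counts


# Constructed sample data.
SAMPLE_DOCS = [
    Document("D-100", "apollo", True, "Apollo turbine blade alloy composition"),
    Document("D-101", "apollo", False, "Apollo team lunch schedule"),
    Document("D-200", "borealis", True, "Borealis blade coating process"),
    Document("D-300", "general", False, "Company holiday calendar"),
]
ALICE = User("alice", frozenset({"apollo", "general"}))
BOB = User("bob", frozenset({"borealis", "general"}))


def build_sample_store():
    return DocumentStore(SAMPLE_DOCS)


if __name__ == "__main__":
    store = build_sample_store()
    print("unfiltered search leaks:", store.search_unfiltered("blade"))
    print("filtered search for bob:", store.search(BOB, "blade"))
    try:
        store.open_via_portal(BOB, "D-100")
    except PermissionError as exc:
        print("portal denied:", exc)
    for ev in store.audit_log:
        print(ev)
```

The design choice worth noting is that the hardened search trims hits silently rather than returning "access denied" placeholders: a document's title or mere existence can itself be sensitive, and the same can_access() decision is what makes the two paths agree. A real deployment would replace the in-memory list with an append-only log store and feed denied_attempts() into whatever monitoring reviews insider activity.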

Performing Cyber Due Diligence
What’s a potential investor to do? First, the investor should attempt to assess the level of cyberrisk involved in the investment. How much of the value of the company is tied up in IP and how catastrophic could a network intrusion be for the company? The degree to which a cyber due diligence component should be added must be driven by the perceived risk. If cyber due diligence is warranted, the investor should first ask about the company’s information security program. Is it based on a standard like COBIT or ISO 27001? Does it cover cyber, physical and personnel risks? When was security last subject to independent reviews or testing?

Tests can consist not only of external attacks that attempt to penetrate the system’s defenses, but also of internal testing. Often called vulnerability screening, this process identifies problems like unpatched systems, systems with default passwords and machines running unnecessary, risky software, so that the company can take specific steps to mitigate the risk.
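The three problem classes named here are the same ones the earlier sections describe (patches months or years behind, manufacturer defaults such as the camera controller's unchanged password, and unnecessary software), and an internal screen is essentially a policy applied host by host over an asset inventory. The following is an added illustration of such a screen, not the article's or Kroll's tooling; the inventory records, the default-credential and risky-service lists, the 90-day threshold and the severity scheme are all constructed assumptions for this example.

```python
"""Internal vulnerability screening over a constructed host inventory.

Added illustration, not the article's or Kroll's tooling. Each record below
stands in for one line of an asset-inventory or configuration-management
export; the field names, the default-credential list, the risky-service list
and the 90-day patch threshold are assumptions for this example. The screen
flags machines behind on patches, unchanged default passwords and unnecessary
risky software, and ranks the findings so they can drive specific remediation.
"""
from dataclasses import dataclass, field
from datetime import date

# Vendor-shipped credentials that should never survive deployment (constructed list).
KNOWN_DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("root", "root"), ("admin", "")}
# Services with no business on an internal host absent a documented exception (constructed list).
RISKY_SERVICES = {"telnet", "ftp", "rsh", "vnc-no-auth"}
MAX_PATCH_AGE_DAYS = 90          # assumed policy threshold
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


@dataclass
class Host:
    name: str
    last_patched: date
    admin_credential: tuple          # (username, password) as currently configured
    services: set = field(default_factory=set)
    internet_facing: bool = False
    patch_exception: str = ""        # documented reason patches lag, e.g. a legacy dependency


@dataclass
class Finding:
    host: str
    issue: str
    severity: str


def screen_host(host, today):
    """Return the findings for one host."""
    findings = []
    age = (today - host.last_patched).days
    # Patch lag is tolerated only when the exception is written down, as the article allows.
    if age > MAX_PATCH_AGE_DAYS and not host.patch_exception:
        sev = "high" if host.internet_facing else "medium"
        findings.append(Finding(host.name, f"patches {age} days old", sev))
    # Default settings left in place: the camera-controller failure mode.
    if host.admin_credential in KNOWN_DEFAULT_CREDENTIALS:
        sev = "critical" if host.internet_facing else "high"
        findings.append(Finding(host.name, "default administrative credential", sev))
    # Unnecessary, risky software.
    for svc in sorted(host.services & RISKY_SERVICES):
        findings.append(Finding(host.name, f"unnecessary risky service: {svc}", "medium"))
    return findings


def screen_inventory(hosts, today):
    """Screen every host and return findings ordered by severity, then host name."""
    findings = [f for h in hosts for f in screen_host(h, today)]
    return sorted(findings, key=lambda f: (SEVERITY_RANK[f.severity], f.host))


def summarize(findings):
    """Count findings per severity for the due-diligence report."""
    counts = {}
    for f in findings:
        counts[f.severity] = counts.get(f.severity, 0) + 1
    return counts


# Constructed inventory; SCREEN_DATE stands in for the day the screen is run.
SCREEN_DATE = date(2013, 10, 1)
SAMPLE_INVENTORY = [
    Host("camera-controller", date(2012, 1, 15), ("admin", "admin"), {"http"}, internet_facing=True),
    Host("build-server", date(2013, 9, 20), ("svc_build", "Lq7!x9-constructed"), {"ssh", "ftp"}),
    Host("legacy-plc-gateway", date(2011, 6, 1), ("ops", "R4v-constructed"), {"telnet"},
         patch_exception="vendor firmware only supports the 2011 build"),
    Host("dev-workstation-07", date(2013, 9, 28), ("dev07", "Hm2_constructed"), {"ssh"}),
]


if __name__ == "__main__":
    results = screen_inventory(SAMPLE_INVENTORY, SCREEN_DATE)
    for f in results:
        print(f"{f.severity:8} {f.host:22} {f.issue}")
    print(summarize(results))
```

Two points carry over to a real screen. Exposure drives severity: the same default credential is rated critical on an Internet-reachable controller and high on an internal host, which is exactly the distinction the camera example turned on. And a documented exception suppresses the patch finding but not the risky-service finding, so a legacy gateway that legitimately cannot be patched still surfaces if it is also running a service it does not need.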

Investors should then consider using the “trust, but verify” standard. Depending on the nature of the investment and the particular circumstances, a third party review could be required as part of pre-transaction due diligence. Alternatively, the transaction could be written to require reasonable testing to protect both the company and its investors. The required tests should include penetration and vulnerability testing and application-level tests for at least a sample of Internet-facing software. The company’s security architecture should also be reviewed, including physical and personnel security, access controls, security awareness training programs and an analysis of risks related to partners (such as software-as-a-service outsourcers, cloud services and any other services that can affect sensitive and proprietary data and intellectual property).

The very fact that such tests will be required can jump-start a company into catching up on basics and thus reduce risk. But given the fast evolution of risks associated with intellectual property in a hacking-crazy world, having a periodic independent review by specialists is becoming the standard to protect intellectual property.

In any event, a cyber due diligence component should help investors make more informed decisions about the risks involved in a given transaction—and can create a helpful roadmap on how to mitigate those risks. Such an understanding can provide leverage during the negotiation phase and potentially help an investor maximize value over the long term.

Alan Brill is senior managing director for Kroll's Cyber Risk practice, where he consults with law firms and corporations on investigative issues relating to computers and digital technology.
Jason Straight is managing director at Kroll Advisory Solutions and provides expertise on information assurance, computer forensics and cyber investigations.