I have written before about the wisdom of involving security early in the process of acquiring another company. But given what happened at my company last week, it’s probably a good idea to say it all again.
At issue: The company has signed a deal to acquire a small software company, but no security review was conducted ahead of the deal’s close.
Action plan: Quickly assess the company’s weaknesses and shore them up just as fast.
The CFO broke the news that we were acquiring a smaller software company in a meeting with most of the executive staff and other department heads. It was greeted as a welcome development, since we had been struggling with the question of whether we should divert resources to develop a needed feature in our product or instead purchase a company that could fill that gap. The problem for me was that I was learning this news along with the other department heads, even though the deal was already signed. I would be given a couple of weeks to conduct due diligence, but it was too late for any discovery that I made to be used as leverage to reduce the acquisition price tag — or even to scuttle the deal entirely.
The risks that might be uncovered in such a review can have tremendous implications. For example, it isn’t unusual for a small software company to use someone else’s proprietary software code as a base platform to build upon (why re-create the wheel, right?). The acquisition target might infringe on copyrights in less significant ways, as well, requiring fees to be paid. Those are just two of the many land mines that can be hidden from view in an acquisition, and both of them carry potentially large financial burdens that could fall on the acquiring company.
Although there was no chance of backing out of the deal, it was still important that I conduct a review, so that we would at least know what sorts of problems were in store for us. I dusted off my M&A questionnaire and got to work. After several sessions with the company’s small IT team, engineering department and customer service folk, I had a decent handle on the security maturity of the company — or rather, it’s security immaturity. It fell short on several measures.
This didn’t surprise me, since the company doesn’t have anyone dedicated to overseeing security matters. In fact, it was obvious from my review that security wasn’t a priority. Nearly all of the company’s infrastructure was installed on virtual servers located in a small data center closet, with all the servers on the same network and several exposed to the public Internet. One of the servers was hosting Subversion (used for source code management) as well as a wiki to manage product ideas and changes. Another was being used for the open-source PBX phone system Asterisk. The company’s public-facing Web server was also acting as the corporate mail server.
Sign up for Computerworld eNewsletters.