ACSC issues M&A specific cyber security advice

The Australian Cyber Security Centre (ACSC) has issued cyber security advice for organisations facing mergers and acquisitions.

Such periods of change “create significant upheaval and disruption to the normal flow of business” and are a boon for cyber criminals, the centre says.

The disruption during times of major change creates a “significant opportunity for adversaries” as colleagues get to know each other, data is migrated, new connections are made, permissions are set, and different security postures are aligned.

The threat is confounded by the fact staff are operating in an environment of uncertainty, vague reporting lines and time pressures, the ACSC adds.

The human factor is one of the biggest risks, the advice notes.

“During major organisational change, staff may find they are under pressure to accept the validity of requests for data, payment or access from people they don’t know, and cannot easily verify the identity and authority of. Adversaries use this pressure to increase the likelihood of successfully using techniques such as business email compromise and CXO impersonation,” the advice reads.

Staff should be properly briefed on the risks they pose, and be told to refuse requests for access, payment or data until they can verify the requester’s identity (in person or via a known telephone number) and authority.

Introductions should be organised as quickly as possible, the ACSC adds, so staff know who they are dealing with.

The publication’s advice also applies to Machinery of Government (MoG) changes, and supplements an Australian Public Service Commission MoG guide.

“Cyber criminals know that major change brings disruption, making it easier to scam staff and compromise systems with social engineering attacks such as ransomware, business email compromise, payroll fraud and phishing campaigns,” the centre says. 

“The reality is that organisations must be prepared, well before they announce they’re entering an acquisition or merger,” it adds.