INFORMATION SECURITY DUE DILIGENCE – DID YOU JUST BUY AN ASSET OR A HEADACHE?

According to Bloomberg’s ‘Global Financial Advisory Mergers and Acquisitions Rankings Q3 2013’, mergers and acquisitions increased 33 percent year over year in 2013. Of particular interest is technology sector activity, which was at a five year high during the third quarter of 2013, leading to buyers paying the highest premium on technology companies. Purchasing high premium companies typically includes intellectual property, private information databases (big data), source code, critical systems, and/or trade secrets, among other items. However, there is a unique threat to these types of assets in that they can be stolen or subverted without the data owner’s knowledge and often leave little evidence that the asset has been compromised.

While high profile news stories are published about data thefts from large organisations and retailers, many more data breaches occur that are not disclosed or aren’t deemed appealing enough to get articles written about them. According to datalossdb.org, an open source data breach tracking database, over 2200 companies experienced data breaches of protected Personally Identifiable Information (PII) during 2013. Most of the breaches are occurring at midsized and smaller organisations. The 2013 Verizon data breach report (a study of trends in data breaches investigated by 19 different forensic investigation companies) indicated that over 65 percent of the data breaches investigated were at companies with less than 10,000 employees. Oftentimes, midsized to smaller organisations have weaker protections on their data and are easier targets. The report also documented that for 66 percent of the investigated breaches, compromised organisations did not discover the intrusion for a period of multiple months to years after the initial compromise. This lengthy timeline to discover a breach results from the fact that almost 70 percent of the breaches were discovered by third parties rather than the organisations themselves. 

Apr-Jun 2014 Issue

McGladrey LLP