How legacy systems are threatening security in mergers & acquisitions

By Michael Chada and Brandon Lage

Old lock
Image source: 123RF

Antiquated legacy systems are holding organizations back from technological innovation. 

Why? Because of technical debt, which refers to the inefficiencies that arise when IT solutions and resources no longer meet an organization’s needs. These could result from legacy systems using too much energy or effort, struggling to integrate with newer IT technologies, or generally being underutilized across the organization. 

Technical debt is widespread among today’s organizations, with nearly seven out of 10 saying it greatly impacts their ability to innovate (PDF). In other words, the technical debt bill is coming due, and even if today’s IT leaders weren’t the ones overseeing the technology’s initial implementation and use, they’ll be the ones stuck writing the check. 

As with many things in life, the allure of buying new things to paper over old problems can be compelling. For businesses, technology add-ons and upgrades can seem like a magic bullet; in reality, they’re more likely to mask the foundational issues related to legacy systems than cure them. Most organizations view IT from a “do no harm” point of view — if it’s working well enough, why not leave it well enough alone? This is only natural.

Unfortunately, as many businesses are finding out, this only leads to larger issues down the road. While it’s tempting to pass the buck on addressing deeper IT issues, the game of musical chairs inevitably ends, exposing businesses to greater problems and risks.

What legacy systems mean for cybersecurity 

Here’s a simple fact: Legacy systems are far more likely to get hacked. This is especially true for companies that become involved in private equity transactions, such as mergers, acquisitions, and divestitures. These transactions often result in IT system changes and large movements of data and financial capital which leave organizations acutely vulnerable. With details of these transactions being publicized or publicly accessible, threat actors can specifically target companies likely to be involved in such deals. 

We have seen two primary trends throughout 2023: 

– Threat groups are closely following news cycles, enabling them to quickly target entire portfolios with zero-day attacks designed to upend aging technologies — disrupting businesses and their supply chains.

– Corporate espionage cases are also on the rise as threat actors embrace longer dwell times and employ greater calculation in methods of monetizing attacks.

Together, this means the number of strategically calculated attacks — which are more insidious than hasty smash-and-grabs — are on the rise. It is not uncommon for malicious actors to lurk as sleeper cells in legacy systems, striking only when the opportunity to capitalize is prime, such as the scaling up that comes with M&A transactions.

How to plan for M&A risk exposure

Addressing legacy systems should be understood as more than just a risk mitigation exercise.

We’ve found that tackling these projects during the hold period lowers complexity to improving the speed of integration for tuck-ins and add-ons. When the time comes to sell, it can also be an important factor in justifying enterprise IT value creation.

A hard truth about IT security is that no amount of time or money can guarantee a company invulnerability to attackers. Organizations should identify the level of risk they are comfortable with and consider both short- and long-term solutions to mitigate potential threats. 

In the short term, consider segmenting systems via network controls; creating nosier and more restrictive endpoint detection and response (EDR) policies; building a tighter authentication architecture; or increasing security information and event management (SIEM) alerting and monitoring. These compensating controls, while not foolproof, can be a reasonable half-measure to addressing highly vulnerable legacy systems. Take small steps carefully to ensure you can protect as much as possible. 

For the long term, consider incorporating an IT hygiene line item in the budget. Quick fixes seldom offer long-term solutions, but budget appropriation allows problems to be pre-empted and addressed consistently over a manageable timeframe.

So, whether you’re ready for a full system overhaul, or find that baby steps are more your speed, you can make sure you’re heading in the right direction. It’s a process of continuous improvement, not a ten-step journey. Simply put, security isn’t a project — it’s a way of life.

About the authors

Michael Chada

Michael Chada is Co-Founder and Partner at Enduir Cyber. As a partner at Enduir, Mike focuses on engaging with clients during their time of need and driving meaningful change in proactive strategic infrastructure security engagements. By advising hundreds of clients through complex cybersecurity incidents and time-sensitive M&A transactions, he has developed a balanced approach to cybersecurity that prioritizes business needs while understanding technical dependencies.

Brandon Lage

Brandon Lage is Chief Executive Officer and Founder of Fission Consulting. The company focuses on better serving IT initiatives specific to merger, acquisitions and divestitures. Brandon works to form strong partnerships with clients, gaining an effective understanding of client needs and helping lead IT initiatives toward success and customer ROI.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.