Cybersecurity: A Priority in M&A
According to Netscout's Threat Report for the second half of 2022, Brazil ranks first among countries with the highest volume of cyber attacks in Latin America. Another survey conducted by Datafolha also reveals that 57% of Brazilian companies face high or medium-frequency digital frauds and attacks. Sectors like healthcare, education, and financial services are particularly targeted due to the manipulation of sensitive customer and patient information.
While large companies make substantial investments in cybersecurity, small and medium-sized enterprises struggle to keep up the pace. When an acquisition opportunity arises from a larger company or a new investment round from a fund, these businesses quickly come into the spotlight and become vulnerable targets.
In recent tech diligence projects in critical sectors such as healthcare and financial services, our security engineering team managed to access the systems in question in a matter of hours, gaining access to sensitive information from clients and employees. This type of vulnerability not only violates data protection regulations (e.g. GDPR) but also opens doors to potential legal implications, not to mention the impact on both the startup's and potential investors' reputation.
In this situation, the technical teams collaborated intensely, and within a few days, the initial security issues were resolved. Additionally, a more robust process was developed to address security vulnerabilities in the future effectively.
And now, how to proceed?
Finding a partner to conduct technology due diligence is one of the most effective approaches during M&A or investment in a technology company. Even if your team understands the solution, the complexity of the technological stack and the volume of lines of code pose inherent challenges. Furthermore, the analysis mainly focuses on the functional aspects of the code. The limited time frame for these evaluations, the availability of internal teams, and the need for confidentiality pose an additional challenge.
At Avalia, we adopt a data-driven approach. We use tools that connect to code versioning systems (like Git and Bitbucket), ticket, and project management (e.g. Jira, Trello, etc.), which streamline the analysis and enhance its accuracy. Ultimately, the entire process is conducted within the target company's development environment, ensuring that the source code is not shared with the investor/acquirer, providing security regarding intellectual property protection on the sell side.
In the realm of security, we conduct code reviews to ascertain secure development practices, such as using cryptographic functions, validation layers, sensitive data management, among others. We validate the end product of these practices with software attack simulations in a controlled environment, allowing for corrective actions and early identification of existing vulnerabilities, thus reducing risks for all stakeholders.