There is a lot that goes into buying a business, in fact it can be quite complicated. Everything from valuing the business, making the offer, closing the deal, and everything in between. These processes can take time, especially when thoroughly vetting the business for purchase. An often forgotten about or tossed down the road for later, is a thorough review of the IT infrastructure and cybersecurity policies and procedures. Four years ago Marriott hotels found this out the hard way by suffering a large data breach.
What happened
Way back in 2016 Marriott hotels purchased Starwood hotels and two years later still did not have Starwood using the same reservation system as Marriott. The cybercriminals compromised the unsecure Starwood system and accessed hundreds of millions of records.
Steps you can take
When buying a business, auditing the current IT infrastructure, cybersecurity policies, and cybersecurity practices is absolutely critical. You will be purchasing whatever configurations, settings, lack of security that is present. If it is a mess, it becomes your mess. It could even become a nightmare, like Marriott faced.
Some questions to ask the sellers towards the beginning of the purchase process:
- When was the last cybersecurity audit?
- Do they have cybersecurity policies?
- Is there an employee cybersecurity training program?
- Have they ever suffered a data breach or successful cyber attack?
Here are some things to do if purchasing is imminent:
- Ask if your IT and cybersecurity teams or vendor can be given a through review
- Ask for any previous cybersecurity audits for review
- Request to be introduced to any vendors or service providers
Some things to keep in mind once the business has been purchased:
- Review all cybersecurity policies and practices
- Audit the IT infrastructure, note any 3rd party solutions and vendors
- Implement new security measures
- Remove/disable all previous owners and employees access
- Review all third party and vendor agreements
Please remember these are all just a starting point when purchasing a new business. Having a team of experts can really help ensure no stone goes unturned.
Subscribe to our monthly email newsletter to keep your small business up-to-date on all the latest cybersecurity news! For more information on protecting your small business from cyberattacks and other cybersecurity topics check out Small Business, Big Threat!