Many US companies are regular targets of cyber-attacks, sparking the need for cybersecurity preparedness. Joining Domenic Rinaldi today is Craig Sherwood, a partner at Shambliss Security, a leading company in the cybersecurity industry. With the threats that companies face every day, the breadth and depth of issues that Shambliss deals with are tremendous. Craig explains their roles in protecting organizations, including mergers and acquisitions. He also talks about insurance and why it is vital to go over the core areas of cyber liability coverages before renewal with your agent. Don’t miss this episode to learn assessment strategies that aid in making cybersecurity more efficient.
Cyber Security Preparedness With Craig Sherwood
In this digital world, cyberattacks can happen anywhere, resulting in increased data breaches. This has become a significant issue for business owners and leaders. Maybe not so surprisingly, this has become a hot-button issue for business acquirers. Companies want to know that they are acquiring a firm that has taken the necessary precautions to protect the company’s data assets. Our guest, Craig Sherwood, is a partner at Shambliss Security. They specialize in the entire spectrum of concerns related to cybersecurity. Their team has the experience to assess and implement the proper strategies to close the gap between your risks and cybersecurity peace of mind. Craig, welcome to the show.
Thank you for having me, Domenic.
Right off the bat, I’m a little over my skis here. Cybersecurity, I haven’t done a ton with, but I’m excited to learn about it because it’s such a big issue. If we could start with maybe providing the M&A Unplugged Community a background on yourself and an overview of Shambliss.
A little background about myself, I’ve been in professional service and IT consulting for many years. I’m born and raised in Chicagoland. Ideally, the way that our organization goes to market is very simplistic. Shambliss Security is a provider of cybersecurity solutions. We offer a complete portfolio of strategic services to help our clients not only define their security programs but also identify their risks and deploy the right technologies so they can be operationally effective.
More importantly, for our audience, to respond to the threats and breaches or potential breaches that are out there. The best way to explain how we go to the market and what we do most succinctly is the idea that we differentiate ourselves from our competitors by being objective, unbiased and ideally experienced security solutions that need to not only accelerate their growth but, more importantly, drive operational efficiency so they can reduce their risk when they’re looking to purchase an acquisition.
Let’s talk a little bit about cybersecurity and the definition of it. It’s growing, and the definition is getting wider. The threats are coming from all sorts of angles. Let’s talk about the breadth and depth of things that you deal with to identify for companies.
When we work with organizations that are looking to acquire or divest in an organization, it starts with a couple of different things. Number one, the most prevalent thing we need to look at is where their data is. When we say data, what is it and where is it stored? What is the data? Is the data sensitive material, like, for example, Social Security numbers and dates of birth? Is the data intellectual property, like for a manufacturer where, if that data falls into a competitor’s hands, they could lose competitive advantage?
What types of companies do you typically work with? What’s your target market?
Our target market is the middle market. For our definition of the middle market, it’s anything under $250 million in revenue a year.
When we first started talking, you had mentioned that you do a lot of this work in mergers and acquisitions. Can you talk a little bit about that?
One of the things we always like to identify when we talk to a private equity organization and/or a venture capital organization is to uncover what they’re doing. In this marketplace, having an advantage, having an opportunity to negotiate that is unlike any other, is in the cybersecurity space. I’ll give you an example that’s out there easily. When Marriott Corporation merged with Starwood, everyone had done due diligence and supposedly they had done cybersecurity due diligence. After the transaction happened, they found out there’s a major breach that happened between Starwood and Marriott. There was a post-acquisition alteration of the deal because due diligence from a security perspective wasn’t done. When we work with venture capital organizations and private equity organizations, that’s one of the greatest attributes we can say if we point to something like this. If you can save the acquirer money and increase the value, that’s what we’re there to help them to do.
Are you typically coming into an M&A deal to do this cyber assessment? Is the buyer bringing you in or do you sometimes work on the seller’s behalf? How does that typically work?
It’s typically a 60/40 split where we’re brought in 60% by the buyer side. There are a couple of big benefits to the buyer side. Number one is to protect the brand. It’s very important to want to make sure that nothing goes haywire and nothing happens to the deal because there’s something happening as far as the target acquisition. The other major benefit when we work on the buy-side is the idea that you can demonstrate to your stakeholders and the regulators that every rock has been turned over to make sure there are no issues that are going to happen post-acquisition. On the flip side, the greatest example I can give you is if you’re a seller and you’re looking to divest your organization. One of the things we always give as an example is you’re looking to sell your house. If you’re going to go out and sell your house, are you going to sell your house with a bunch of holes in your walls? You’re not. By doing that, propping up and fixing maybe what you have in-house, it maximizes your value as the seller to protect against a devaluation from the buyers.
I imagine something like that gives buyers peace of mind that the business that’s being transferred is a clean asset and that always improves value for an owner?
The example I always give somebody is you don’t want to have a dirty environment for us. You don’t want to have something that’s going on in the background while you’re trying to close a deal. Most mergers and acquisitions like to close in 30 to 45 days. If we come in and do our assessment for an organization, we’re in and out within 10 to 14 days. We’re definitely within that time barrier to close a deal. If there’s something that we report to a buyer and we say, “This has to be sewn up. You have major exposure,” that’s something that they need to consider when they do their transaction.
I want to get to what specifically you do when a company calls you in. Before we do that, maybe you could help the M&A Unplugged Community and me wrap our hands around this? How big of an issue is this? Are there statistics? Is there data out there about how many occurrences are occurring? What’s this costing the economy?
There are lots and lots of data from large organizations. The greatest single attribute that I can attest to you is the fact that the cost of not doing anything affects the M&A transaction very heavily. A good example of that would be if you are acquiring a company and you are looking at a quality of earnings report and it says X. The seller has a quality of earnings that says Y; there’s a balance. What we find in the transactions is sophisticated buyers in the private equity area are coming to the table and saying, “We’ve done cybersecurity assessments and enterprise security assessments. We feel that the carve-out to mitigate the risk is X amount of dollars.”
As a seller, when you come to the bargaining table and don’t have anything to counter that, it’s a disadvantage. Something that is important to understand is you have to have all your tools in the wheelhouse available to act upon. What we’re finding is one side or the other at the negotiating table has it and the other doesn’t. As deals become more complicated, as money freezes up, there are going to be more attributes and more checkboxes in that due diligence, and one of them is going to be doing a security assessment prior to a deal.
I even read a statistic somewhere that said the companies in the US were number one in the world as far as being susceptible to cyberattacks. Is that an accurate statement?
It’s very much an accurate statement. As far as the attacks themselves, it’s a wide range of attacks. If you are in the online retail business, like an Amazon, and that’s a large example, but if you’re not protecting your digital assets from third party threat actors when you do online retail, you can be shut down by the banks because you are not in a regulatory compliance issue called PCI. If you are not PCI compliant as an online retailer, your banks can say, “We don’t want to do business with you as an entity,” and you’re out of business. That’s a great example.
Another example that everybody hears about is ransomware attacks. What are ransomware attacks? Those are threat actors who basically come in and shut down your organization. Until you pay them, they’re not going to give you the keys to the kingdom to turn your company back on. That’s a huge issue that’s happening. More and more organizations are buying cyber liability coverage to mitigate those costs. However, you, as an organization, have to protect yourself on a daily basis.
I could get how an Amazon and companies like that are probably under attack all the time in the major credit card platforms. If I own a $15 million, $20 million manufacturing business or healthcare-related business, do I need to worry about this at the same level that these large multinational companies are worried?
I would say yes, in my professional opinion, and the reason being is that large enterprise global organizations have a fiduciary to report. These small middle-market businesses, where we focus, do not have a public interest in mind. They’re not answering to a board of directors or shareholders. Typically, small and middle-market organizations are privately held. One of the things that we always try and explain to our customers is the idea that the remediation cost to fix your problem once it happens is significantly greater than trying to do it ahead of time. Fixing it after the fact is costly.
To give you some simple statistics, the average time to identify a breach of any sort is roughly about 200 days. That’s a huge amount of time from start to finish. In 2019, the average cost of a breach was roughly $8 million for a middle-market organization. The average cost for a small business (in my opinion, small is under $10 million) is roughly about $375,000. A small-medium business that does $10 million, can they absorb a $350,000 or $400,000 loss? I would be challenged to say they could recuperate that.
Almost or over half a year to even know that you’ve been breached. People have breached their systems. They’re poking around, and the average time is they’re poking around for over half a year?
Yeah. A great example is if you’re an executive in an organization and you do online transfers, ACHs, or potentially wire transfers, and someone is in your system waiting. They see an email. They look to see how you and your financial controller or CFO work. If you know that every Friday you release wire transfers, you can potentially, if you’re in there, mitigate and get in there and say, “We’re going to make this name change and add a number one or add a question mark.” They’ve mimicked your responses as an executive; they now have potentially the ability to make financial decisions and take money that should be going out as regular operating business costs and send it to something that is in an overseas bank. As for the fiduciary responsibilities owned by a CFO, they have to be able to have checks and balances. If those checks and balances and policies and procedures are not in place, it gives the third-party threat actor the ability to manipulate and take advantage of their mistakes.
I would argue that business under $10 million that gets hit with almost $400,000 cyber cost, that’s going to be painful. Does insurance cover that?
Yes, with a great caveat saying that not all insurance carriers cover the same things the same way. A great example that I would give you as well would be something along the lines where we have a customer that had a ransomware attack. They did not have the right cyber liability coverage. They thought their tech errors and omissions coverage would cover this breach. It did not because there are specific exclusions that are in cyber liability coverages, and regular errors and omissions coverages don’t necessarily intersect. They run parallel. What I would advise anybody from the podcast now is to have a sit-down with your broker, with your insurance agent, to go over the core areas of cyber liability coverages prior to renewal to make sure you have the right coverages for your business.
Let’s move over to Shambliss. Let’s talk a bit about your approach. Somebody has called you in and said, “The company hasn’t gone through an assessment.” What are the steps? What’s involved in what you do? I know that you guys also will implement the necessary changes as well.
We take a multistep approach. Our organization comes in and focuses on the beginning to set a foundation. The way Shambliss sets a foundation with any organization is we come in and ask business-level questions and work our way down. What I mean by that is we will work with a CEO, a CFO, a director to find out what their business does, be an advisor to their business, and do what we would call a functional assessment. Based on that functional assessment, we will then understand where their business is and where they want to go. What we do is we come in and we do what we would call an enterprise security assessment, which is a technical term for doing checks and balances on their state. Once we do that, what we like to do in our enterprise security assessment is we give clients three documents. Number one, we give them an executive summary and we give them dashboards. It’s easy to understand as a business owner in the middle market to say, “Strategically, these are where I can go and this is where I need to be.”
The second item that we always give them is what we call a security maturity model rating. We pick certain domains where we rate the client as far as what they have from 1 to 5, one being very poor, five being great and perfect. I would say to you that most organizations that don’t have any security rate towards the bottom half. People that are in the middle have an idea of what they’re doing. The people that are sophisticated are typically on the higher side. That maturity scorecard gives leadership in organizations the ability to understand where they are and where they want to go to. The last part of our assessment, which is the most important part, is giving an organization a roadmap that they can utilize to be manageable and scalable to move forward in their security posture. Because ultimately, if their maturity model overall is a one and they want to go to a three, by giving an organization a roadmap, we can help them identify and get them to the next level.
Let’s go back to that first step where you’re doing the assessment. What exactly is your team doing in that step? Let me tell you what I envisioned as I hear you talk about that. I envision a team of techie guys sitting in a room and trying to pound on that company’s servers and all their data assets and trying to breach and break through every wall they think they can. Is that essentially what happens?
In the assessment phase, that’s not what happens. In the assessment phase, what we do, which is a little different than most organizations, is we’re not there to physically break down their systems. What we are there to do is look at it from a business perspective. We want to understand what critical issues are important to them, number one. One of the biggest things that we talk to them about across any organization is having a clear understanding of where their data is. We can talk about technology. We can talk about security and privacy, but ultimately, there are five things that we ask somebody in the assessment.
Number one, what is their sensitive data? Number two, where is their sensitive data being stored? Number three, this is the most important in my opinion, what security threats do they think they’re exposed to? Number four, what is their current security posture? Most importantly, how do they protect themselves now and in the future? By having an assessment on a business level, we uncover these things. We try and provide them a basis for the business going forward versus technology.
Once you do this assessment, are you then delivering back to them some solutions that they might want to implement in an implementation phase? Are you testing some of the holes in their technology?
Yeah, when we do our assessment, it’s a multipronged approach. The assessment is a fixed-timeline, fixed-fee procedure. Once we give the customer the three documents, the dashboard with the executive summary, the risk modeling and the remediation roadmap, we sit with them and say, “Here’s where we feel you need to be as far as the remediation roadmap, and here are your greatest risks: red, yellow, green.” We then say to them, “Here’s what you should do. What would you like us to do?” Phase two is mitigation, where we put together a project or a project plan to get them from point A to point B. Lastly, once we would mitigate the issues that they would have that were uncovered from the assessment, we could help them manage and monitor it long-term.
What does mitigation look like? I imagine it looks like all sorts of things, Craig. Is it a combination of hardware, software or third-party solutions? What does that look like?
I would say to you, it can be all over the board. I’ll pick one area for our audience now. When we go in and we do an assessment, I would say if an organization has never thought about security seriously in the past, one of the biggest issues that we are confronted with is they don’t understand that they need to have policies and procedures in place so that, if and when something happens, they know how to react. What is uncovered in an assessment is basically stated, “We have a business continuity plan, but we do not have an incident response plan.” An incident response plan, or IR plan, is identifying, when something is broken into, how you as an organization react. Most companies that we work with that never had this before are like, “We need to have this. This will get us to where you don’t feel like, ‘The sky is falling. What do we do?’” They feel prepared.
There are companies that have lots of employees out there that are going to travel to sites that you know aren’t safe and potentially put the company at risk. How do you protect yourself against those individual users and make sure that their computers are not getting breached and that it reaches back to you? What if they use multiple computers? You’ve issued them maybe a company laptop, but they also have a desktop at home or an iPad, and they’re maybe getting into your systems from multiple devices. How do you accommodate for something like that?
The best accommodation that I’ll identify, maybe in a two-prong approach, is education, number one, backed up by a strong policy and procedure by your organization. A great example is let’s say you are in outside sales working for a multinational and you go to Starbucks. Most people log into the free Wi-Fi at Starbucks and, ideally, you should not be using a third-party login if you were working on a computer for a company. Therefore, if your organization has a policy and procedure in place and it states, “The only way you log in from outside the network is via a Virtual Private Network, or VPN, or you don’t have access,” that’s mitigated. The other way is very simplistic and, to me, it’s common sense: you need to educate your organization and create a culture that is based on security. That takes time. As your organization grows, that is something that you can do by doing online training. You can do that by tabletop exercises, which are exercises that reinforce online training. If you have a solid policy and procedure in place, that gives you and the rest of your organization as leaders the ability to say, “We’re doing the best that we can,” and that’s positive.
Do you have an example of where a company owner knew they were going to march down the path of selling their business, they brought your company in and you were able to move the needle in a meaningful way for them?
From the sell side, the greatest example that I can give you is we worked with a corporation that was based on the West Coast. We were brought in by an independent broker to help shore up the deal. One of the things we began speaking to executive leadership about was how they specifically needed to have a security foundation as far as a framework. We talked about a security framework. These are standards that larger companies look to when they’re buying companies.
The greatest example that I can give to you and the rest of the audience now is ISO 27001, which is a security framework that organizations need to comply with. If they do that, it gives them the ability to be more attractive to buyers. We were brought in to get them to be ISO 27001 certified. We came in and did an assessment. We found out they were nowhere near being able to get certification for ISO 27001. We gave them a roadmap to get there over a four-month period. They engaged us after the assessment to help them get from point A to point B. When they were able to then strike the deal about 4.5, 5 months later, the buyers came to us. They said one of the reasons why they went through with the deal was because the leadership of the seller was so committed to shoring up and getting the ISO certification.
After you had implemented and gotten them certified, who then manages that on an ongoing basis? Is it somebody internally? If you don’t have the resource internally, is that something that your firm would do, or is there another third party that they would look to bring on?
Depending on how the organization is set up, in this example, when the acquiring company bought this organization, they had a CISO, a Chief Information Security Officer, on hand. However, they did engage us, and we do offer this service, where we have a virtual CISO. These kinds of services are ad hoc. If your organization is a lean organization and can’t afford, nor does it want to have, a specific headcount for a security leader, this is an opportunity for us to come in ad hoc and help an organization piecemeal do what they need to do to get from point A to point B. It’s a win-win for everybody.
Who typically brings you into a deal? Is it an attorney that’s bringing you in or an accountant? How do you typically get introduced into a deal?
We get brought in 1 of 2 ways: either by a large financial organization, a private equity organization, or a venture capital firm, or by the attorneys. We work with a great number of middle-market attorneys across the country. We are brought in side by side at the point they want to put a letter of intent together. We get brought in next to them. We don’t work under the attorney-client privilege. We work right next to them for confidentiality reasons.
We had an attorney on not too long ago, Geoff Cockrell from McGuireWoods. He is the practice leader for the private equity part of that practice. I don’t know if you know those people, but if you don’t, that’s somebody you definitely should get introduced to, and I’m happy to do that.
I’d love to have the opportunity. I would say the greatest asset that we can be to any private equity organization, venture capital or law firm is knowledge. Let us help you help your clientele. We are the subject matter experts that can help define and help you mitigate the bumps in the road of a deal and be able to negotiate positive or negative the reality of the technology. That’s what we do well.
This is an issue that’s not going away. It’s only probably going to escalate. It’s something that more and more people are going to start hearing about and doing. It might not seem that way to some of the smaller clients that are reading the blog. You have to be aware that this is a threat out there, and it could cause some significant monetary damages and reputation damages as well, which go way beyond what the monetary damages are.
The brand reputation is significant. No one wants to have a political or marketing nightmare that happens when you hear a large organization had a breach or had an incident. To modify this to the middle market, the best example that I can give is protecting your assets against the ability to do business with your clients and your new potential clients. If new potential clients hear or are aware that you had a data leakage issue or a cyber incident, they might not want to work with you because they don’t know what’s at risk. Contractually, in our industry, we see a lot of companies going to where they have master service agreements and they have flow-downs saying, “You will protect our data and your data or we will not do business with you.” From a business development standpoint, it enables companies that have gone through an assessment, that have had penetration tests, who have great policies and procedures in place, to use that as a positive marketing tool to get new business because their competition is not doing that.
Craig, this has been great information. I learned a ton. Is there anything that we didn’t hit on that would be important for the M&A Unplugged Community to know?
The one thing that I would leave with you and the rest of the M&A Community that reads this blog would be knowledge. If we can understand what the business driver for any deal is, the idea here is we want to protect and uncover flaws that are normally hidden so that the deal goes through and it doesn’t cost the acquirer or the seller dollars. At the end of the day, it’s all about dollars and cents, and that’s what we want to do. We would love to get a true cost of the deal and protect against vulnerabilities that you might not be aware of.
Craig, if people wanted to get in touch with you to learn more, how could they reach you?
They can reach me at [email protected]. I can also be reached by phone, area code (847) 323-4001.
Craig, thanks so much. It’s a pleasure having you here.
Domenic, it’s been all my pleasure. Thank you for having me.
M&A Unplugged Community, let me recap a few things that came up during our conversation here with Craig. Number one, US companies are the number one target in the world for cyberattacks. People are trying to pierce our networks and get to our data, and we need to be diligent about protecting that. The average cost of cyberattacks, as you heard Craig talk about, was somewhere between $400,000 and several million dollars for lower-middle market companies. Those are not small numbers. What blew my mind is it takes about 200 days even to identify that you’ve had an attack.
Think about all the things that somebody could be gathering from your data that you don’t even know is happening. We also talked about insurance. Go back and check your policies, make sure that your insurance policy covers cyberattacks. If not, have your insurance agent amend that and make sure you’ve got the right coverage. The last thing, probably in my view, the most important to the longevity of the business is the brand reputation hit that you could take if you do suffer a cyberattack and your client’s data or other data is taken and used in some other ways. If you would like to learn more about the process of acquiring or selling a business, please visit our website at SunAcquisitions.com or feel free to reach out to me at [email protected]. I look forward to seeing you again on the next episode of the M&A Unplugged show. Until then, please remember that scaling, acquiring, or selling a business takes time, preparation, and proper knowledge.