Ilia Sotnikov, Security Strategist and VP of User Experience at Netwrix, is a visionary and technology evangelist in cybersecurity.

Today, a merger or acquisition involves not just combining businesses, but legacy IT environments as well—along with all their risks and problems. Accordingly, in addition to a thorough financial and legal audit, due diligence in any M&A deal must include a comprehensive cybersecurity assessment.

Consider when Marriott acquired Starwood Hotels in 2016. Along with 11 new brands, Marriott inherited intruders lurking in Starwood’s network, which had been infiltrated two years earlier. Marriott didn’t discover the breach until 2018, by which time the intruders had compromised Marriott’s data as well.

To help prevent situations like this, this article explores the cybersecurity risks of the M&A process that are easy to overlook and offers recommendations for mitigating them before Day 1 arrives.

Easy-To-Overlook Cybersecurity Risks Of An M&A

While there are numerous facets to a cybersecurity audit during a merger or acquisition, some important aspects are often passed over. Here are a few key insights that deserve attention:

Considering Risk Decisions Alongside Business Decisions

There is often a tension between the desire for rapid productivity gains and the need for robust cybersecurity measures during mergers and acquisitions.

A decision to prioritize speed over security ultimately falls to business leaders. IT teams may not always clearly communicate the potential risks associated with expedited integration timelines, leaving management without a complete understanding of the cybersecurity implications.

This communication gap can lead to critical vulnerabilities being overlooked, as management may prioritize faster time-to-value without fully grasping the associated risks.

Leveraged Uncertainty

Mergers and acquisitions present lucrative opportunities for cybercriminals to exploit the stress and urgency that begin spreading among employees the day the deal is announced.

One common technique is social engineering attacks. For example, adversaries may target anxious employees with phishing or malware-spreading emails that impersonate HR communications about layoffs, benefits or policy changes. They might also use business email compromise (BEC) attacks to spoof the incoming CEO or CFO, tricking financial executives into initiating fraudulent transactions.

Insider Threats

While internal threats are always a concern, the risk escalates during the transition period of an M&A.

For instance, IT personnel from the acquired entity may believe they will be retained only for the transition and let go afterward. This stress can affect job performance, leading to incorrect configurations or security gaps that can be exploited.

In the worst-case scenario, this uncertainty about their future and increased anxiety may result in sabotage or intentional malicious actions by insiders.

Third-Party Liabilities

Vendors and third parties that access the confidential or proprietary data of the company being acquired create an additional avenue for potential breaches.

For instance, lack of understanding of the scope of contracts and regulations and improper data-sharing practices can expose the acquiring entity to loss of trade secrets, sensitive customer and employee information and other critical data post-acquisition.

Mitigation Strategies

To mitigate these and other risks, companies should ensure these strategies are an integral part of their M&A processes:

Do your due diligence.

Effective IT integration requires close coordination and collaboration between management and IT teams from the two or more organizations involved. Management must understand the cybersecurity risks and their potential impact on business operations, while IT teams need to provide technical expertise and guidance on mitigating those risks.

The acquiring company should learn as much as possible early on and avoid assuming it excels in everything just because it is bigger. Smaller organizations may have specialized security skills that fill gaps in the larger organization.

Utilize third-party security firms.

Early IT environment evaluation might be tricky. Deals don’t always close, so the target company may be hesitant to share sensitive information and let the potential acquirer into their IT infrastructure until quite late in the process.

Third-party firms can help here, especially ones that excel in penetration testing and risk assessments. In fact, the selection of an appropriate firm can be part of the negotiations.

Budget in advance.

Part of the IT integration process involves standardizing technology and security tools, which can lead to added expenses. For instance, if one company uses a single sign-on (SSO) service for their environment but the other doesn’t, additional licenses must be budgeted to ensure proper security across the newly combined entity.

Organizations typically have different security standards and requirements, and decisions must be made about what to standardize. Be prepared for existing contracts that are difficult to terminate; funds may not be freed up immediately even after you stop using a specific service.

Because of these factors, an effort to align security practices can often require upgrading subscriptions or service packages to an enterprise level, also leading to additional expenses.

Communicate openly.

Effective communication is crucial in any relationship, especially during the M&A process. Understating risks in conversations between IT security and the business, for example, can lead to poor risk decisions. Open internal communication among all other employees from both organizations is equally critical.

Once the merger or acquisition is announced, short and long-term plans should be clearly conveyed, as should assurances about the future. Every employee should have a clear understanding of how to report issues or suspicious system behavior and who to ask for help. They should also know what corporate HR and IT communications now look like.

To accomplish this, managers should be armed with comprehensive information to drive down confusion and anxiety that might otherwise lead to mistakes and negligence.

Conclusion

A merger or acquisition can be a daunting endeavor, but it is crucial to ensure that IT security has a proper place at the M&A table alongside finance and accounting. Effective integration of technology and security measures, thorough due diligence and clear communication can mitigate risks and pave the way for a successful deal.

By prioritizing cybersecurity throughout the process, organizations can protect their assets, maintain compliance and achieve a smoother transition, ultimately securing the future success of the combined entity.

Forbes Technology Council is an invitation-only community for world-class CIOs, CTOs and technology executives.
