A merger and/or acquisition (M&A) can be an excellent way to expand your business. Done right, an M&A can bring in new capabilities, help you reach new market segments, and take competitors under your own corporate umbrella. Unfortunately, if you’re not cautious, it can also end up being a cybersecurity nightmare.
It’s no secret that cyberattacks have been on the rise as of late. Nor is it surprising that cybercriminals can exploit a larger threat surface than at any other time in our digital history. It’s your responsibility as a business leader to ensure your most valuable assets are protected and your security is as ironclad as possible. An acquisition, while it certainly makes sense from a business perspective, can put all that at risk.
Here are a few potentially fatal flaws in the M&A process that can expose your organization to cyberthreats.
A Lack of Due Diligence
By far, the lion’s share of problems encountered in M&As can be traced to one overarching cause: businesses aren’t conducting due diligence before going through with a purchase or merger. They’re focused entirely on the return on investment (ROI), only coming across the deal’s myriad problems after it is finalized.
Consider, for example, that a 2016 report from business and technology consulting firm West Monroe revealed that many businesses lacked security talent during M&As and that more than a third (40%) discovered cybersecurity problems in their acquisitions after their deals went through.
The solution to this issue is simple and twofold. First, security leaders, such as your CISO, should be involved in every deal. They have a better idea of how to track down potential security failings than most of your board, and they know what security policies, procedures, and infrastructure need to be reviewed. Second, it’s advisable to include external validation of an organization’s security posture, bringing in a third-party expert to verify that their security is up to snuff.
Protecting Sensitive Data
Another key challenge for an M&A—and one that will surface during the process—is data protection. At some point in the process you’re going to be transferring a ton of sensitive data assets between the two organizations. You must ensure that transfer can be completed securely, and that you have a means of protecting files related to the deal while it’s still being finalized.
A secure data room is a must. There are plenty of unscrupulous organizations and individuals who would love to sniff around the information M&A files might contain, such as potential security vulnerabilities, deal prices, roadmap details, and more. Those little tidbits of information can give someone a competitive advantage and cost you a great deal.
I’d advise also investing in some form of file security platform, a tool that allows you to remain in control of your data even if it passes outside your security perimeter. Not only will this help you keep sensitive data under wraps during the deal process, it can also facilitate the transfer of information from one company to another once the deal goes through.
Last but certainly not least, there’s the challenge of integration—ensuring the processes, policies, and infrastructure of one organization mesh with those of the other. You not only have to ensure all the data from one company is properly transferred, but also that any conflicts between different applications and systems are resolved effectively. The best way to achieve this is to plan during your due diligence stage:
- Speak to the security teams at both companies about existing policies, data, and processes. Your goal is to find commonalities, and how you can work to bring them together.
- Identify the critical assets of each company. Where will they be stored and how will they be managed under the new organization?
- Back up everything prior to the acquisition.
- Ensure you’ve put measures in place to increase monitoring and training and to tighten access controls during the transition.
- Perform an assessment of how the M&A will impact business continuity—your goal is to have as low an impact on continuity as possible and make the transition nearly seamless.
- Assign responsibility for managing the transition. Who on the board will be responsible for facilitating the deal? Who is responsible for bringing the IT systems together?
- Ensure your business has the security controls and IT capacity to manage the newly acquired data and infrastructure. Take measures to expand your IT department if it does not.
- Make sure your own security posture is strong and your own data is organized and clean.
- Give yourself a generous timeframe for the acquisition process. Your IT staff may need considerable time and effort to make your new infrastructure seamless and compliant.
An M&A can be a cybersecurity challenge. But that doesn’t mean you should be pulling out your hair. With proper research, planning, and knowledge, you can ensure the process will be smooth and seamless.
Max Emelianov started HostForWeb in 2001. In his role as HostForWeb’s CEO, he focuses on teamwork and providing the best support for his customers while delivering cutting-edge web hosting services.