[BreachExchange] IT Department and Security Considerations During a Merger

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 24 18:35:39 EDT 2021


https://tdwi.org/articles/2021/05/21/dwt-all-it-dept-and-security-considerations-during-merger.aspx

Due to COVID-19 restrictions, we saw a major decline in mergers and
acquisitions (M&A) activity last year. However, M&A activity will likely
pick up again as restrictions on travel and in-person meetings subside.
Smaller companies may be more open to an acquisition to take advantage of
near-record high market valuations, and larger companies may ramp up M&A to
gain market share and accelerate growth.

Mergers are often very high profile and exciting transactions, but for them
to be successful, IT functions must be properly addressed, updated, and
secured.

Planning a Secure Merger

When mergers happen, the full IT function should perform the due diligence
necessary to ensure data security. Weak security results in theft of
valuable intellectual property, trade secrets, business strategies, and
personnel information. Not only are these damaging to the business, but
data breaches can also impact the valuation of an acquired company and
result in a reduced selling price, penalty fees, and lawsuits.

Detailed IT planning before closing the deal will help create a seamless
transition. Steps to prepare for the merger and ensure security include:

- Threat evaluation. Identify the company's cyber risks based on industry,
geography, partners, products, and services.
- Check hardware and software vulnerabilities. Take inventory, schedule
patches, and review digital asset management, cloud services, mobile
policies, application vulnerabilities, and data flows.
- Review data. Take a look at data privacy and security controls, including
how they pertain to the acquisition; also, review contractual obligations.

Transitioning to a Stronger, Safer IT Department

Key elements of a successful IT transition during a merger include tech
stack planning, security reviews, IT leadership planning, IT financial
management, and IT strategic alignment. By considering these IT levers, the
combined entity can have a secure IT strategy going forward.

Tech stack planning. When a company analyzes its business, it should
regularly evaluate the technology infrastructure and strategy. During a
merger, conducting this review is even more important. Initially there will
be many duplicate systems, and it will take time to select and migrate the
systems that will still be used. Many companies will rush to make changes,
which may result in less oversight, weak points, and poor system
integration. It is crucial to allocate sufficient resources to create the
best structure.

IT leadership planning. During a merger, roles and reporting structures
tend to change. Staying aware of the human aspects can ensure morale stays
high during the merger transition so IT department performance remains
optimal. Management should clearly and fairly communicate new IT roles and
policies.

IT financial management. Complex organizations can have dozens or even
hundreds of IT software applications and systems. Companies face numerous
overlaps during and after a merger. Software license agreements, network
costs, various service agreements, and staff rationalization are all
significant areas to gain efficiencies through volume discounts and
consolidation. By using IT financial management tools, companies can track
their IT spend and identify major cost-saving opportunities.

Security planning. Security breaches often occur during major business
transitions. This can happen due to disgruntled employees, increased
attention on the companies due to press coverage of the merger, employee
distractions, and overwork -- as well as security gaps caused by changing
processes. For example, with the merger, numerous new employees are added
to the organization's charts, and many people are issued new logins and
access to systems. Transitioning employees are unfamiliar with IT
processes, and the helpdesk is bombarded by higher ticket volumes. All of
this can increase the likelihood of a successful IT breach. It is crucial
to remind the entire organization to stay vigilant about IT security before
and during the merger.

IT strategy alignment. The last element is more strategic. The companies'
leaders should ask what IT infrastructure and capabilities are required for
the organization to succeed. With the merger, the business may have new
product lines, new revenue models, and different office locations. They may
also have very different policies for work from home or bring your own
device, etc. Therefore, leadership should revisit and re-envision what is
required for IT to enable success for the merged company.

Ongoing Security Improvement

Companies must continue to test and improve their security systems and
protocols because, unfortunately, hackers also continue to evolve.
Sometimes the first hack is just the beginning. Hackers might enter via a
phishing attack and remove some information. They may then continue to
monitor harmlessly, waiting for the right time to conduct a more dangerous
theft of information or damage to systems.

An initial hack may also make the company more susceptible to future hacks
if logins or passwords are leaked on the dark web. It is impossible to know
exactly when one has prepared enough for hacks. Security leaders should continue
to check off security items from their list and speak with other experts to
improve their systems. The companies at greatest risk are those that are
not thinking about security every day.

It can be helpful to hire third-party security consultants to perform
regular security audits and penetration tests. Another set of eyes that
knows the best practices can help you identify and close threat vectors. It
is not inexpensive to hire these third parties, but it is much cheaper than
the costs of a severe breach.

Merging companies cannot overlook the importance of transitioning valuable IT data
and systems to ensure due diligence and continued security. Successful
mergers require coordination, planning, and hands-on execution.