From people and organizations, to strategic alignment and governance, the complexity of M&As can be overwhelming. But more importantly, it can be a major security vulnerability for both companies coming together.
Today, the four biggest IT security risks in an M&A are:
- Security postures. When you bring together two organizations with different approaches to securing data, there is a significant chance that you will create gaps. Before an M&A, each organization has its own security profile and most likely secures its data differently. As you bring them together, you may open security holes that can be exploited, jeopardizing the entire process. So rule number one in M&As is to never sacrifice your security posture. You need tight controls over how the two companies come together and share their data at every step of the way, and knowledgeable security architects from each organization should be at the table very early in the engagement.
- Data classification. It’s not uncommon for companies to classify their data differently, so establishing a common taxonomy of how data is regarded and classified is critical. For example, company A may classify its sensitive data as “classified/internal use only,” while company B may label those files “restricted.” These classifications are especially important in M&As because both companies need to ensure they apply the same controls to data in the same vertical. To make this possible, we have to understand both where the data exists and its significance, always ensuring that merging organizations arrive at a common method of classifying information.
- Security technologies. Technology can be a major risk because it determines the efficacy of your controls. In M&As, it is common to find duplication, but also gaps. You should ask: What are the security capabilities of each organization? Does one organization possess a higher maturity in a specific security domain or domains? How do we bring these strengths together to ensure a robust and effective security program? Do both organizations have intrusion prevention systems? Do they have security information and event management (SIEM)? Methodology is just as important in M&As as the technology itself. Ask yourself: Do we apply similar controls to similar systems and information? What is our BC/DR/IR strategy for these systems? Do both organizations grant access to the environment in the same way? A thorough review is in order to ensure that you have the right capabilities and processes for the necessary controls.
- New risks. As two companies with different IT systems, capabilities and methodologies merge, new risks will arise that require mitigation. This is especially important for compromise and compliance risk, because an M&A can expose one company to extra scrutiny due to regulations imposed on the other. PCI compliance is a good example: if the acquired company falls within PCI audit scope and the acquiring company has not been audited, the result could be a larger audit and, eventually, sanctions. A review of both organizations' risk registers is a good start, but a thorough review with a holistic assessment is essential.
Ultimately, it all comes down to priority.
IT leaders need to involve their security teams from day one and see to it that IT security is woven into every stage of the integration process. This means making sure each organization defines a process where they understand their risks and vulnerabilities, as well as the security controls at their disposal to mitigate them.
Finally, re-evaluate and retest your controls every step of the way as the merger or acquisition progresses. Be prepared to make adjustments to ensure your security posture remains sound without creating new security headaches.