
The merger and acquisition process: How can organizations stay secure?

Organizations dealing with the complicated merger and acquisition process can't forget about security. Unfortunately, security presents a whole new set of obstacles.

Enterprises going through mergers and acquisitions typically face many security threats and need to shift security programs to fit the new layout of the company. How should companies handle transitioning security programs during the merger and acquisition process? What are some of the biggest obstacles during these kinds of transitions?

The business culture of a company and its management is the single biggest influence on whether a business will be successful in a merger or acquisition. Whether it is a merger of two equals or a company acquiring another, executive management needs to understand the commonalities and differences to ensure a smooth transition. Typically, the CISO is not involved in the final merger and acquisition transaction. The CISO is informed of the event and asked to propose a merger and acquisition process that would maintain adequate protection of both entities' mission-critical applications, hardware components, customer data and intellectual property.

Assuming the merger and acquisition companies are in the same industry, there are probably commonalities in products and services. What may differ are operational processes, market, protection schemes, IT platforms, database technologies, use of managed services, in-house and colocation data center sites, IT organizational structures, information security staff skill sets, cybersecurity tools and monitoring systems, access control software and network topologies. Additionally, IT, operations, development and information security support staff relations may be a mixed bag of cooperation, silos and opposing viewpoints.

Companies can integrate IT environments several ways during the merger and acquisition process. One way is to pick up and move. The acquired company is basically integrated into the acquiring company's IT environment and made to fit. The second approach is to take the best aspects of the two IT environments and blend them together. This takes a significant amount of time to realize. The third option is to run the two IT environments in parallel with phased integration.

In all three approaches, information security needs to do the following:

  • Use each company's IT risk assessments to identify mission-critical systems, applications and network environments;
  • Review each company's business impact assessments to determine which business units are greatly affected if IT environments, applications and systems are not available;
  • Obtain a full inventory of all hardware, network devices, system software, applications, users, endpoint devices and mobile devices for both companies;
  • Obtain a full inventory, including locations, of personally identifiable information, intellectual property, and PCI DSS- and HIPAA-regulated data, whether it is structured data, unstructured data or backups;
  • Perform a vulnerability assessment on each high-risk IT environment and ensure systems are hardened before the conversion;
  • Determine if there are morale issues among employees from possible layoffs or terminations that would require close monitoring of suspect individuals;
  • Work with the IT department to coordinate schedules for integrated systems and ensure protection schemes remain intact before, during and after migration; and
  • Ensure there is a backout plan, and that if protection constructs are changed by IT, strong monitoring controls are in place to detect unauthorized access.

The key to a successful merger and acquisition process is to ensure all mission-critical systems and data are protected at all times. Monitoring systems such as SIEMs, log servers, IPS/IDS, antivirus, antimalware, DLP, web application firewalls and authentication systems must be working properly. Alerts should include network anomalies, privileged account activity, critical data movements detected by DLP, access violations and changes to access authorizations. The CISO should be embedded in the merger and acquisition planning to ensure protection schemes of critical systems are integrated into the merger and acquisition process.
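The alert classes listed above can be checked against audit data while a migration is in flight. The following Python script is an added example, not code from the original article or from any product it names: it runs a few constructed key=value audit lines (the format, account names, targets and the approved change window are all assumptions made for the example) through four rules that map to the alerts the text calls for, namely privileged account activity outside the approved migration window, changes to access authorizations, access violations (denied requests) and DLP-detected critical data movements.

```python
from datetime import datetime, timezone

# Constructed sample audit lines (assumed key=value format, not a real product's output).
SAMPLE_LINES = [
    "ts=2016-05-14T23:10:00Z actor=svc_migration action=db_export target=crm-prod result=ok",
    "ts=2016-05-15T09:42:00Z actor=svc_migration action=db_export target=crm-prod result=ok",
    "ts=2016-05-15T10:05:00Z actor=jdoe action=group_add target=DomainAdmins result=ok",
    "ts=2016-05-15T10:07:00Z actor=jdoe action=file_read target=hr-payroll-share result=denied",
    "ts=2016-05-15T10:30:00Z actor=asmith action=dlp_match target=customer-pii-export.csv result=blocked",
    "ts=2016-05-15T11:00:00Z actor=asmith action=file_read target=public-wiki result=ok",
]

# Assumed inputs the security team would supply from the inventory step:
# privileged accounts used for the conversion, the actions that alter
# authorizations, and the approved change window for migration activity.
PRIVILEGED_ACCOUNTS = {"svc_migration", "domain_admin"}
AUTHZ_CHANGE_ACTIONS = {"group_add", "group_remove", "role_grant", "acl_modify"}
CHANGE_WINDOW = (
    datetime(2016, 5, 14, 22, 0, tzinfo=timezone.utc),
    datetime(2016, 5, 15, 4, 0, tzinfo=timezone.utc),
)


def parse_line(line):
    """Split one key=value audit line into a dict and parse its UTC timestamp."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    fields["ts"] = datetime.strptime(fields["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return fields


def classify(event):
    """Return the alert tags an event triggers; an empty list means no alert."""
    alerts = []
    start, end = CHANGE_WINDOW
    # Privileged account activity is expected only inside the approved window.
    if event["actor"] in PRIVILEGED_ACCOUNTS and not (start <= event["ts"] <= end):
        alerts.append("privileged_activity_outside_window")
    # Any change to access authorizations is alerted during the migration.
    if event["action"] in AUTHZ_CHANGE_ACTIONS:
        alerts.append("access_authorization_change")
    # A denied request is an access violation worth reviewing.
    if event["result"] == "denied":
        alerts.append("access_violation")
    # A DLP match records a critical data movement.
    if event["action"] == "dlp_match":
        alerts.append("critical_data_movement")
    return alerts


def triage(lines):
    """Run every line through the rules and return (tag, actor, target) findings."""
    findings = []
    for line in lines:
        event = parse_line(line)
        for tag in classify(event):
            findings.append((tag, event["actor"], event["target"]))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LINES):
        print(finding)
```

Of the six constructed lines, four produce findings: the migration account's export outside the window, the group membership change, the denied read of the payroll share and the DLP match; the in-window export and the read of a public share are silent. In practice the account list and change window come from the inventory and scheduling steps above, and the rules would be expressed in the SIEM rather than in a script, but the logic is the same.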


This was last published in May 2016
