What is the biggest challenge for companies facing a merger and acquisition (M&A) from a security prospective?
M&A situations are one of the most sensitive times in the existence of a company. The risk to information assets during this time is increased by numerous factors such as different policies in effect, people, process inefficiencies, breakdowns in leadership and lax security controls. This kind of transitional period results in situations that can not only foster security breaches, but critically make them more difficult to detect. Any organization going through a merger or a sale must prepare for the transition by testing their business continuity plans, their incident response program and by verifying the security awareness level of their workforce.
Finally, a key aspect of such transitions is the inevitable turnover and its impact on internal security. Whether employees are disgruntled or simply feel that no one's watching, beefing up your security monitoring and reviewing employee agreements is an absolute must. Unfortunately, due to the numerous project and change management challenges involved, organizations and executives drop the ball on security on a regular basis. Part of the reason is that competent security consultants that offer this specific type of service are difficult to find. Look for a firm whose offerings include a standards-based approach to secure project management (SPM). What's your take on data security for these financial firms going out of business and being acquired?
The types of fire sales and mergers we are seeing in the financial industry are a cause for serious concern because so much personal and financial data is changing hands on such tight deadlines that mistakes are likely being made every day. Customers of such firms should enquire with their own institution about the nature and amount of their personally identifiable information being stored there. It is also important for clients of these firms to scrutinize bank statements on a monthly basis to identify any security issues as soon as they occur. The unfortunate reality is that in situations where organizations change in such fundamental ways, information assets, which represent the vast majority of the company's value, are the first to be misplaced or stolen. Whether that information is ever used for fraud or other unauthorized purposes is very difficult to determine going forward. I understand financial firms typically have stronger security than firms in other industries, but does security sometimes diminish in times of economic crisis at a firm?
Overall, corporate and information security do suffer during times when the economy forces this type of rapid change on company structure, ownership and operation. Unfortunately, resulting security and privacy breaches tend to affect the company's reputation and liability stance. With a proper framework of standardized controls, financial organizations have a strong chance of preventing, detecting and controlling potentially disastrous situations. How quickly can and should the acquiring company put its practices and policies in place during a merger or acquisition?
The acquiring company must communicate and deliver comprehensive education, documentation and guidelines well before the merger has taken place. Employees on both sides must be aware of policies, procedures, standards and guidelines early on to ensure a smooth transition. Human resources departments must look for gaps in liability and responsibility that would represent a security failure. Employees and management must know with a high degree of certainty what information they can take away and what information needs to be otherwise transitioned. Third-party organizations and consultants must be carefully managed to prevent information leaks and security breaches. I'm sure a gap analysis is also conducted. What should the acquiring company be looking for?
Gap analyses are conducted during the risk management part of the overall project as well as individually by each department involved in the transition. The key departments are those which make extensive use of information, such as IT, human resources, customer service and marketing. Any gaps in policy, awareness, monitoring and in particular, compliance standards are flagged and represent the basis of a project to securely transition information related processes and technology across organizational boundaries. Once a secure equilibrium is reached, the new organization can focus on managing their processes, enforcing policies and consistently monitoring its security posture. What are some best practices to ensure data integrity and security?
A mature information security management program is the only way to consistently and verifiably protect information. Fundamentally, every organization needs to adopt a data classification policy that will enable people, processes and technology to effectively handle corporate information. To adequately protect information, security professionals need to put in place a standardized framework of controls that covers all components of security: confidentiality, integrity and availability. Preventing access to sensitive information is never enough. Data requires preventive, detective, corrective and compensating controls to ensure that if anything ever happens, the breach can be analyzed, contained and remediated in the least amount of time.
The best practices to adopt are split between people, processes and technology: People must be trained, motivated and aware of external and internal threats in order to make the right decisions to protect data. Processes must be streamlined to ensure security while not reducing productivity and usability. Technology must be carefully configured and implemented to ensure that it's an effective security enabler rather than a hindrance. There is a fine line between security measures that help reduce and control the risk and others that negatively impact operations and invite users to bypass controls just to get their work done. Adequate security is difficult to implement, but once an organization reaches the right level of maturity, security measures will not only save time and money, but also contribute to improved credibility and efficiency.