How To Mitigate The IT Security Risks Of M&A
Mergers and Acquisitions (M&A) are hard to ignore in the reality of the business world. It is a time filled with back and forth negotiations, strategising, guessing and second-guessing your instincts. Traditionally, the deal would become final and irrevocable with the signing of contracts. A formal shake of hands would then pass the control from one to the other. If you look closer, the transition period would be full of chaos and hiccups.
Data security too would not be handled as well as it should have been. Thanks to new and improved laws and advanced technology, a lot of streamlining has occurred in the M&A procedures. In spite of that, one thing that still remains critical and more so due to its sensitivity is “IT security”. The associated IT security risks of M&A can sour the entire deal.
What is the Challenge?
M&A activities is not a normal days work. These are carried out for months before things can be finalised. During this time of analysis and negotiations, sensitive data is in the hands of third parties at many times. Also, limited inside access is given to them so that they can perform their job post haste and with due diligence. When paired with lax security this is the time when most proprietary information falls in the wrong hands. A perpetual threat from hackers does not make the job any easier either. The significant risk of data exposure and theft becomes more prominent during M&A.
The Different IT Security Aspects
The different aspects of security that must be considered during M&A are -
1. Physical Location security - first and foremost the place to secure is the actual premise itself where the IT assets are located. Once that is done, employees access to the location has to be looked into.
2. Data Security - Next comes securing all the electronic and physical data. This could include employees, clients, contracts, financials, and legal documents. Backups should also be secured and recovery procedures carefully analysed to check for possible leaks.
3. Software Security - Any new or old application or software should be checked for viruses and trojans. This can be done by application penetration testing for both desktops and mobiles.
4. Network Security - This would include the security of routers, firewalls, analysing access points, and web servers during the integration of workstations and all such network devices.
5. Architectural Design Flaw Analysis - This would relate to finding any flaws in the design models and technology stacks which could result in potential security threats.
6. IT Compliance - Adopting policies which would guarantee application and tools compliance is something you need to make sure of. If separate policies are being used it could cause chaos to the IT security.
Mitigating the IT risk of M&A is not impossible. The only thing it requires is stringent controls and hard work. In order to protect the IT assets and close all possible loopholes here are a few things you can do (trust me, they’ll make your job and life a lot smoother) -
1. Review All Third-parties - There are multiple third parties involved in a merger and acquisition. These would typically involve an independent auditing firm, one or more law firms, some investment banks, a couple of advisory firms and the counterparty itself.
Sensitive data within them exchanges hands multiple times. If the party itself is corrupt or if they don’t have ample IT security your data could fall into the wrong hands with ease. A review of all the third parties will give you a chance to access their reputation as well as security measures they have in place. If you are not satisfied with their security you could ask them to upgrade it or look for a more secure partner.
2. Control Access - Giving admin privileges to data is not a good decision. Access should be given only on a need to know basis and then too it can be further restricted by making it a “read only” access. Permissions should not be given to allow the third party to make any copies of it.
All the information should be viewable on screen if possible. In case of any hard copies, they should be destroyed as soon as they solve their purpose. Also, at every stage of M&A, all the data is not required. You should refrain from putting everything on the figurative table at once.
A good solution is to have multi-tiered document access. As the deal moves forward, greater access can be provided. However, if the deal does fall flat at any time you will know which information the third-parties had.
3. Assessment Of Vendor Tools - Vendors come onboard with their own set of software tools. These tools are mostly used for analysis, assessment and drawing up comprehensive reports. It is quite possible that one or more tools used by the vendor are already infected with malware. The risk of this malware passing down into your own systems and network devices is quite high. An assessment of vendor tools will give you a chance to mitigate any associated risk.
4. Monitor internet - As soon as the news of a merger or acquisition hits the newsstands, you will see a rise in the number of fake accounts that are set up using either the company name or those of its employees. Not only that, but the darknet also gets buzzing. For hackers, this is the prime playground where they drop tidbits of information regarding the possibility of an unethical entry into the company servers. At such a point, it is necessary to keep track of all internet activity that mentions you as the buyer or the company which is being acquired. All fake accounts in the name of the company itself and its employees should be reported immediately and deleted. There will also be a noticeable rise in social media activity mentioning your company time and again. All news which is unjust and false should be immediately addressed because this could lead to the downfall of a possible deal.
5. Review Target Firm Security - Security measures being used by the counterparty are also of major concern. You can’t just assume that everything is as it should ideally be. For all you may know, they could have let their security become lax in the aftermath of the M&A announcement. Before anything else, ask your security experts to review the security measures in place at the target firm and how they could be further strengthened if necessary.
The heart of the matter is that firms involved in M&A should do so only after thoughtful consideration. Then too, adhering to secure SDLC, assessment of all tools used by the vendors, architectural risk analysis, assessment of security at physical locations, and application penetration will mitigate the IT security risks of M&A.