AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


Mergers and Acquisitions: A Security Point of View


In today’s business environment, mergers and acquisitions occur on a regular basis. While many organizational and cultural aspects are affected by a merger or acquisition, one area that must not be overlooked is IT security. The owning company must be diligent about streamlining security processes and policies and enforcing them from the beginning, or it will have a long, hard road ahead. Here are some tips that I’ve implemented first-hand to ensure a successful merger or acquisition from a security perspective.

Merger:

  1. Things get really interesting when a merger occurs. When two companies merge there is no single corporate owner, and each entity often ends up working in a silo under a common name. Sometimes there is an uneasiness, and one side views the other as a competitor instead of a partner. Strong communication between the companies must be a priority, because the best chance for security success is to work together as a team rather than in a vacuum, where you can teach your counterparts and learn from their solutions and processes.
  2. A merger will usually end up bringing each organization’s systems and procedures together. If you are not going to completely integrate the two networks, each company needs to be treated as a third party, with benefits: from a networking standpoint, allow only the access that genuinely needs to be given until policy and procedure have been streamlined, for your own protection. Defining a corporate baseline that pulls both networks under one policy, and having visibility into compliance with it, will be a key initiative.

Acquisition:

  1. As the acquiring company, your information security department is put in the position of verifying the security posture of the acquired company. There are many steps to take in an acquisition, but the first and most important is to perform a complete assessment of the infrastructure (physical and technical) and a thorough review of their policies and procedures. During the infrastructure review you need to scan their entire network for vulnerabilities, patch levels, application and operating system versions, and system and network configurations.
  2. During this assessment, information security should baseline what the acquisition will need to do in order to become part of the new corporate network. This means remediating the findings and verifying that the security systems in place meet corporate standards. More specifically, it typically means reviewing firewall rulesets and/or ripping out the firewalls, IPS and other security systems from the acquisition’s network and putting in the corporate-approved systems.
  3. The acquired company is now part of your network, and your policies and procedures are now theirs. If they are grafted completely into your network without adopting your security culture, you are putting yourself at risk by having a rogue network inside your organization. The newly purchased company might not have the security awareness training that you so diligently give your users, or it might have a very insecure network that leaves you exposed once integrated. Reviewing your security needs with them will explain why certain policies must be in place, such as regulatory requirements to which the parent company must adhere. When you are on the other side of an acquisition, it naturally feels like you are being bullied into something against your will. What you need to understand is that this is no longer your network, and that you now report to a higher entity. Engage with the technical team at the acquiring company to bring your network up to par with theirs, or change aspects of it to fit into their baseline.

Failing to take the time and thought to integrate a new acquisition or merged companies into one corporate network will have serious consequences. There cannot be two networks or two policies; everything needs to be integrated and managed as one to keep the new, larger entity secure. There needs to be awareness of the new entity’s corporately defined policies and procedures. That means standardization of change control processes, compliance with internal configuration standards and, ultimately, adherence to the company’s overall security posture.
