Alterson said, “If an organization purchases or is merging with another one for efficiency or industry consolidation, it is more likely to have a higher risk profile for internal threats because there is more likelihood of layoffs, which creates this feeling of winners and losers.”
Whether it’s a disgruntled employee or a criminal targeting an enterprise, when a company joins forces with another, the two also combine their security threats. Alterson said, “In addition to acquiring the assets, they are also acquiring the risk profile. Oftentimes different companies have different threat profiles. Especially if it is an Asian market or a new area.”
“The challenge for CISOs,” said Alterson, “is that they might not have a full view onto threats in that particular market and might not have a full appreciation of the threats involved in that area and how to react to those threats.”
Mergers and acquisitions result in changes in strategies and operations that can also impact security. Alterson said, “One example is an organization that has been primarily involved in B2B operations and not consumer facing acquiring a unit that was more consumer facing.”
“As a result, that organization was acquiring different kinds of data such as personal information, credit card data, banking data that is often the target of a lot of mass distributed malicious code or identity feeds that a B2B wasn’t prepared to deal with before,” Alterson continued.
What they don’t know can hurt them, so enterprises need to understand the security risks involved in mergers and acquisitions.
Alterson said, “Sometimes organizations are buying a company for specific products or services. In those cases there should be a deep dive that should include pen testing or application security testing. I would also recommend that organizations ask for a disclosure of past security breaches.”
That’s not a standard due diligence question you’ll get out of a finance person, said Alterson. But if security leaders aren’t part of the negotiating team, these types of questions need to come from the finance person, the CEO, or the legal representation.
Jonathan Thompson, founder and CEO of Rook Security, said, “One of the challenges is that the CISO is not involved early enough.” The security of the enterprise, as well as the security of critical business transactions, would benefit from companies widening their circle of trust to include the CSO or CISO in the early parts of M&A conversations.
Thompson said, “One of our global 500 clients is going through an international merger. They would frequently go to hotels to conduct meetings and would use the hotel Internet.” Because they were discreetly conducting transactions off-site, they were compromising the security of the enterprise by using unsecured WiFi.
When companies enter into mergers and acquisitions, it’s critical for both sides to understand the security policies and the ways in which they need to be intertwined into a new security architecture that protects critical data.