How to keep IT security at the forefront during a merger

M&A can mean acquiring the other company's security problems.


1. Let two become one—safely

Stephen Boyer, CTO and co-founder of BitSight, knows one of the biggest threats to your company's tech security: the possibility that it might buy another company. He points to a survey from West Monroe Partners that found that 40% of acquiring companies discovered a cybersecurity problem in an acquired company—after a deal went through. It probably shouldn't be surprising that, in a 2014 survey from Freshfields Bruckhaus Deringer, a staggering 78% of respondents said cybersecurity is not analyzed in-depth as part of due diligence in an acquisition.

If you're working for a company that's acquiring—or being acquired—how can you avoid falling into this trap? A host of security pros gave us advice on what to do to keep things locked down before, during, and after an acquisition.


2. Start planning early

Sam Curry is CSO and CTO of Arbor Networks, which was acquired by NetScout last year. The companies were already focused on security, so naturally they did things thoroughly: even before the event, top security pros within the companies formed, as he put it, "a security council, where we could get to know each other and discuss risk inherent to the acquisition."

F. John Bullard, vice president of engineering at Distil Networks, urges you to establish a shared plan, and quickly. "There are many areas that need exploration and time will be short," he says. "Pull together an itinerary with scheduled blocks for each task, and share it with the acquiree ahead of time. This will help both sides complete tasks that can be done remotely and focus on high-value conversations while on-site."


3. Public info can be your friend

You won't get inside information about a merger company early in the process—but you also won't need it to get started. "Public records, internet searches, threat reputation database searches, and social media research are valuable tools in identifying possible security weaknesses or evidence of previous security issues with an acquired company," says Dale Drew, CSO at Level 3 Communications. "Often, there will be a court filing, SEC filing, or public social media discussion on a major security breach, or weakness."

BitSight's Boyer urges you to take a look at a company's security ratings from reputable agencies, which "examine the historical execution of an organization and highlight control gaps or weaknesses in the target's infosec programs over time."


4. Merger documentation can itself be a target

The delicate nature of a merger negotiation means that information about the merger itself may become a target for hacks, so you need to have a specific security plan for that data. "You must be able to know where your merger documents are located," says Kevin Cunningham, president and founder of SailPoint. "Who has access to them? Are they overexposed? You also need to know who is accessing the documents and if that access is legitimate."

Ron Heinz, managing partner at SignalPeak Ventures, adds, "Providing diligence materials and access to systems is a tricky balancing act, especially when merger partners can be competitors. Pre-closing, it's helpful to assign oversight to a team monitoring the sharing of information to ensure confidential documents and systems are safeguarded."


5. Ask specific questions

Dave Wagner, CEO of ZixCorp, recommends asking for some specific information to get a sense of how a potential merger partner has conducted itself in the past:

  • How does the company educate and train its employees and partners about company policies, email security risks, and necessary measures to mitigate risk?
  • Have directors and C-level executives participated in data security training? Have they been involved in the development of data security procedures?
  • Have you suffered thefts of confidential data?
  • If so, what have you done to combat them moving forward?

This, he says, "will help buyers understand the type of sensitive information the other company holds, how it's protected, and what protection changes will need to be implemented."


6. Get maximum visibility before the merger

The goal with these questions is to assemble a complete view into both networks' pre-merger state. "When the networks are linked without a DMZ, any malware will begin its lateral movement," says Paul Kraus, CEO of Eastwind Networks. "So knowing the separate networks' behaviors will facilitate the understanding of what a combined network should look like."

"Being armed with this data before the merger process is helpful to solicit feedback, internal documentation, and investment information on what has been put in place to correct any of the issues discovered," says Level 3 Communications' Drew. "Often, you may uncover an issue that the to-be-acquired company hasn't discovered yet, which will directly inform how much caution needs to be considered for the merger process."


7. More companies, more problems

Keep in mind that a merger is a logistically and legally complex process that involves much more than just the two companies that are combining. "We are talking about the bankers, lawyers, suppliers, contractors, subcontractors, etc. that are now involved in both sides of the deal," says Eastwind's Kraus. "You can see how quickly a merger of two corporate entities quickly becomes a merger of two corporate ecosystems. You don't just merge the people, assets, cultures and customers; you inherit their breaches as well."


8. Acquired companies may be in trouble

While the press releases may tout a merger of equals, the truth is that many companies offer themselves up for sale precisely because they've been in financial and logistical distress—and that can translate into internal dysfunction. "Often, the acquired company is 'distressed,' meaning that they may not have had the opportunity to keep up with investment in critical and necessary areas," says Level 3 Communications' Drew. "This can lead to the discovery of poor practices, out-of-date and exposed assets, and lack of coverage or visibility of company assets from a security perspective."


9. An acquired company may come with breaches already baked in

Why focus so much on pre-merger security? The experts we spoke to gave multiple specific examples of the M&A nightmare scenario: a company with good cybersecurity acquiring another company that's already been breached. Eastwind's Kraus mentions a case he dealt with where "the acquired firm injected malware into the source code pipeline of the acquirer. This injection was not known for about a year—but once known, the damage was done. Source code was stolen, the product was compromised, and the company's reputation was tarnished."

BitSight's Boyer points to a very public case where this was narrowly avoided. "Samsung bought LoopPay for $250 million as a key component for its mobile payment system," he says. "LoopPay suffered a breach months before Samsung purchased the company, but the breach was only discovered one month before the transaction completed."


10. Meticulously document everything in advance

Larry Larmeu, managing director at L2 Digital, saw a lack of documentation wreak havoc in a merger he worked on. "A lot of the unexpected problems were related to one of the sides not having much of their network documented," he said. "They had no standards for any of their technology processes, even down to granting permissions to resources. When it came time to do the merger, nothing worked as planned because none of the planning and testing we had done in the lab environment could simulate the lack of homogeneity in their network."


11. Automate your processes

You need to figure out who ought to have access to what data in your newly merged company, and to do that, automated processes are key. "You must be able to create the roles, policies, and procedures necessary and have those rules put into effect without needing to go through one-by-one to change and manage permissions," says SailPoint's Cunningham.

Coming up with a unified set of security policies can be aided by automated tools as well. Michael Callahan, vice president at FireMon, points out that, as mergers invariably involve combining multiple vendors and legacy policies, "native management tools won't give the complete view necessary, so you should establish and enforce new best practices via a third-party management platform. A third-party tool with automated analysis will give you the picture you need to ensure secure access is maintained."


12. Figure out who's in charge of what

Remember, much of cybersecurity revolves around control of resources—and people with power and control don't give it up easily, even as the organization shifts around them. "Having a good asset inventory that shows who has access to what—especially for administrators—is something I have commonly seen missed until it's too late," says J. Nathan Wenzler, principal security architect at AsTech Consulting. "You end up with admins who hold their fiefdom hostage and won't relinquish credentials—or even tell anyone their systems exist. Get an inventory for everything and then figure out who has access to all of it in order to bring everything under a merged domain structure more easily."

Iain Paterson, managing director at Cycura, recommends using a "privileged account management solution to see who has the keys to the kingdom."


13. Watch out for people trying to do things the old way

It's not just admins who will fight to keep old, pre-merger practices in place. Former global CISO J.R. Reagan, who dealt with several mergers as a consultant, points out that many ordinary users will also want to maintain longstanding insecure practices, whether out of convenience or sheer inertia. "We would train users in the acquired company almost as if they were new hires," he says. "Acquired employees might try to do things the old way and skirt some rules—using third-party file sharing that wasn't approved, for example. But we had controls in place to prevent this from occurring even if employees tried to access the banned services."


14. Lock down systems even if you're going to get rid of them soon

Your merger IT plan probably involves consolidating systems and eventually putting some out to pasture. But that may take longer than you think, and you need to make sure the security of the systems you plan to dump isn't neglected. Exabeam CMO Rick Caccia offers a harrowing tale from a merger he was involved in: "A sales rep who had left a company right before it was acquired never had his access to the sales management system turned off. For more than three months, he was able to see every deal the sales force was working on. The acquirer didn't pay much attention to the sales system, since it would eventually be turned off. We lost multiple deals, worth millions, until the system was finally killed."
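The two failure modes above (Wenzler's "who has access to what, especially for administrators" inventory gap, and Caccia's departed sales rep whose account in a soon-to-be-retired system was never disabled) are both found by the same check: reconcile every system's account export against the merged HR roster. The script below is an added example, not code from the article or from any of the companies quoted; the roster, the system names and the account exports are constructed sample data, and the export format is an assumption standing in for whatever each real system produces.

```python
"""Reconcile per-system account exports against the merged HR roster.

Added example with constructed data. It answers three questions the article
raises during a merger:
  1. Which enabled accounts belong to people who have left (or were never
     in HR at all)?  -> the "sales rep who left" case
  2. Which privileged accounts have no named owner?  -> admin fiefdoms,
     shared or service accounts nobody admits to
  3. For each person, where do they hold privileged access, and what is
     their HR status?  -> the inventory needed before merging domains
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    system: str         # constructed system name, e.g. "crm", "ad-target"
    username: str
    owner_email: str    # "" when the export maps the account to nobody
    privileged: bool
    enabled: bool


# Constructed HR roster after the merger: email -> status.
# "notice" models staff slated for head-count reduction.
ROSTER = {
    "alice@acq.example": "active",
    "bob@acq.example": "active",
    "carol@target.example": "active",
    "dan@target.example": "terminated",   # left just before the deal closed
    "erin@target.example": "notice",
}

# Constructed account exports from three systems on both sides of the deal.
ACCOUNTS = [
    Account("crm", "alice", "alice@acq.example", False, True),
    Account("crm", "dan.sales", "dan@target.example", False, True),   # orphaned
    Account("crm", "carol", "carol@target.example", True, True),
    Account("ad-target", "carol", "carol@target.example", True, True),
    Account("ad-target", "svc_backup", "", True, True),               # unowned admin
    Account("ad-target", "erin", "erin@target.example", True, True),
    Account("ad-target", "olduser", "gone@target.example", False, False),  # already disabled
    Account("ad-acq", "bob", "bob@acq.example", True, True),
]


def orphaned_accounts(accounts, roster):
    """Enabled accounts whose named owner is terminated or absent from HR."""
    return [
        a for a in accounts
        if a.enabled and a.owner_email
        and roster.get(a.owner_email, "unknown") in ("terminated", "unknown")
    ]


def unowned_privileged(accounts):
    """Enabled privileged accounts with no named owner at all."""
    return [a for a in accounts if a.enabled and a.privileged and not a.owner_email]


def privileged_by_person(accounts, roster):
    """Map each person to (HR status, sorted systems where they are privileged)."""
    systems = defaultdict(set)
    for a in accounts:
        if a.enabled and a.privileged and a.owner_email:
            systems[a.owner_email].add(a.system)
    return {email: (roster.get(email, "unknown"), sorted(s)) for email, s in systems.items()}


def privileged_with_status(accounts, roster, statuses=("notice",)):
    """People in the given HR statuses who still hold privileged access.

    Useful as a watchlist for the insider-risk period the article describes.
    """
    return sorted(
        email for email, (status, _) in privileged_by_person(accounts, roster).items()
        if status in statuses
    )


if __name__ == "__main__":
    for a in orphaned_accounts(ACCOUNTS, ROSTER):
        print(f"ORPHANED   {a.system}/{a.username} owner={a.owner_email}")
    for a in unowned_privileged(ACCOUNTS):
        print(f"UNOWNED    {a.system}/{a.username} (privileged)")
    for email, (status, systems) in privileged_by_person(ACCOUNTS, ROSTER).items():
        print(f"PRIVILEGED {email} [{status}] -> {', '.join(systems)}")
    print("WATCHLIST ", privileged_with_status(ACCOUNTS, ROSTER))
```

Run it against one export per system before the networks are joined, then re-run after each cutover; the orphaned and unowned lists should be empty before a system is allowed to outlive its planned retirement date.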


15. Stopgap measures may be necessary

While management's instincts may be to combine the merged companies' networks as quickly as possible, don't outrun your ability to keep those networks secure. An intermediary period in which the two networks operate in parallel may be necessary, and you can take steps to make that period less awkward. "Temporary access to resources can be provided in ways that don't fully expose both networks to each other while still allowing work to occur," says Cycura's Paterson. "Some common methods of doing this are federation of controlled user groups, along with allowing access to resources via Citrix, RDP, or other remote technologies."


16. Don't neglect the human factor

Distil's Bullard suggests you hold what he calls a "culture crash course" for staff of the newly merged company. "This is very important, as most integrations fail due to cultural differences rather than technical issues. Share experiences that encapsulate the core principles of your company—do you have alignment?"

Remember too that a merger is a time of great stress and uncertainty for many at both companies. "Some employees may be disgruntled, fear their jobs will be made obsolete, or are slated for head-count reduction," says Cycura's Paterson. "Monitoring privileged account use is one of the easier ways to identify these threats."
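Paterson's advice to monitor privileged account use needs a concrete definition of "unusual". The script below is an added example, not code from the article or from Cycura; the log line format and all log entries are constructed for illustration. It learns which hosts each admin normally touches during a baseline window, then flags later privileged logins to hosts outside that baseline, logins outside business hours, and bursts of distinct hosts within a short window.

```python
"""Flag anomalous privileged logins against a per-account baseline.

Added example with a constructed log format (real sources such as Windows
security events or sshd logs need their own parser). The detection logic is
deliberately simple so that each finding carries an explainable reason.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed line format: "<ISO8601Z> host=<h> user=<u> event=<e> privileged=yes|no"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"event=(?P<event>\S+) privileged=(?P<priv>yes|no)$"
)
BUSINESS_HOURS = range(7, 19)      # 07:00-18:59 UTC is treated as normal
BULK_WINDOW = timedelta(minutes=15)
BULK_THRESHOLD = 4                 # distinct hosts inside BULK_WINDOW

# Constructed sample log: one week of baseline, then the detection period.
SAMPLE_LOG = """
2016-03-01T09:02:11Z host=dc-target-01 user=carol event=login_success privileged=yes
2016-03-02T10:15:40Z host=dc-target-01 user=carol event=login_success privileged=yes
2016-03-03T14:30:02Z host=crm-app-01 user=carol event=login_success privileged=yes
2016-03-02T11:00:00Z host=dc-acq-01 user=bob event=login_success privileged=yes
2016-03-02T11:05:00Z host=wiki-01 user=erin event=login_success privileged=no
this line is malformed and must be ignored
2016-03-10T02:13:05Z host=fs-target-01 user=carol event=login_success privileged=yes
2016-03-11T09:00:00Z host=dc-target-01 user=carol event=login_success privileged=yes
2016-03-12T13:00:00Z host=srv-a user=bob event=login_success privileged=yes
2016-03-12T13:03:00Z host=srv-b user=bob event=login_success privileged=yes
2016-03-12T13:06:00Z host=srv-c user=bob event=login_success privileged=yes
2016-03-12T13:09:00Z host=srv-d user=bob event=login_success privileged=yes
2016-03-12T20:00:00Z host=wiki-01 user=erin event=login_success privileged=no
""".strip().splitlines()
BASELINE_END = datetime(2016, 3, 8, tzinfo=timezone.utc)


def parse_line(line):
    """Return an event dict for a well-formed line, or None for junk."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "host": m["host"], "user": m["user"],
            "event": m["event"], "privileged": m["priv"] == "yes"}


def privileged_logins(lines):
    """Successful privileged logins only, in time order."""
    events = [e for e in map(parse_line, lines)
              if e and e["privileged"] and e["event"] == "login_success"]
    return sorted(events, key=lambda e: e["ts"])


def build_baseline(events, baseline_end):
    """user -> set of hosts that user touched before baseline_end."""
    baseline = defaultdict(set)
    for e in events:
        if e["ts"] < baseline_end:
            baseline[e["user"]].add(e["host"])
    return baseline


def detect(lines, baseline_end):
    """Return (timestamp, user, host, sorted reasons) for each suspicious login."""
    events = privileged_logins(lines)
    baseline = build_baseline(events, baseline_end)
    recent = defaultdict(list)     # user -> [(ts, host)] seen after baseline_end
    findings = []
    for e in events:
        if e["ts"] < baseline_end:
            continue
        reasons = []
        if e["host"] not in baseline.get(e["user"], set()):
            reasons.append("new_host")          # host never seen for this admin
        if e["ts"].hour not in BUSINESS_HOURS:
            reasons.append("off_hours")
        recent[e["user"]].append((e["ts"], e["host"]))
        hosts_in_window = {h for t, h in recent[e["user"]] if e["ts"] - t <= BULK_WINDOW}
        if len(hosts_in_window) >= BULK_THRESHOLD:
            reasons.append("bulk_hosts")        # sweeping many hosts quickly
        if reasons:
            findings.append((e["ts"].strftime("%Y-%m-%dT%H:%M:%SZ"),
                             e["user"], e["host"], sorted(reasons)))
    return findings


if __name__ == "__main__":
    for ts, user, host, reasons in detect(SAMPLE_LOG, BASELINE_END):
        print(f"{ts} {user:<6} {host:<14} {', '.join(reasons)}")
```

The baseline window should end before the merger is announced internally, so that the reference behaviour predates the period of uncertainty; a fresh baseline is also needed whenever an admin's role legitimately changes during integration, or the check degrades into noise.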


17. Watch out for a security brain drain

Post-merger personnel shifts can be particularly hard on security, where institutional memory is important in piecing a secure post-merger network together, so take steps to prevent an exodus. According to Mike Patterson, vice president of Strategy at Rook Security, that means making "every effort for an even integration of individuals in a post-merger team" to prevent a brain drain. "A merger that merely stocks the top roles with the acquiring company will see talent flee from the acquired side and provide little continuity in security operations for a sizeable piece of the new enterprise," he says.


18. Use the opportunity to pick the best tools

Karthik Swarnam, CIO of DirecTV, said that when his company was acquired by AT&T in 2015, IT staff had to "eliminate overlap in our systems, and determine the best policies and tools within each organization to implement the appropriate ones across the company." He says this gave them the opportunity "to explore newer security approaches broadly across AT&T while working to help secure DirecTV assets. We can share creativity, operational synergies, etc."


19. The best laid plans of mice, men, and mergers

Finally, remember that you'll need to stay flexible: you can (and should) plan as much as you can at the start, but you may find yourself needing to improvise as the merger process advances. "After companies are combined, lots of things can change," says Rook Security's Patterson. "Executives who may serve as the lynchpin of the strategy may be jettisoned or leave for other opportunities, requiring a new approach. Despite the best pre-merger intentions, there tends to be an integration period after which companies will re-evaluate what their security strategy is going to be."

Copyright © 2016 IDG Communications, Inc.
