I have a friend who is an executive in a small-to-medium-sized company that operates in the technology sector and has a great deal of intellectual property invested in its software. They are very good at what they do and have an international presence. We have spoken at length about their IT security posture and the precautions they have taken to safeguard their network and software. This company is now in the process of being acquired. While most of the work during this acquisition is likely to focus on employee retention and payouts, this is a perilous time for both companies. As soon as they issue the inevitable press release, threat actors will start probing their networks (if they are not already inside them) looking for vulnerabilities to exploit for access.
We have seen time and again that during mergers and acquisitions little to no thought is given to network security. Connectivity, email servers, file shares and the like are all given priority over installing the proper safeguards. Given the great number of unknowns when bringing two companies together, it is imperative to slow down and ask some basic questions:
- Have both networks gone through a breach assessment?
- Do both companies have documentation showing assets, approved software programs, network diagrams, change management processes and other policies?
- Is there a detailed and organized plan to bring the different networks online together?
- Have the CISO and the CRO/CRMO talked about the specific cyber risks involved?
This is not a simple "get our IT guys together and figure it out" exercise. There are likely two different sets of policies and two organizational cultures coming together. It will take time to sort out these differences and unify the organizations, and that makes this the perfect time for both IT teams to identify the security gaps in their networks.