In the business world, mergers and acquisitions are commonplace
as businesses combine, acquire, and enter various partnerships.
Mergers and acquisitions (M&A) involve complicated processes
for combining business operations, management, and a whole
slew of other aspects of two businesses into a single logical
entity.
In the modern business world, a new concern with M&A activities,
both before and after the acquisition, is cybersecurity. What role
does cybersecurity play in today’s mergers and acquisitions of
businesses? Why is it becoming a tremendous concern?
Cybersecurity threats are growing in leaps and bounds
There is no question that cybersecurity risks and threats are
growing exponentially. A report from Cybersecurity
Ventures[1] estimated a ransomware
attack on businesses would happen every 11 seconds in 2021. Global
ransomware costs in 2021 would exceed $20 billion.
It seems there are constantly new reports of major ransomware
attacks, costing victims millions of dollars. Earlier this year,
the major ransomware attack on Colonial Pipeline resulted in
disruptions that caused fuel shortages all over the East Coast of
the United States. It helped to show that ransomware attacks on
critical service companies can lead to real-world consequences and
widespread disruption.
This world of extreme cybersecurity risks serves as the backdrop
for business acquisitions and mergers. A Gartner report estimated
that 60% of organizations that were involved in M&A activities
consider cybersecurity a critical factor in the overall process.
In addition, some 73% of businesses surveyed said that a technology
acquisition was the top priority for their M&A activity, and
62% agreed there was a significant cybersecurity risk by acquiring
new companies.
Risks associated with Mergers & Acquisitions
What risks are associated with mergers and acquisitions? There
are several that include but are not limited to the following:
- Increased regulatory scrutiny
- Inherited cybersecurity risks
- Compromised accounts and passwords
- Lost or damaged customer confidence
- Data breaches in the acquired environment
Increased regulatory scrutiny
Compliance regulations, like cybersecurity, are growing more
complex and challenging for businesses. For example, regulators
scrutinize business deals, including mergers and acquisitions, in
line with the growing emphasis on data sovereignty and data
privacy.
From a cybersecurity perspective, businesses that merge or
acquire other organizations must make sure data compliance is a top
priority to prevent fines for non-compliance.
Inherited cybersecurity risks
Companies must realize that even if they have a robust
cybersecurity posture for their organization, the security dynamic
can completely change with mergers and acquisitions. As a result,
they inherit the cybersecurity challenges and issues of the
acquired business.
The acquiring company inherits existing vulnerabilities,
standards, risks, and cybersecurity liability as they assume
control of the new business.
Compromised accounts and passwords
As was the case with the Colonial Pipeline hack in May 2021,
compromised account passwords are often the culprit behind major
data breaches and ransomware attacks. As a result, businesses must
understand that immediately securing acquired accounts and
directory services and implementing breached password protection
is a priority.
Scanning the newly acquired environment for password
vulnerabilities, reused passwords, breached passwords, and other
password threats can help to quickly bolster the cybersecurity
stance of the acquired user account assets.
Businesses that have combined due to a merger or acquisition may
federate Active Directory accounts between them to access various
resources. Password synchronization between on-premises and cloud
directory services may also be in play. This further emphasizes the
need to strengthen password security as accounts are granted access
to additional business-critical resources.
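
The scan described above, as an added example (not part of the original article and not Specops code): it groups accounts from two directory exports by password digest to flag breached passwords, reuse within one domain, and reuse across the federated domains. The account names, passwords, and breached list are constructed, and SHA-256 stands in for whatever unsalted digest a real export contains.

```python
import hashlib
from collections import defaultdict

def _digest(password):
    # Stand-in for the unsalted digest found in a real export (assumption).
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed sample exports: (domain, account, digest). All names are made up.
EXPORTS = [
    ("ACQUIRER", "j.doe", _digest("Tr0ub4dor&3-river")),
    ("ACQUIRER", "svc-backup", _digest("Winter2021!")),
    ("TARGET", "jdoe", _digest("Tr0ub4dor&3-river")),   # same person, same password
    ("TARGET", "helpdesk1", _digest("Welcome1")),
    ("TARGET", "helpdesk2", _digest("Welcome1")),        # shared default
    ("TARGET", "cfo", _digest("correct-horse-battery")),
]
# Constructed breached-digest list (a real one comes from a breach corpus).
BREACHED = {_digest("Welcome1"), _digest("Winter2021!"), _digest("123456")}

def audit(exports, breached):
    """Group accounts by digest; flag breached, reused and cross-domain reuse."""
    breached = {d.lower() for d in breached}
    owners = defaultdict(list)
    for domain, account, digest in exports:
        owners[digest.lower()].append((domain, account))
    report = {"breached": [], "reused": [], "cross_domain": []}
    for digest, accts in owners.items():
        names = sorted(f"{d}\\{a}" for d, a in accts)
        if digest in breached:
            report["breached"] += names
        if len(accts) > 1:
            # Equal unsalted digests mean equal passwords.
            spans = len({d for d, _ in accts}) > 1
            report["cross_domain" if spans else "reused"].append(names)
    for key in report:
        report[key].sort()
    # Every flagged account goes on one remediation list for forced resets.
    flagged = set(report["breached"])
    for group in report["reused"] + report["cross_domain"]:
        flagged.update(group)
    report["must_reset"] = sorted(flagged)
    return report

if __name__ == "__main__":
    for key, value in audit(EXPORTS, BREACHED).items():
        print(key, value)
```
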
Lost or damaged customer confidence
Businesses must handle any merger or acquisition with care from a
customer perspective. Any misstep, including in handling
cybersecurity during an acquisition or merger, can lead to customer
mistrust and lost business.
Data breaches in the acquired environment
As mentioned earlier, a company that has merged with or acquired
another company inherits the cybersecurity challenges and
risks of the newly acquired environment. These risks include any
potential data breaches. Knowledge of a data breach event can even
stall or block a potential merger or acquisition once known. Data
breach events can also go undisclosed to prevent any issues with
the merger or acquisition.
Cybersecurity and compliance checklist for M&A
- Form an M&A cybersecurity team
- Review the target business cybersecurity posture
- Inventory all physical, digital, and data assets of the target
organization
- Revisit the risk assessment
- Engage a third-party security company
1 — Form an M&A cybersecurity team
Businesses often have excellent reasons for engaging in M&A
activity. However, as discussed thus far, it can lead to additional
cybersecurity risks. Forming an M&A cybersecurity team is a
great idea to accelerate addressing the cybersecurity tasks
involved with the M&A. This team may report to the CIO and
should undoubtedly include cybersecurity leaders found on the
security teams and key business leaders within the
organization.
This team will be directly responsible for formalizing the
reporting structure for addressing the cybersecurity risks
discovered with the M&A activity. The team will also help to
align the overall business on both sides for a consistent
cybersecurity posture.
2 — Review the target business cybersecurity posture
The M&A cybersecurity team mentioned above will be
instrumental in reviewing the target business cybersecurity
posture. The review of the target organization’s cybersecurity
landscape should include:
- A cybersecurity risk assessment
- Review of security policies and procedures
- Recent audit reports
- Any breach reports that have happened recently or in years
past
- Audit of accounts and account access permissions across the
organization
3 — Inventory all physical, digital, and data assets of the
target organization
To properly understand the cybersecurity risk involved with an
M&A of another organization, businesses must understand the
complete inventory of all physical, digital, and data assets.
Understanding and having a comprehensive inventory of these items
allows full disclosure of the cybersecurity risks involved.
4 — Revisit the risk assessment
Any M&A activity means an organization needs to revisit its
risk assessment. Even a recent risk assessment no longer holds, for
the reasons we have already covered (inherited cybersecurity
risk, any security or compliance challenges, etc.).
5 — Engage a third-party security company
The M&A cybersecurity team may include a wide range of
technical expertise with a wealth of experience in many
cybersecurity disciplines. However, even with talented team
members, organizations may opt to engage a third-party security
company with the technical and staffing resources to help with
cybersecurity discovery, remediation, combining security resources,
and many other tasks.
Quickly manage M&A password security during
Password and account security can be challenging to manage and
secure during a merger or acquisition of multiple companies.
Specops Password Policy[2]
provides organizations with tools to secure their native Active
Directory infrastructure and any other directory services they may
manage.
One of the blind spots with any merger or acquisition can be
weak, reused, or even breached passwords lurking as a hidden
cybersecurity threat. Specops Password Policy includes Breached
Password Protection, which provides continuous scanning and alerting
of any breached accounts found in the environment.
Organizations can quickly remediate any lax password policies
found in the target organization with Specops Password Policy. It
provides the following features:
- Multiple custom dictionary lists
- Breached Password Protection, protecting against over 2 billion
breached passwords. This protection includes passwords found on
known breached lists as well as passwords being used in attacks
happening right now
- Easily find and remove compromised passwords in your
environment
- Informative end-user client messaging that is intuitive during
password changes
- Real-time, dynamic feedback at password change with the Specops
Authentication client
- Length-based password expiration
- Customizable email notifications
- Block user names, display names, specific words, consecutive
characters, incremental passwords, and reusing a part of the
current password
- GPO-driven targeting for any GPO level, computer, user, or
group population
- Passphrase support
- Over 25 languages supported
- Use Regular Expressions for further password filter
customization
Specops Password Policy Breached password protection
By bolstering password security in target environments,
businesses can protect mergers and acquisitions from one of the
most common vulnerabilities leading to compromise. Learn more about
or start a free trial of Specops Password
Policy tools with Breached Password Protection[3].
References
- [1] report from Cybersecurity Ventures
(cybersecurityventures.com)
- [2] Specops Password Policy (specopssoft.com)
- [3] start a free trial of Specops Password Policy tools with
Breached Password Protection (specopssoft.com)
Read more https://thehackernews.com/2021/11/the-importance-of-it-security-in-your.html