Originally posted on October 14, 2020 @ 4:50 pm
In my professional career, I’ve seen several mergers and acquisitions from the inside. Whether it was from the acquiring company or acquired, as an individual contributor, manager or executive, each had one thing specifically in common: it was the most dangerous time for both organizations’ information and data. Long before any public announcement, there are a lot of moving parts to make the M&A happen, Leadership from both companies, IT professionals and security for both companies are directly involved. Then there are all the people unofficially “in the loop” who happen to be connected directly to the pulse of the companies. After the announcement, there are the usual suspects interested in the announcements, competitors, bankers, lawyers, etc. But in addition, to the legitimate and expected interested parties, hackers are paying attention to any changes to your organization.
Managing risk during M&A activities can be a full time job. There are many factors and motivations to consider, not to mention the rapidly changing environment as two different companies and cultures collide. Step usually taken to minimize or reassign risk are signing non-disclosure agreements (NDA), implementing corporate communication firewalls (not the network device), and insurance. There are many threats associated with an M&A, some external, other’s internal, some risks you’ll just have to accept, other’s you can take steps to mitigate or eliminate. In addition to mitigation, there are ways to significantly reduce certain internal risks associated with the M&A activity.
Internal threats are those within an organization, and can be looked at in two broad categories, unintentional and intentional. The intentional threats are no different than what might be included in a typical insider threat program and under normal operating procedures so I’ll not address them here. The unintentional threats primarily occur through poor or limited communications. The unique environment created by M&A makes your organization ripe for phishing and social engineering attacks. Generally, people are unsure of who’s in charge, who has organizational authority, and where responsibility lies. This uncertainty, creates an opportunity for attackers to use various attack vectors to compromise your new company.
Given the complexities, uncertainties and issues surrounding information security during an M&A, there are some practical solutions that can make a significant impact to these internal threats.
- Publish the high level corporate structure as soon as possible. The sooner your employees understand at least the high level structure, the faster they will understand who should have information and where corporate authorities lie.
- Establish a process for validating requests by the transition team and senior leadership. Any requests for PII, money transfers or other corporate decisions should be validated by multiple methods, E-mail, phone, face to face, etc. No single communication should trusted.
- NEVER use an e-mail or phone number that isn’t validated through the corporate Global Address List (GAL) or directory to provide any corporate data. A common practice is to request the victim to call the hacker on a different number to validate the request, giving the victim a false sense of security.
- Train your employees to question all visitors to your facilities, work with security to issue badges for all new employee’s immediately. It is too easy for an attacker to impersonate an employee of the partner company and wander around the new office, asking questions, getting printouts and files.
Remember, during M&A everyone is nervous, people worry about their jobs, they are trying to impress their new management or just save their jobs. This nervousness can lead to mistakes or major data breaches. Keep vigilant, communicate across the organization and establish rules to validate requests and you can avoid some of the most common pitfalls of data protection during a merger or acquisition.
Very sound advice. I especially love it when the folks in the know try to act like its business as usual when all hell is breaking loose. That’s usually when the pepto comes out. Also when the threat is the highest. Nice job on the post.
Thanks, I appreciate it.
Well said. If history has taught us anything, having well documented process and procedures from the beginning goes a long way to in preventing unnecessary confusion. It may also help in stopping unintentional internal threats. I can’t stress enough the need to have in place these processes and procedures from the beginning not after the fact. Enjoy reading your posts.