Light Dark
August 2, 2017 By Kelly Ryver 3 min read
Risk Management

With all the industry studies, articles and literature related to insider threats, it is baffling to see that very few have focused on how insider threats are acquired — in fact, paid for — during a merger and acquisition process. Organizations are so fixated on driving profits and staying competitive that they gobble up any tangible asset they can. Companies are more likely to begin a merger or acquisition first and worry about the insider threat risk later. This is not a sustainable business practice.

To compound the problem, too many companies are using risk management as a substitute for solid internal security audits that identify problems before the merger or acquisition is initiated. Businesses assume they can manage any risks they might encounter after the merger or acquisition is complete, so they proceed to buy, assimilate and then sell off various parts. These organizations give little, if any, thought to the information security program and controls — specifically, whether the target of the merger or acquisition has those controls at all, and if they do, how effective they are.

Some Food for Thought

Information security consultants with risk management expertise commonly see one of the following two scenarios today, if not both within one environment.

Scenario One

Company A spends years gobbling up smaller companies in an effort to stay competitive and boost profits. Some of these companies are integrated, while others are resold to someone else. Over the course of these acquisitions, a federal government or regulatory audit is completed to determine fiscal liabilities, financial stability, financial solvency, etc. At the conclusion of the audit, Company A is informed that it has failed due to lack of:

  • A defined process for managing the full spectrum of information security responsibilities;
  • Standards;
  • Policies;
  • Procedures;
  • Governance; and
  • A fully defined risk assessment process that leads to a risk management process.

Finally, the company is informed that it must get its regulatory act together within a specified period of time.

Scenario Two

Company A undergoes an independent information security audit as part of its annual or biannual requirement for staying operational or reporting up to a regulatory authority. The company fails the independent audit due to lack of one or more of the following:

  • An information security program (top to bottom);
  • A fully defined risk assessment process that leads to a risk management process;
  • Standards;
  • Policies;
  • Procedures;
  • Governance;
  • Security controls; and
  • Defined roles and responsibilities within the environment.

For both of these scenarios, Company A ends up scrambling to find one or more information security firms that can provide experts in various fields to sort out the big mess, a process that could take up to five years. Meanwhile, insider threats are lurking in the network.

The Big Picture

Many companies don’t realize that it is possible — and much easier — to conduct independent audits when merging with or acquiring another organization. It’s just like buying a new home: Individuals should always have the property inspected before singing on the dotted line.

Another point that companies often miss is that a risk assessment process must exist before a risk management program can be implemented. Too many organizations try to manage risk without knowing what to look at, what to look for, how to rate it, how to apply metrics or which metrics make sense.

But risk management is no substitute for good information security practices. Do not bypass building an information security program in favor of accepting or mitigating every risk that will rear its head.

Finally, it is much easier to build the entire information security program from the top-down (or bottom-up) the right way the first time. The alternative is to piecemeal it, fail a first audit, take a step back to fix one issue, piecemeal some more, fail a second audit, take another step backward and so on.

Practical Advice for Spotting Insider Threats

Companies should follow a few best practices when considering merging with or acquiring another organization. Begin by taking a long, objective look at what is being acquired and why. Ask yourself what an insider would potentially stand to gain by compromising the network.

Next, examine all the security controls in place using an expert or team of experts. Investigate the individuals that will most likely be assimilated into the new environment, and never assume that routine or annual background checks were done or done the right way.

Be very suspicious of any company that mysteriously pops up and offers to perform an internal audit, especially using automated tools. Insider threats have friends just like the rest of us. Also, be wary of any and all hardware or data that vanishes or becomes lost during a merger or acquisition. Such cases warrant a thorough investigation.

Finally, hire a third-party risk assessment firm to examine the environment before the merger is started. Do the same before the transaction is complete, money has exchanged hands and all parties have signed on the dotted line.

Listen to the podcast series: Take Back Control of Your Cybersecurity Now

 |  |  |  | 
Kelly Ryver
Management and Strategy Consultant, IBM

More from Risk Management
April 24, 2024

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

April 17, 2024

What should Security Operations teams take away from the IBM X-Force 2024 Threat Intelligence Index?

3 min read - The IBM X-Force 2024 Threat Intelligence Index has been released. The headlines are in and among them are the fact that a global identity crisis is emerging. X-Force noted a 71% increase year-to-year in attacks using valid credentials.In this blog post, I’ll explore three cybersecurity recommendations from the Threat Intelligence Index, and define a checklist your Security Operations Center (SOC) should consider as you help your organization manage identity risk.The report identified six action items:Remove identity silosReduce the risk of…

April 16, 2024

Obtaining security clearance: Hurdles and requirements

3 min read - As security moves closer to the top of the operational priority list for private and public organizations, needing to obtain a security clearance for jobs is more commonplace. Security clearance is a prerequisite for a wide range of roles, especially those related to national security and defense.Obtaining that clearance, however, is far from simple. The process often involves scrutinizing one’s background, financial history and even personal character. Let’s briefly explore some of the hurdles, expectations and requirements of obtaining a…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature