May 26, 2016 By Larry Loeb 2 min read

When two organizations merge, participants may be focused on the operational challenges of integrating two different computer systems. While this is an important area of focus, there are other merger considerations that should be top of mind — namely, the systems’ security.

There are many factors to assess in this area, although many are not obvious. While each of the systems used by the businesses may function just fine by themselves, how they interact may cause unexpected security flaws.

Basic Merger Considerations

The due diligence necessary for a merger to succeed cannot be treated lightly. An audit team must go beyond simple checklists and dig into the specifics of the situation.

For example, a checklist security approach might ask whether certain data is encrypted, and a positive response would be satisfactory. A deeper audit will find out how it is encrypted, where the encryption starts and ends in the process and how it is verified operationally. The specifics of how things happen in a system is crucial to determining how things will function after the merger is complete.

Simply enumerating the risks that may be present in both systems is not enough. Those risks must be mitigated before the two networks are connected, but risks that may evolve after the fact must be considered as well. What is secure in separate systems may not be secure after the two are connected; the details and the specifics will matter a great deal.

The ways that each organization uses information should also be addressed. What is OK for one party may not pass muster with the other. This includes not just technology, but the culture regarding data use and security. Acceptable activities and access levels have to be compatible or there will be problems aplenty.

While a security audit is usually not a deal breaker, the actual costs of a merger can be directly affected by its findings. It’s always best to know what costs must be endured to complete a deal.

Don’t Forget Third-Party Contracts

Third-party contracts must also be examined. What services are now being provided? How will a merger affect them? Will the third-party SLA need to be renegotiated? Will the cost of the services change?

These and other similar points must be evaluated since they can directly affect the costs associated with the merger.

Personnel Can Be a Risk, Too

Personnel in administrative or sensitive positions that work with computer systems should have their credentials validated. A background check should also be performed to determine whether those employees pose a potential risk.

If the merger might involve laying off personnel with system access, the possibility of revenge or sabotage must be entertained. Upper-level management is responsible for preventing these actions from malicious insiders. They need to proactively mitigate any weak areas of security that could be exploited.

Look to the Past

Acquirers must learn whether there have been past breaches that were not made public. If so, what information was compromised? The acquiring company takes on responsibility for that data — and this may pose a significant cost, especially when dealing with personally identifiable information. Such situations may lead to costly lawsuits that occur post-merger.

Mergers can be fraught with problems. Thinking about cybersecurity from the beginning and through all steps helps avoid problems that might derail a positive outcome.

More from Risk Management

Working in the security clearance world: How security clearances impact jobs

2 min read - We recently published an article about the importance of security clearances for roles across various sectors, particularly those associated with national security and defense.But obtaining a clearance is only part of the journey. Maintaining and potentially expanding your clearance over time requires continued diligence and adherence to stringent guidelines.This brief explainer discusses the duration of security clearances, the recurring processes involved in maintaining them and possibilities for expansion, as well as the economic benefits of these credentialed positions.Duration of security…

Remote access risks on the rise with CVE-2024-1708 and CVE-2024-1709

4 min read - On February 19, ConnectWise reported two vulnerabilities in its ScreenConnect product, CVE-2024-1708 and 1709. The first is an authentication bypass vulnerability, and the second is a path traversal vulnerability. Both made it possible for attackers to bypass authentication processes and execute remote code.While ConnectWise initially reported that the vulnerabilities had proof-of-concept but hadn’t been spotted in the wild, reports from customers quickly made it clear that hackers were actively exploring both flaws. As a result, the company created patches for…

Researchers develop malicious AI ‘worm’ targeting generative AI systems

2 min read - Researchers have created a new, never-seen-before kind of malware they call the "Morris II" worm, which uses popular AI services to spread itself, infect new systems and steal data. The name references the original Morris computer worm that wreaked havoc on the internet in 1988.The worm demonstrates the potential dangers of AI security threats and creates a new urgency around securing AI models.New worm utilizes adversarial self-replicating promptThe researchers from Cornell Tech, the Israel Institute of Technology and Intuit, used what’s…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today