May 26, 2016 By Larry Loeb 2 min read

When two organizations merge, participants may be focused on the operational challenges of integrating two different computer systems. While this is an important area of focus, there are other merger considerations that should be top of mind — namely, the systems’ security.

There are many factors to assess in this area, although many are not obvious. While each of the systems used by the businesses may function just fine by themselves, how they interact may cause unexpected security flaws.

Basic Merger Considerations

The due diligence necessary for a merger to succeed cannot be treated lightly. An audit team must go beyond simple checklists and dig into the specifics of the situation.

For example, a checklist security approach might ask whether certain data is encrypted, and a positive response would be satisfactory. A deeper audit will find out how it is encrypted, where the encryption starts and ends in the process and how it is verified operationally. The specifics of how things happen in a system is crucial to determining how things will function after the merger is complete.

Simply enumerating the risks that may be present in both systems is not enough. Those risks must be mitigated before the two networks are connected, but risks that may evolve after the fact must be considered as well. What is secure in separate systems may not be secure after the two are connected; the details and the specifics will matter a great deal.

The ways that each organization uses information should also be addressed. What is OK for one party may not pass muster with the other. This includes not just technology, but the culture regarding data use and security. Acceptable activities and access levels have to be compatible or there will be problems aplenty.

While a security audit is usually not a deal breaker, the actual costs of a merger can be directly affected by its findings. It’s always best to know what costs must be endured to complete a deal.

Don’t Forget Third-Party Contracts

Third-party contracts must also be examined. What services are now being provided? How will a merger affect them? Will the third-party SLA need to be renegotiated? Will the cost of the services change?

These and other similar points must be evaluated since they can directly affect the costs associated with the merger.

Personnel Can Be a Risk, Too

Personnel in administrative or sensitive positions that work with computer systems should have their credentials validated. A background check should also be performed to determine whether those employees pose a potential risk.

If the merger might involve laying off personnel with system access, the possibility of revenge or sabotage must be entertained. Upper-level management is responsible for preventing these actions from malicious insiders. They need to proactively mitigate any weak areas of security that could be exploited.

Look to the Past

Acquirers must learn whether there have been past breaches that were not made public. If so, what information was compromised? The acquiring company takes on responsibility for that data — and this may pose a significant cost, especially when dealing with personally identifiable information. Such situations may lead to costly lawsuits that occur post-merger.

Mergers can be fraught with problems. Thinking about cybersecurity from the beginning and through all steps helps avoid problems that might derail a positive outcome.

More from Risk Management

New Fakext malware targets Latin American banks

6 min read - This article was made possible thanks to contributions from Itzhak Chimino, Michael Gal and Liran Tiebloom. Browser extensions have become integral to our online experience. From productivity tools to entertainment add-ons, these small software modules offer customized features to suit individual preferences. Unfortunately, extensions can prove useful to malicious actors as well. Capitalizing on the favorable characteristics of an add-on, an attacker can leverage attributes like persistence, seamless installation, elevated privileges and unencrypted data exposure to distribute and operate banking…

Why federal agencies need a mission-centered cyber response

4 min read - Cybersecurity continues to be a top focus for government agencies with new cybersecurity requirements. Threats in recent years have crossed from the digital world to the physical and even involved critical infrastructure, such as the cyberattack on SolarWinds and the Colonial Pipeline ransomware attack. According to the IBM Cost of a Data Breach 2023 Report, a breach in the public sector, which includes government agencies, is up to $2.6 million from $2.07 million in 2022. Government agencies need to move…

Back to basics: Better security in the AI era

4 min read - The rise of artificial intelligence (AI), large language models (LLM) and IoT solutions has created a new security landscape. From generative AI tools that can be taught to create malicious code to the exploitation of connected devices as a way for attackers to move laterally across networks, enterprise IT teams find themselves constantly running to catch up. According to the Google Cloud Cybersecurity Forecast 2024 report, companies should anticipate a surge in attacks powered by generative AI tools and LLMs…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today