Enterprises going through mergers and acquisitions reap the benefits of new products and other assets, but they also acquire all of the threat vectors that have been targeting the other organization. In addition, new internal threats can arise, as employees often fear for their job security when they learn of M&A deals.
2015 has been a year of abundant changes for many enterprises, from private equity firms to telco companies.
Trustwave, which announced the completion of its acquisition by Singapore Telecommunications Limited (Singtel) in late August, had itself acquired many companies in the past.
Steve Kelley, senior vice president of product and corporate marketing at Trustwave, said, “From an M&A perspective, I’ve never seen the industry as hot as it is today. One of the key reasons is that security has gone from being an IT risk to really a business risk, and that is what is driving a lot of the M&A activity.”
Businesses are beginning to understand that despite increased risks and growing threat vectors there is no perfect security. Kelley said, “We see risks shifting from IT to business risks. Irrespective of M&A, the greatest concern is data security. An attack on a company is not going to cause issue until some type of data is compromised.”
The goal of many mergers and acquisitions, Kelley said, “is protecting organizations against sensitive data loss, whether it’s credit card data, customer data, or intellectual property.”
Enterprises around the world and across industries have been engaging in mergers and acquisitions in pursuit of growth and development, but they have also had to deal with unexpected security concerns.
James Robinson, director, risk and threat management, Optiv, said, “It’s important to break a merger down into a couple different pieces.” Doing due diligence before engaging in conversations means asking the right questions.
Robinson said, “Companies should be asking, ‘What is their security program? How do they operate? Is it a good program or a security facade?’” These questions should be at the forefront of any acquisition conversation in order to avoid issues after a deal has closed.
When investigating the security program of an enterprise they might acquire, “Companies should be looking at the way that the operations exist, the documentation they have, their implemented policies and procedures, whether they have gone through their own certification process, and whether they’ve been validated by a third party,” said Robinson.
Knowing the difference between a good security program and a facade will help the acquiring company to identify the wrinkles and gaps in security. “If there is no security leader, no updated procedures, or they don’t have a program that is all encompassing, these are leading indicators that it’s more of a risk,” said Robinson.