While these glitches might be risky, they are not necessarily deal breakers as much as they are negotiation points. Being informed about the security programs of the acquiring company or company being acquired can help to mitigate some risks, but as enterprises work through the M&A process, new and unexpected threats may arise.
Robinson said, “Going into the next stages of M&A you are introducing more risk to the work force which could result in an internal adversary who isn’t in support of the acquisition.” Security leaders usually are not part of these discussions, but Robinson suggested that they should be to the extent that it is possible.
Again, due diligence means looking at every potential risk, so knowing the normal attrition rate of the other company will help a security team focus on the potential of internal threats once the word gets out.
According to Robinson, a top concern for executives post-merger is over-communication. “Keep in mind that employees are not always going to feel as excited about a corporate deal as the executives. The goal for the security team is to reduce the amount of internal threats you have,” said Robinson.
Assessing security risks in M&A
Mergers and acquisitions can pose unforeseen risks to the security of an enterprise.
Here are five things IT professionals and corporate executives can do to keep security top of mind and data protected as they advance through the stages of M&As.
- Understand how the M&A will impact corporate culture and business values. Anticipating changes in culture means planning for how to deal with those changes, which will help to minimize internal threats.
- Rely on third-party assistance to work through the process. Sometimes it is possible to include an internal security professional in the early stages of M&A discussions, but if that’s not possible, use a third party.
- Use M&A counsel and security partners throughout the integration process. This is especially important in determining what will be the optimum blend of security programs to serve the needs of the enterprise.
- Avoid changes in behavior. Social media can often give early indications of M&A activity, and the negotiating team often works on the assumption that no one else knows what is going on.
- Communicate with compassion internally and externally. Understanding the anxiety that will inherently arise from employees who are concerned about layoffs is critical in minimizing.
Gary Alterson, senior manager for consulting services at Cisco, agreed that internal threats present a security challenge for enterprises going through M&As. “The relevance and volume and risk posture in terms of internal threats differs depending on the type of the business.”
Employees of smaller organizations might not feel as threatened as those in larger companies.
Sign up for CIO Asia eNewsletters.