Transparency is key. Acquisition targets
should be evaluated with the same rigour
as any external supplier to the business.
What security policies do they have in
place? How are staff certified or vetted?
What industry standards do they comply
with? Always dig deep and work through
all prior cybersecurity incidents, including
successful and attempted data breaches.
Understand how such incidents were
responded to. Only then can all parties
be sure they are adequately covered for a
safe and secure union. Not knowing about
or understanding previous and extant
security compromises is a major risk.

Consider information use in a post-
GDPR world. It is more important than
ever to fully grasp the extent to which
a selling company gathers and uses
personal information. This is especially
true for customer-focused and highly
sensitive proprietary data. Make sure
all commitments and representations
made by the selling company to
customers in relation to privacy and
the handling of personal information are reviewed.
www.intelligentciso.com | Issue 11
Depending on the residency of the
customer, there is a strong probability
that business security policies must
be aligned with the EU General Data
Protection Regulation (GDPR), as well
as the laws of the country the data is
held in. It is particularly important to
determine if additional consents are
needed after merger or acquisition
activity. Past failings or a poor network
management history can now result in
significant fines.

Appoint someone to oversee IT
infrastructure alignment. Waste no
time in ascertaining the reach and
limitations of both parties’ existing
security programs. Once the deal
has been concluded and the relevant
documentation signed, it is crucial
to appoint someone to oversee IT
infrastructure alignment. Understanding
the network, system architecture and
data flows of both companies is key
to avoiding headaches further down
the line. The process should entail
considering what sensitive data is
being held, where it exists and ensuring
adequate measures are in place
to protect it. At every juncture, it is
essential to remind all staff to exercise
caution when it comes to data privacy
and cybersecurity.

Planning ahead

There is no getting around it. Hackers
typically view mergers and acquisitions
as a prime opportunity for exploits.
A lot of variables are at play and in
transition. Attack surfaces instantly
widen and oversights become blurred
as organisations suddenly sprawl off in
new directions.

Cybersecurity should always be
prioritised from the outset. A long-term
plan with buy-in from both
businesses is vital. It is important to
act quickly and pressure will be on
for business to commence. It is all
too easy to become apathetic to, for
example, the complexities of reviewing
and consolidating security tools and
practices across entire application
portfolios. Getting buy-in for thorough
cybersecurity reviews across both
businesses from day one can be tough
but it is the only safe way ahead.