Paint a Bull’s-eye on Me: Cyber Risks for Mergers
The CSO Newsletter recently published an important article, “Merging Firms Appealing Targets for Attackers.” The article strongly urges merging companies to conduct cyber-security due diligence and to assume that they are being targeted because of the merger activity. Firestorm most strongly agrees with these recommendations. But wait, there’s more.
First, the assumption that companies merging (or acquiring/being acquired) are being targeted by cyber bad guys is one hundred percent correct – it’s not an assumption, it’s a fact. Companies are being targeted whether or not they’re engaged in these activities. Mergers simply raise a big flag that says, “Yo, I’m vulnerable right now.”
That vulnerability requires not only due diligence but also in-depth planning to address the issues involved. These issues span a number of areas:
Cyber security is exceptionally complicated. There are a huge number of “moving parts” (well, they would be moving if they were mechanical and not digital). Two organizations will have different approaches, systems and tools across the entire cyber-security spectrum, and these differences, including policies addressing such things as Bring Your Own Device (BYOD) and password refresh schedules, must be reconciled. This brings us to the next issue – duration.
Reconciling the IT systems, including security, of two organizations is a big deal and cannot be completed overnight. Complete reconciliation may involve both software changes and hardware issues. It could even involve significant capital expenditures. The period between the beginning of the merger activity and the completion of this reconciliation is a period of major cyber-security vulnerability. This brings up the next issue – people.
The cyber-security-system (hardware and software) issues are complicated, but the associated people issues are complex.
Some people in both organizations are going to be resistant to any changes to the way they work – including changes in cyber security. This resistance may result in people-created security vulnerabilities as employees push back against or refuse to implement new or different security procedures. It’s important to recall that the root cause of almost two-thirds of cyber-security issues is people. The merging companies must develop and implement an effective strategy for involving all of the joined workforce in maintaining security before, during and after the merger activity.
Organizational mergers generate employee anxiety. That anxiety may result in additional security problems. Anxious people may become lax or forgetful. They may also plot revenge in the event they are laid off. Also, keep in mind that revenge is not necessarily cyber-related. It could include workplace violence or social media attacks. Plans should be developed and implemented to address these risks.
Finally, the likelihood that both organizations have identical cyber-breach response plans is zero. In fact, research indicates that the likelihood that they both even have cyber-breach response plans is very low. The merging companies should assume not only that they are targeted, but that they will be the victim of a cyber-breach. Reconciling and updating their cyber-breach response plans is critical and should be accomplished as quickly as possible.
Mergers have always been risky ventures. The digital age has added an entirely new dimension to the previously existing risks. Organizations must be prepared for those digital-age risks. Predict.Plan.Perform.®