When companies reorganise or are brought closer together through merger or acquisition, the primary focus will nearly always be on the financial and legal aspects of the process, and questions over security are usually low down on everyone's list of priorities.
More often than not we all – company employees and customers alike – tend to assume security will simply ‘adapt’ when these moves and changes take place.
However, businesses need to be aware of the huge range of headaches that can occur, and the increased potential for catastrophic data loss or theft – which could have a direct impact on brand reputation, customer satisfaction, and, ultimately, your bottom-line.
In the case of a reorganisation, merger, or acquisition, companies need to tread carefully and put security near the top of the agenda from the earliest possible stage of the process.
So what can be done?
Rather like ensuring that your home is able to endure all weathers, there is a need to start with the foundations – check they are secure, and continue to re-check them regularly.
With regard to data security, this means knowing exactly what data you have, classifying it into tiers, and creating a clear policy for each tier, with each tier assigned to a specific individual. Once such a policy is in place, the individual responsible needs to ensure it is regularly reviewed and certain data re-classified, which will mean that its access rights must be amended.
With a policy in place and an ‘owner’ appointed, all levels of reorganisation can be handled with the appropriate and necessary care – or at least far more effectively than normally occurs.
A single staff reassignment may seem insignificant, but even this must be handled with care. At the most basic level, staff are constantly moving within an organisation. The policy needs to cope with such changes and make sure that an individual's need for, and access to, specific data is reassessed and changed appropriately.
The need for transparency
But beware! If the policy is not clearly understandable, simple, and relatively easy to implement, it may not be accepted by everyone. Some staff who have been reassigned will find ways round their new privileges – most notably by saving data on mobile devices such as phones and laptops. A relatively innocent attempt on their part to hang onto data can in fact be the first step towards a significant security breach.
However, the time wasted explaining and clarifying policy can be reduced if a clear policy is in place beforehand, with high-level support from Human Resources and senior management. In this way, staff will be able to refer to the policy themselves, and also to anticipate changes that will be enforced.
A joint solution
When the likes of ‘Mega Corp’ merges with ‘Global Domination Inc’, you can be sure there will be those who are worried about facing job cuts. Less noticeable, however, is that an effective security policy can be another – albeit silent – casualty of these shifts.
Wise heads realise that huge reorganisations are often a real headache for security, not least as the dominant player will nearly always try to impose their own security policy on the smaller of the two companies.
Yet, from experience, we know that policy imperialism like this will lead to resistance, and, worse still, non-compliance. Staff from the smaller of the two companies will be wary and defensive at the best of times; and being told their current security policy is redundant will lead to increased suspicions and perhaps distrust – an atmosphere that can have very serious consequences for a newly-merged company.
The only answer is a hybrid policy that takes the best practices from both organisations, based on a clear and realistic understanding of the new situation. Such hybrid policies – with regular reviews – invariably get better buy-in, and better stand the test of time.
Just as builders are still happy to build on flood plains, some organisations are still happy to ignore the warnings, preferring to deal with the consequences. But security should not be reactive, and should be built into mergers, acquisitions and reorganisations from the very start. It should be policy-driven as a result of careful analysis and on-going review.
Contributed by Paul Bonner, head of engineering at Hardware.com.