Cyber-security in M&As: Managing the risk of network integration
We have recently witnessed a flurry of M&A deals, record-breaking in fact, with over £1.27 trillion of global mergers and acquisitions announced this year, compared to some £750 billion during the same period in 2017, according to Thomson Reuters Deals Intelligence. While this is a cause for celebration across many boardrooms and financial advisory firms, it does pose challenges for the CISOs and CIOs involved.

When two businesses are combined, it's not only bank accounts and groups of employees that are merging. It also means the integration of thousands of IT assets and systems onto a single, hybrid network. When bringing on new assets or devices there is the additional worry of unknown cyber-risks, and that's before taking into account other complicating factors such as legacy systems or contrasting IT guidelines and security policy. 

It is crucial for the board of directors to be aware of these security concerns, as they can affect the bottom line and possibly the merger itself. So, is it possible to de-risk the cyber aspects of your merger? Whilst it is a challenge, there are a few key ways organisations can strengthen their network security and implement effective risk management. 

The first port of call: your CISO

To manage the cyber-security challenges surrounding an M&A deal, businesses need to get their CISO on board and involved in the negotiations at an early stage, so that potential problems are mitigated rather than discovered late. The CISO is best placed to inform the board of the regulatory, security and compliance issues that may cause headaches, or even breaches, down the road. Early CISO participation also helps control risk, smooth the flow of the entire M&A procedure, and avoid last-minute security issues that could stall the deal.

Next, ensure you have complete network visibility 

Merging IT systems can be extremely complicated, and the risks shouldn't be underestimated. The best way to identify those potential risks is by gaining comprehensive visibility of the attack surface and fully assessing the network's vulnerabilities and security weaknesses. A decade ago, Lloyds TSB and HBOS merged in one of the largest deals in UK corporate history. In that scenario, their IT teams had to get to grips with two networks at once and secure them as soon as possible.

The IT teams involved in the merger needed to recognise their specific networks as separate entities, so they could then develop a plan for how to combine them. Covering 2,000 branches, 75,000 full-time staff and millions of customers, this was a daunting task. They also had to evaluate and risk-assess the resultant network that would emerge as a result of combining the two existing ones. This new network contained almost 200,000 endpoints and had its own set of unique vulnerabilities which didn't necessarily exist in the two original networks.  

The only way to understand this level of complexity is by harnessing network visibility. Organisations involved in a merger or acquisition must be aware of the entirety of their firm's IT systems and security controls. This means gathering data from many disparate databases with information on the assets, network topology, security controls, vulnerabilities and threats within the network. No matter the size of the firms being unified, an accurate understanding of both the asset and network layers is imperative to assessing risk and mitigating security weaknesses that could result in a breach.  

It's not an easy task. Today's networks are continuing to increase in scale and complexity, which makes it extremely difficult for enterprises to keep track of everything within those networks — especially when they are distributed globally or extend into the cloud. 

For example, a single global enterprise is likely to hold asset information in multiple databases that don't talk to each other, such as CMDBs, patch management systems, or even homegrown databases. By employing automation, however, it is possible to collect and merge the data from these varied sources into a single, comprehensive record. Automation can also be used to ingest data on the network infrastructure and security controls in place, as well as vulnerabilities and security weaknesses, risky access rules and device misconfigurations.
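As an added illustration of the merging step described above (this is example code written for this page, not Skybox Security's product or any code from the author), the script below reconciles two constructed inventories with different schemas: an acquirer's CMDB export and an acquired company's patch-management export. Hostnames are normalised into a shared key, records are merged into one asset view, and the result is queried for the three things an integration team most wants to know early: assets visible in only one source (a visibility gap), assets with outstanding patches, and IP addresses claimed by more than one host (a typical sign of overlapping private address space between the two companies). All hostnames, addresses, patch identifiers and field names are constructed assumptions.

```python
"""Merge two differently-shaped asset inventories into one unified record set.

Added example for this article; sources, schemas and values are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

# Constructed sample: acquirer's CMDB export (note mixed-case hostnames).
CMDB_EXPORT = [
    {"hostname": "WEB-01.corp.example", "ip": "10.1.0.10", "os": "Ubuntu 18.04", "owner": "web-team"},
    {"hostname": "db-01.corp.example", "ip": "10.1.0.20", "os": "RHEL 7", "owner": "dba"},
    {"hostname": "vpn-gw.corp.example", "ip": "10.1.0.1", "os": "Junos", "owner": "netops"},
]

# Constructed sample: acquired company's patch-management export (different field names).
# Patch identifiers are placeholders, not real advisories.
PATCH_EXPORT = [
    {"name": "web-01.corp.example", "addr": "10.1.0.10", "missing_patches": ["PATCH-PLACEHOLDER-1"]},
    {"name": "legacy-erp.acq.example", "addr": "192.168.5.7", "missing_patches": ["PATCH-PLACEHOLDER-2", "PATCH-PLACEHOLDER-3"]},
    {"name": "db-01.corp.example", "addr": "10.1.0.20", "missing_patches": []},
    # Acquired company also uses 10.1.0.0/24: same IP as the acquirer's web server.
    {"name": "intranet.acq.example", "addr": "10.1.0.10", "missing_patches": []},
]

ALL_SOURCES = frozenset({"cmdb", "patch"})


@dataclass
class Asset:
    """One unified asset record built from whichever sources know about it."""
    key: str
    sources: Set[str] = field(default_factory=set)
    ips: Set[str] = field(default_factory=set)
    os: Optional[str] = None
    owner: Optional[str] = None
    missing_patches: List[str] = field(default_factory=list)


def normalise(hostname: str) -> str:
    """Shared join key: lowercase, trimmed, without a trailing dot."""
    return hostname.strip().lower().rstrip(".")


def merge_inventories(cmdb_rows, patch_rows) -> Dict[str, Asset]:
    """Fold both exports into a single dict keyed by normalised hostname."""
    assets: Dict[str, Asset] = {}
    for row in cmdb_rows:
        a = assets.setdefault(normalise(row["hostname"]), Asset(normalise(row["hostname"])))
        a.sources.add("cmdb")
        a.ips.add(row["ip"])
        a.os, a.owner = row["os"], row["owner"]
    for row in patch_rows:
        a = assets.setdefault(normalise(row["name"]), Asset(normalise(row["name"])))
        a.sources.add("patch")
        a.ips.add(row["addr"])
        a.missing_patches.extend(row["missing_patches"])
    return assets


def visibility_gaps(assets: Dict[str, Asset]) -> List[str]:
    """Assets that at least one source does not know about."""
    return sorted(k for k, a in assets.items() if a.sources != ALL_SOURCES)


def unpatched(assets: Dict[str, Asset]) -> List[str]:
    """Assets with outstanding patches according to the patch source."""
    return sorted(k for k, a in assets.items() if a.missing_patches)


def ip_conflicts(assets: Dict[str, Asset]) -> Dict[str, List[str]]:
    """IP addresses recorded against more than one hostname (overlapping address space)."""
    by_ip = defaultdict(set)
    for a in assets.values():
        for ip in a.ips:
            by_ip[ip].add(a.key)
    return {ip: sorted(keys) for ip, keys in by_ip.items() if len(keys) > 1}


if __name__ == "__main__":
    merged = merge_inventories(CMDB_EXPORT, PATCH_EXPORT)
    print("visibility gaps:", visibility_gaps(merged))
    print("unpatched:", unpatched(merged))
    print("ip conflicts:", ip_conflicts(merged))
```

In a real integration the two exports would come from API pulls or scheduled CSV drops rather than inline lists, and the join key would usually need more than a hostname (MAC address, cloud instance id, or serial number) because the same device is often named differently in each system; the gap, patch and address-conflict queries stay the same once the records share a key.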

Having all this information in a central repository is critical for gaining visibility of the attack surface and ensuring that all stakeholders are conscious of the risks posed by bringing together two different companies. 

Don't forget about compliance 

GDPR is now here and it brings with it an obligation to demonstrate compliance. Even beyond GDPR, cyber-security regulations are on the rise globally, including industry-specific regulations. Businesses put themselves at risk of massive fines if they combine networks without being able to validate that the correct processes are in place to ensure adherence to these new regulations. Given that M&As are generally time critical, it is vital that organisations are able to quickly set up the appropriate monitoring, auditing and reporting processes on new networks, so they can demonstrate compliance with external (and internal) policy and avoid financial penalties.

Prioritising cyber-security throughout the M&A process is no longer optional, because not doing so means risking a cyber-incident that could directly impact negotiations, stall progress, or compromise the new entity financially or reputationally. CISO involvement and comprehensive network visibility are the starting points, the foundation for successfully integrating disparate networks. With this foundation, security teams are better prepared to manage risk, even as the network continues to evolve, with the ultimate goal of achieving a compliant and secure computing environment across the enterprise.

Contributed by Justin Coker, vice president EMEA, Skybox Security.

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.