This year has seen its fair share of mega M&A deals, particularly in the tech space, where SoftBank completed a £19.3 billion (US$24 billion) deal to acquire ARM, Microsoft bought the professional social media network LinkedIn for £21 billion (US$26.2 billion), and Dell completed a £48 billion (US$60 billion) deal to acquire EMC Corp.
While the priority for the acquiring company will be to ensure that the purchase makes sound business sense, security shouldn't be an afterthought. After all, the last thing a business would want is to have its latest acquisition hit by a ransomware attack or stung by a DDoS assault. Or, in the case of Yahoo/Verizon, to have an old undisclosed major data breach waiting to be made public just as a £3.9 billion (US$4.8 billion) deal was being announced.
Nevertheless, a 2014 survey by law firm Freshfields Bruckhaus Deringer found that 78 percent of dealmakers said that cyber-security was not a risk that was analysed in depth or dealt with in deal due diligence, even though 83 percent believed a deal could be abandoned if cyber-security breaches were identified during due diligence or mid-transaction.
Andy Wilton, chief information officer at Claranet, says businesses will not, and should not, think of security as the absolute priority when it comes to M&A. But after overseeing more than 14 acquisitions, he suggests that companies that may not have had the opportunity to do all of their security due diligence well ahead of the acquisition going through should ‘departmentalise’ the issues, so that they can be tackled at a pace that makes sense to the business.
By acquiring a new company, a business is in effect broadening its attack surface. But this doesn't necessarily mean that the acquiring firm is familiar with security issues that the firm it is acquiring has to deal with on a day-to-day basis.
Nathan Dornbrook, CTO of ECS, compares a company's risk appetite to the ‘bear in the woods’ theory. The theory involves three different types of people going into woods where they know there is a bear: one person goes in with just a stick, another with a bow and arrow, and a third with bear traps and a high-powered rifle. All three are likely to go in with different levels of confidence and different agendas.
“These are the differences we can see in different organisations; they have different capabilities of managing risks and as a result they treat their infrastructure differently,” he says.
Much of the time this is determined by the maturity of an organisation; the general assumption being that a larger company that is acquiring will be more mature than the firm that it has acquired. Start-ups may, for example, have a blasé attitude to security compared to a FTSE 500 company.
Selecting a secure solution
From an information security standpoint, one of the first areas that the companies would have to consider is their IT security portfolio. There is likely to be an overlap of security solutions between the two companies and they will have to make a decision on whether to stick with two separate solutions which effectively do the same thing, or pick one to implement across the entire organisation.
According to Andy Boura, senior information security architect at Thomson Reuters, this is an opportunity to identify duplicates and reduce cost by eliminating them. Furthermore, it could also lead to a streamlining of the company's headcount as it doesn't make sense to have specialists in two variants with the same functionality and benefits.
“Businesses have to be wary of complicating the estate and supporting multiple things that are essentially providing the same capabilities,” he says.
Despite the bigger organisation perhaps being perceived as having more authority when it comes to these negotiations, a thorough analysis should be completed on both products.
Professor Steven Furnell, senior IEEE member and head of school and professor of IT security at Plymouth University, says that there should not be an assumption that one company should just inherit the ways of the other.
“It is clearly important to understand the current position in each side… and it can even be seen as an opportunity to review the suitability and effectiveness of the security controls as a whole, and then adopt the agreed best practices to move forward,” he suggests.
In fact, the bigger organisation's security products may have legacy issues, in which case it is more likely to want to see what the smaller organisation is using, and may even adopt that solution across the entire organisation.
For many companies the key issues with information security post-M&A centre around the processes and people involved, rather than the technology.
As Wilton says, a less mature business may have a laid-back approach to patching, for example, whereas bigger organisations may have had to deal with customers questioning their processes more frequently, and have therefore tightened things up and put a more robust system in place.
Smaller firms, particularly start-ups, are more agile and rely more on the expertise of a small group of people, whereas large organisations rely on a large pool of specialists, as well as having more governance and formal processes.
“There is a risk that the smaller, more agile companies feel stifled and unable to deliver at the rate they used to, while the bigger organisation may think the smaller firm isn't being careful enough,” says Boura, who has been personally involved in two such acquisitions, when Reuters took over a start-up he was working for, and then when Thomson acquired Reuters.
Boura believes that a technology mismatch can easily be resolved by the two firms involved, but that a cultural mismatch can be far harder to deal with. The cultural clash could even come down to smaller matters such as whether it is acceptable to use personal e-mail, web browsing and Facebook, and how often to allow employees to do so.
“It's easy to imagine two merging companies both feeling they had the right answer while operating entirely different policies,” says Professor Furnell.
But if both companies have employees who are focused on working together to ensure that the transition goes smoothly, there is a huge opportunity for each company to learn from the other.
Wilton says that when Claranet acquires a business, it has an induction programme for employees of the new company, which incorporates the usual information on company values, as well as security training that is consistent with the company's certifications. He adds that as an acquiring company, it has a larger training budget, some of which is used on security awareness.
More mature companies may have other capabilities that they can introduce to the smaller firm, such as standardised single sign-on with two-factor authentication, or other learning programmes that are focused on security.
LinkedIn, though not a small business itself, could still benefit from Microsoft's expertise in security.
“There isn't a doubt that Microsoft is amongst the most mature and best in the world when it comes to a secure development lifecycle, so I'm sure there will be opportunities where the LinkedIn technology teams would welcome the expertise from Microsoft,” says Boura.
Wilton says that in this case it is LinkedIn's information that is its key asset, and Microsoft is likely to have taken steps to protect that first and foremost to ensure that the £21 billion value of the acquisition is retained, along with Microsoft's own reputation.
This isn't to say that Microsoft can't also learn from LinkedIn. However, a culture has to be instilled into the organisation in which everyone is open to learning. Factions are likely to form if teams try to defend a particular function that is at risk because of an overlap between the two companies, and this is why transparency is crucial.
“It is important to ensure that all staff feel included and informed,” says Professor Furnell.
“What definitely won't help is to create factions, where one side just feels it is having something done to them. Creating such divisions would have obvious relevance beyond security as well, with the potential to influence the harmony and integration of the new organisation as a whole,” he states.
There is an insider threat with M&A activity because such deals will inevitably involve some sort of upheaval, whether that means a change of role, a demotion or a redundancy. In the latter case, Dornbrook emphasises that it is crucial for organisations to keep outgoing employees onside.
“People are grown-ups, they understand that through M&A there will be efficiencies to be gained, but you have to ensure that they are not resentful, although they are likely to be less motivated,” he says.
“You have to be mindful of that, and perhaps give them one day a week where they can look for a new job in the hope that they can focus on their work while they are still there,” he states.
This would not only enable the firm to encourage departing employees to transfer whatever knowledge they can to another employee, but also mitigate other security risks, such as a departing employee taking data they still have access to, or other insider knowledge, with them.
The bare necessities
According to Graeme Batsman, a cyber-security consultant from Capgemini, acquiring firms should carry out an audit of the cyber-security measures and procedures in place at the firm they are acquiring.
“The result shouldn't necessarily deter a business decision, as it's always fixable, but it's good to know what timeline you'll be working towards when it comes to ironing out any cultural or technology-based issues,” he says.
The ultimate aim for companies post-M&A is to be the third person in Dornbrook's ‘bear in the woods’ theory, with a fully functioning bear trap and a fully loaded rifle, or in security terms, having the right security solutions, processes and people in place.
Contributed by Sooraj Shah