Why sacrificing security during M&As is the one mistake everyone makes

One of the best indicators of renewed confidence in the economy – the fabled 'green shoots of recovery' – is a rise in Merger and Acquisition (M&A) activity. While M&A numbers have been looking healthy for a while now, particularly amongst the mid-market, we can find further encouragement in Deloitte's most recent M&A Index, recording a sharp rise in deals during the summer, and predicting a continuing upward trend in the coming quarter.

Deloitte predicts global deal volumes to reach around 8,350 by the end of the third quarter of 2014, a healthy nine per cent over the same period in 2013. Yet while M&A might be a sign of economic stability, deals carry within them seeds of insecurity which can be potentially devastating for enterprises that are not fully prepared.

The compliance problems of integrating a new acquisition into an existing business are well known and have been much written about. Much less appreciated is that security threats can also spread to the organisation that is selling part of its operations. This is especially relevant during this recovery: during the long recession we saw many companies attempt to protect themselves by expanding their service portfolio. As the economy has started to move back into the black, these firms are looking to consolidate, and are thus divesting themselves of sections of their business.

These vendor businesses are just as vulnerable as the acquiring enterprise to security threats during any deal. Businesses are usually girt by strong defensive boundaries; when companies come together in M&A activity, these boundaries come into contact and, out of necessity, become permeable to some degree.

It is vitally important that the parties involved in M&A do not focus solely on the business goals of a merger. During planning, organisations need to place an absolute premium on security, and ensure that business goals do not take precedence over, or in any way undermine, information security. In fact, they should be actively strengthening their security posture to prepare for the added risk that is inherent in M&A deals.

It is estimated that around 70 per cent of all security incidents have internal causes, such as a lost device or spear phishing attacks. There are a number of reasons why this can rise even higher during M&A, but these can be separated into two groups: staff and systems. Let's look at the first of these 'great unknowns': the employees. Mergers and acquisitions are often difficult times for employees on both sides of the deal: worries about redundancies or long-festering resentments come to the fore, raising the possibility that a disgruntled worker might leak information. This behaviour is not the only problem; usually little or nothing is known about the other company's employees, for example their level of security training and the internal processes they use.

Then comes the security technology of an organisation's entire IT estate. This encompasses everything from the physical and logical protection within data centres to the security of endpoints and remote access systems; it should also look beyond the physical infrastructure itself to processes, encryption, firewalls, compliance and other systems in place to keep data safe. What is more, an organisation's relationships with its suppliers and partners are another potential avenue of risk, and these must be carefully audited to ensure that they do not pose a security threat.

The best advice to minimise security threats during M&A activity is to treat the transitory organisation almost like a demilitarised zone: a completely separate entity from the two parties negotiating the transfer. Erecting a virtual cordon sanitaire will give enterprises the best chance of inoculating themselves against latent but unknown threats lurking within the organisation at the centre of a deal.

This may not be popular either among those responsible for the wider strategic aims of the merger or with the employees of the organisation that is to be so circumscribed. This is something on which the respective IT departments must stand firm. Security can never be an afterthought, and the pages of history are littered with examples of mergers and acquisitions that caused serious damage to both partners because of a lack of due diligence – Autonomy's acquisition by HP being just one recent case.

Even with the most successful M&A, it takes some time before the different companies and their cultures start to gel. There will be plenty of time later in which to relax the strict discipline that is so necessary during the transition phase, and there is little that anyone can do to contain a security breach during so sensitive a time.

Until the deal is done and the companies are fully integrated, a firm hand and an arm's length approach is the best way to ensure that any deal brings the long-term success that it deserves.

Tim Patrick-Smith is group CIO at Getronics