When the ongoing pandemic took root in the US, businesses and entire industries were turned upside down. Unsurprisingly, there was a significant slowdown in the number of tech mergers during the first quarter of 2020. Companies inwardly focused on pressing issues tied to their very survival — understanding market demand changes, countering downward pressures, and right-sizing teams and expenses accordingly.
As we speculate about a new normal, Bain & Co. expects deals will rebound to historic levels in the coming months. Whether it's to improve business efficiencies or access technologies to adapt to the new realities of work, Bain anticipates an uptick in deals in remote IT support, automation, artificial intelligence, and work collaboration tools.
While this should bring new life to companies, mergers and acquisitions will present challenges, as always. Successful post-merger integration is tricky in all markets, and more so in today's remote working environments with increasingly distributed IT infrastructures. Merging companies need to think differently to be successful and maintain network security protocols.
Some of the biggest breaches of the last few years have occurred after large companies combined operations. Verizon's acquisition of Yahoo and Marriott's combination with Starwood come to mind, among many others. Often, it's subtle vulnerabilities, issues that have gone undiscovered in company IT environments for months or even years (e.g., unauthorized database access) that go on to create major headaches after the merger. When vulnerabilities go undetected during diligence and parties move quickly to consummate their transaction, serious security risks may be overlooked. In these cases, the number of customers whose private data could be exposed in a breach increases exponentially.
To balance speed and caution, M&A teams must take proactive steps to mitigate security risks throughout the transition phase.
When Companies Merge, Security Risks Multiply
Merging firms are often unaware of security issues or breaches in their networks until it's too late. The burden falls to both parties to perform a thorough cybersecurity assessment before, during, and after their networks are merged.
First, it's vital for all teams across both organizations to establish complete visibility throughout the expanding environment, including data centers, branch offices, cloud applications, and edge devices. This is crucial in order to gain a complete picture of both enterprises and help identify vulnerabilities. Establishing this shared source of information about everything happening on all networks enables businesses to break free from organizational silos that inhibit swift detection and resolution of IT security threats.
The next step is to detect and classify all assets across all environments. In particular, the proliferation of enterprise edge devices and the Internet of Things devices adds another layer of complexity to maintaining a secure infrastructure. Many of the billions of connected devices don't have built-in security measures, increasing their vulnerability to potential distributed denial-of-service or man-in-the-middle attacks.
Behavioral analytics can help mitigate this issue, as it allows security analysts to know when intruders are still present and identify what information has been compromised. Armed with timely information, security teams can detect threats in real time and provide contextualized data for rapid investigation and response.
It's also essential to close security gaps that emerge with cloud infrastructure. The cloud dramatically expands attack surfaces and exposes acquiring companies to myriad new security risks. While cloud service providers are responsible for some aspects of security — specifically, securitizing the cloud environment — customers are responsible for securing the workloads being transferred into and out of their cloud applications.
Misunderstanding this shared responsibility leads to critical security risks. In fact, some of the biggest cloud security threats are "in-house" — misconfigured services and portals, insecure APIs, and unauthorized access, to name a few. Businesses must take inventory of all these potential holes in the security infrastructure as systems are merged. Proactively uncovering and addressing cloud-specific security risks allows acquirers to expedite deals and emerge confident in the security of the integrated networks.
Integrate With Confidence
Cybersecurity attacks during M&A introduces risk and can compromise valuations. When sensitive data is leaked as a result of security lapses, it can damage the reputations of both organizations and cause firms to rethink or revalue transactions. To address these risks, businesses must develop a transition strategy with security top-of-mind. With a clear plan for maintaining security before, during, and after the merger, acquiring companies can uncover and address issues before the damaging effects are felt.