Minimizing cyber risks during acquisitions and mergers
In an uncertain economic environment, companies are looking for new ways to mitigate business fluctuations. One of these ways — this is the desire for mergers or acquisitions (M&A), which can diversify the product range and reduce the level of competition. M&A can also help the acquiring company attract more technical talent and accelerate digital transformation.
General risks in the IT field during M&A and ways to minimize them
In a situation of mergers and acquisitions, the decisions of each organization in the region cybersecurity and core IT systems influence each other. Attackers may target the data of a company that is being acquired or divested in order to infiltrate the larger acquiring company.
For example, this practice is quite effective: attackers launch ransomware to specifically identify confidential information that could interfere with the transaction, and then use this information as a means of pressure to extort money.
In one case involving the $130 million acquisition of Graduation Alliance Inc., attackers compromised the email addresses of a law firm involved in the M&A to redirect and steal payments intended for shareholders.
Even completed, previously implemented IT integrations can pose long-term risks, such as:
- Sleeping vulnerabilities. If the security provisions are not identical at the time of integration, one may adversely affect the other. For example, attackers had already compromised the Starwood hotel reservation system before Marriott acquired the Starwood hotel chain. The intrusion went undetected for two years, leaving nearly 500 million customer records at risk.
- Shadow IT. It may take time for employees or departments to get used to new, integrated processes and tools. During this transition, some employees or departments may use unauthorized applications or not comply with new IT policies.
- Regulatory implications. If at least one of the companies is located in a different region or industry with stricter data protection regulations, additional precautions must be taken to ensure compliance with data sharing requirements. For example, China has the Personal Information Protection Law (PIPL), which sets certain notice and consent requirements for the transfer of personal data in M&A scenarios; Failure to comply may result in fines starting at 1 million yuan (approximately $149,000).
Final statistics from previous studies indicate that from 70 to 90 percent of transactions related to acquisitions and mergers of companies fail to varying degrees in terms of the safety of sensitive information. However, companies that are adequately prepared for new cyber threats and successfully integrate information technologies during the transaction can minimize financial and reputational losses.
Reducing information technology risks in M&A
In the traditional information technology merger process, organizations strive to ensure that users have access to every resource in the two merging companies. This is based on the network security model "castle and moat", where no one outside the network can access data inside, but everyone inside the network can.
For example, they can use firewalls to route traffic between two networks or combine them at an intermediate connection point (for example, through multi-protocol switching equipment — MPLS — to connect to data centers). Or you can add new virtual private networks to securely provide access to new users. In the past, this was sufficient because business applications were hosted internally in data centers and employees primarily worked in the office.
However, in today's work environments, employees from the acquiring "Company A" and the acquired "Company B" need the ability to securely connect to a variety of cloud applications and networks — from any device and from anywhere in the world. And if one of these users or devices is compromised, the attacker will be able to overcome this "moat". In other words, in a situation where hybrid work environments merge during M&A, the traditional perimeter-oriented approach is insufficient.
Today's IT and security leaders have an opportunity to reconsider their strategy for integrating information technology into mergers and acquisitions. A modern approach based on the Zero Trust security model provides verification and authorization all traffic both inside and outside the enterprise.
Private VPN server: another option for minimizing risks during M&A
Private VPN server also helps reduce cyber risks during mergers and acquisitions by providing a secure and encrypted connection for remote access to resources and data. By connecting a private VPN server, you can create a separate virtual private network for employees involved in the merger and acquisition process. This will provide an additional level of isolation and protection for network assets. You can buy a private VPN server profitably and with minimal time investment on Private VPN server.