When two companies merge, the existing security risks multiply. In the climate of the COVID-19 global pandemic, it’s more important than ever to assess cybersecurity early in the process of integration and merging of two separate companies.
Integrating two companies’ technology has always been challenging and intricate, and the additional cybersecurity challenges related to COVID-19 have made it harder than ever.
Why do security risks multiply in a company merger?
We know it to be true that many companies are unaware of security risks within their organizations. We see this time and time again with ransomware attacks that devastate an organization’s sensitive data, often resulting from a lack of preventative security measures. When two organizations merge, both entities suddenly become responsible for their own organization’s security issues and those of the organization they are merging with. What’s more, this applies to both known and unknown security risks, with the unknown risks proving to be the most detrimental.
How can I merge my organization successfully?
The number one way to mitigate risk during a merger is to thoroughly evaluate both organizations’ existing cybersecurity risks before the merger. This means evaluating known risks and taking the time and resources to identify unknown risks as well. As part of the overall transition strategy (alongside the organizational, financial and other plans), organizations should have a clear cybersecurity transition strategy to ensure both organizations’ sensitive data is safe throughout the merger process and after the merger has been completed.
In our experience, most small businesses acquiring smaller businesses ARE NOT evaluating cybersecurity risks in advance. This is a massive weakness in their acquisition strategy that could bring down the parent company if done incorrectly.
Second, organizations must evaluate their connected devices and make sure their built-in security measures are intact. If this is not the case, both organizations increase their risk of potential attacks. Both organizations will want to identify and classify all of their assets to ensure a solid security infrastructure.
Third, organizations should specifically evaluate their cloud infrastructure. During the merger process, the use of the cloud exposes both organizations to a plethora of new security risks. Be aware that organizations are responsible for data that is being transferred to and from the cloud, specifically during the merger process. Thoroughly evaluating this process will help mitigate risk to both organizations participating in the merger.
Finally, both parties must understand the shared responsibility for security risks when merging organizations. Some of the greatest ransomware threats result from issues in-house (e.g., outdated operating systems, stale accounts left enabled, misconfigured services and portals). In the merger process, both companies must evaluate any “holes” in the security infrastructure and address those issues with a clear, actionable plan. A proactive approach to security infrastructure will help protect both organizations and support a smooth transition after the merger.
If your organization is part of an upcoming or active merger, don’t hesitate to reach out to PK Tech if you have questions.