Managing M&A cyber-security risks
Zero trust is at the centre of a secure acquisition; but there are other strategies to follow that are also important.
Migration | Security
Rich Dean
7/8/2024 | 3 min read


In today’s business landscape, acquisitions are an integral part of growth and expansion but come with significant risks, particularly when integrating new personnel and information resources into an existing ecosystem. One of the primary risks lies in the potential security vulnerabilities within the acquired organisation.
Unfortunately, in the rush to finalise acquisitions with minimal disruption, organisations often overlook security, leading to major breaches. For instance, after Marriott International acquired Starwood Hotels in 2016, a 2018 data breach exposed the personal information of approximately 500 million guests. Attackers had been in Starwood’s system since 2014, well before the acquisition.
Similarly, in May 2024, Dropbox experienced a significant breach affecting its e-signature service, Dropbox Sign (formerly HelloSign), acquired in 2019. Hackers accessed customer information, including emails, usernames, phone numbers, and hashed passwords, as well as API keys and OAuth tokens.
These breaches highlight the need for rigorous cyber-security assessments and the integration of security measures into the M&A process to ensure a safe and seamless transition. This approach not only protects assets and maintains stakeholder confidence but also ensures the long-term success of the acquisition.
Key strategies for secure M&A
Integrating disparate systems, processes, and cultures can expose organisations to a range of potential security challenges.
One of the most critical measures to mitigate these risks is adopting the Zero Trust security model. Zero Trust operates on the principle of "never trust, always verify," meaning that no entity, whether inside or outside the organisation, is trusted by default. This model ensures continuous verification of every user, device, and application, providing robust security throughout the M&A process.
In addition to adopting Zero Trust principles, organisations should follow these ten key strategies to comprehensively ensure the security and integrity of the merged entity:
Change the mindset: Secure leadership buy-in by emphasising that security is leadership's primary responsibility during the technical merger. This ensures that all parties involved have the time and resources needed for effective planning and execution of the migration project.
Inventory, interview, and assign migration paths: Start by creating a comprehensive inventory of all assets to understand the full scope of what needs to be migrated. Next, conduct interviews with asset owners to gain insight into the function and importance of each asset. Decide which assets will be migrated, retired, or left behind. A successful migration depends on a thorough understanding of the assets, their business criticality, and their designated paths post-migration.
Assess the source and target environments for vulnerabilities: Perform a thorough security assessment of both the incoming and receiving environments to identify potential vulnerabilities and risks that could compromise the security of the merged entity. Establish risk tolerance statements to define acceptable performance risks and ensure alignment with the organisation’s risk appetite. If a risk tolerance policy is not already in place, develop one before conducting your assessments.
Compare processes, policies, and standards: Evaluate and compare the security processes, policies, and standards of both entities. This comparison helps identify discrepancies and areas that need alignment or improvement.
Identify app and service redundancies: Look for redundancies in applications and services between the two entities to reduce the need for migration, rehosting, or retooling existing applications to the new environment. Eliminating these redundancies can streamline operations and reduce potential security risks.
Consider app segmentation, domain consolidations, and service retirement: Implement strategies such as application segmentation to isolate legacy vulnerable applications, reducing the blast radius during attacks. Domain and forest consolidations can reduce the attack surface, while service retirement should address redundancies and evolving business needs.
Establish temporary one-way trusts during coexistence periods: When a business need arises, use only temporary one-way trusts during periods of coexistence. This approach helps maintain security while allowing necessary access and communication between the merging entities.
Consider a non-migration merger experience: Create new identities instead of synchronising existing ones, migrate minimal data, and wipe devices before the move. Although this approach may cause some friction with the end-user experience, it helps eliminate potential threats lurking within identities and devices when they are migrated as-is.
Don’t move everything: Avoid the temptation to migrate all data simply because it’s available. Prioritise based on business needs, security considerations, and the potential impact on operations. This approach can help manage risks of moving unauthorised, undesirable or compromised data.
Monitor for unusual behaviours and changes: Continuously monitor systems and networks for unusual behaviours or anomalies, especially during the critical stage of integration when you are most vulnerable and afterward when adversaries may be trying to exploit new vulnerabilities. Effective monitoring helps detect potential security threats early and enables appropriate and timely responses.
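The inventory, risk-tolerance, redundancy and "don't move everything" strategies above combine into a single triage decision per asset. The following Python is an added worked example, not code from the article or from any product: it takes a constructed inventory of the acquired environment (with the criticality gathered from owner interviews and the highest open finding from the vulnerability assessment) and assigns each asset a migration path of migrate, retire, leave-behind or blocked. The asset names, scores, the CVSS-based tolerance threshold and the ordering of the checks are all assumptions chosen for illustration.

```python
from dataclasses import dataclass
from typing import Dict, Iterable, Set, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventoried system. Fields come from the inventory and owner interview
    (strategy 2) and from the vulnerability assessment (strategy 3). Constructed."""
    name: str
    function: str            # business function the asset provides
    criticality: int         # 1 (nice to have) .. 5 (business critical), per the owner
    max_cvss: float          # highest open finding from the security assessment
    owner_wants_migrated: bool


@dataclass(frozen=True)
class RiskTolerance:
    """Hypothetical risk-tolerance statement: findings above this score must be
    remediated before the asset may enter the target environment."""
    max_cvss_to_migrate: float = 7.0


def target_functions(target_inventory: Iterable[Asset]) -> Set[str]:
    """Functions the receiving environment already provides (for redundancy checks)."""
    return {asset.function for asset in target_inventory}


def assign_path(asset: Asset, provided: Set[str], tolerance: RiskTolerance) -> Tuple[str, str]:
    """Decide migrate / retire / leave-behind / blocked for one asset, with the reason.

    Order matters: a redundant system is retired regardless of its findings (nothing to
    fix if it is not coming across), then low-value or unwanted assets stay behind, and
    only assets that are actually moving are gated on the risk tolerance."""
    if asset.function in provided:
        return "retire", f"target already provides '{asset.function}'"
    if not asset.owner_wants_migrated or asset.criticality <= 1:
        return "leave-behind", "owner declined or low business criticality"
    if asset.max_cvss > tolerance.max_cvss_to_migrate:
        return "blocked", (f"open finding CVSS {asset.max_cvss} exceeds tolerance "
                           f"{tolerance.max_cvss_to_migrate}; remediate before migrating")
    return "migrate", "within risk tolerance and not redundant"


def triage(source: Iterable[Asset], target: Iterable[Asset],
           tolerance: RiskTolerance) -> Dict[str, Tuple[str, str]]:
    """Assign every source asset a path; the result is the migration plan to review."""
    provided = target_functions(target)
    return {asset.name: assign_path(asset, provided, tolerance) for asset in source}


def path_counts(plan: Dict[str, Tuple[str, str]]) -> Dict[str, int]:
    """Summary by path, e.g. to report how much of the inventory is actually moving."""
    counts: Dict[str, int] = {}
    for path, _ in plan.values():
        counts[path] = counts.get(path, 0) + 1
    return counts


# Constructed sample inventories (not real systems).
SOURCE_INVENTORY = [
    Asset("hr-portal", "hr-self-service", 4, 5.3, True),
    Asset("legacy-crm", "crm", 5, 9.8, True),
    Asset("fileshare-finance", "finance-file-storage", 4, 4.0, True),
    Asset("test-jenkins", "ci", 1, 6.5, False),
    Asset("intranet-wiki", "knowledge-base", 2, 7.5, True),
]
TARGET_INVENTORY = [
    Asset("people-hub", "hr-self-service", 4, 3.1, True),
    Asset("mail", "email", 5, 2.0, True),
]

if __name__ == "__main__":
    plan = triage(SOURCE_INVENTORY, TARGET_INVENTORY, RiskTolerance())
    for name, (path, reason) in plan.items():
        print(f"{name:18} {path:12} {reason}")
    print(path_counts(plan))
```

Only two of the five sample assets qualify to move as-is; the business-critical CRM is held back until its critical finding is fixed rather than being carried into the target environment because it is important, which is the trade-off the "don't move everything" strategy asks leadership to accept up front.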
By adopting these measures, organisations can minimise the attack surface and reduce the likelihood of unauthorised access during M&A. Moreover, Zero Trust policies and implementation of these ten strategies foster a culture of security awareness and vigilance, encouraging all stakeholders to prioritise cyber-security and actively safeguard the organisation’s assets.
This comprehensive approach not only strengthens the security posture during and after the merger but also lays a solid foundation for ongoing protection in an ever-evolving threat landscape.
And remember:
If you aren’t secure before the migration, you will be less secure afterward.