Building Security into Your M&A Process Part 3: Merger or Acquisition Close (“Day One”)

This is the third part of a four-part blog series covering each of the four phases of the merger & acquisition (M&A) process and how you can build security into each phase. In case you missed it, Part 1 covered the why it’s important to integrate security into the due diligence process in the first phase of M&A and Part 2 covered integration planning and public announcement.

Phase Three: Merger or acquisition close (“Day One”)

Now you’re ready for “Day One”—when the acquiring company actually acquires or merges with the target company. And from a security perspective, anything that happens from this day forward—you’re responsible for it. 

In the old days, you’d be flying in firewalls and all sorts of other physical appliances trying to get them installed in time to start immediately monitoring and protecting the expanded organization. It was a big mess back then—and most companies would probably still agree that it’s not a fun process. But with the right planning, tools, and resources, your security team can design an integration process that is executable in a very short amount of time and repeatable for future acquisitions. Software-based security solutions make things much easier to deploy and configure than the hardware of a few years ago.

A common Day One goal is getting the acquirer’s key executives access to the target company’s systems, and vice versa. Cross-pollination needs to happen from the start, especially on the operational side and in critical departments like finance. Opening these systems up for new users and new processes can present tremendous risks. For example, because both companies use internal IP addresses, it’s very common to have IP conflicts. These are not their public IP addresses; these are the internal ranges. Organizations need some kind of security solution in place that helps prevent these sorts of common IP conflicts within the newly joined environment. 

There are a number of other critical security questions that need to be answered at this point, including:

• Are you able to limit access to the target company’s existing cloud services and applications to avoid data leaks and close security gaps?

• If there are new SD-WAN connections to target branch sites or remote offices, can you provide visibility and data protection for them?

• Can you make a comprehensive assessment of the target company’s threat monitoring capabilities—including the granular movement of data to/from the target’s cloud solutions? (There might be sensitive data in their cloud environments that has been left unmanaged.)

• Can you identify and manage third-party integrations and detect any high-risk activities or behaviors by target company users?

• Are there security weaknesses that you identified during the due diligence process that need to be addressed

And unfortunately, a lot of these sorts of important security activities have to wait until Day One because they can’t officially be done prior to the deal closing. In most cases, you can’t actually start running detailed scans until the acquirer actually own the target company. Deep scanning is a near-term necessity because most companies today will have modern infrastructure complexities that need immediate monitoring—SaaS application configurations, private application access, IaaS implementations in different public clouds, as well as other multi-cloud deployments. Once integration begins, the entire business becomes exposed to any vulnerabilities or threats hidden in its infrastructure.

Stay tuned for Part 4, where I tackle how you should approach long-term integrations following M&A. For more about how you can fit security into your M&A process, download a copy of the Smoothing Out M&A solution brief, or register for my upcoming webinar on August 17 with Netskope Deputy CISO James Robinson, The Four Mistakes You Can Make That Will Blow Up an M&A.