This is the third part of a four-part blog series covering each of the four phases of the merger & acquisition (M&A) process and how you can build security into each phase. In case you missed it, Part 1 covered the why it’s important to integrate security into the due diligence process in the first phase of M&A and Part 2 covered integration planning and public announcement.
Phase Three: Merger or acquisition close (“Day One”)
Now you’re ready for “Day One”—when the acquiring company actually acquires or merges with the target company. And from a security perspective, anything that happens from this day forward—you’re responsible for it.
In the old days, you’d be flying in firewalls and all sorts of other physical appliances trying to get them installed in time to start immediately monitoring and protecting the expanded organization. It was a big mess back then—and most companies would probably still agree that it’s not a fun process. But with the right planning, tools, and resources, your security team can design an integration process that is executable in a very short amount of time and repeatable for future acquisitions. Software-based security solutions make things much easier to deploy and configure than the hardware of a few years ago.
A common Day One goal is getting the acquirer’s key executives access to the target company’s systems, and vice versa. Cross-pollination needs to happen from the start, especially on the operational side and in critical departments like finance. Opening these systems up for new users and new processes can present tremendous risks. For example, because both companies use internal IP addresses, it’s very common to have IP conflicts. These are not their public IP addresses; these are the internal ranges. Organizations need some kind of security solution in place that helps prevent these sorts of common IP conflicts within the newly joined environment.
There are a number of other critical security questions