This is the second part of a four-part blog series covering each of the four phases of the merger & acquisition (M&A) process and how you can build security into each phase. In case you missed it, Part 1 covered why it’s important to integrate security into the due diligence process in the first phase of M&A.
Phase Two: Integration planning and public announcements
The second phase is where you’ll start the planning for the eventual M&A. You’ve reached an agreement. You’re now looking at how to publicly announce that a transaction is happening—and this is the moment attackers will start trying to take advantage of the fluidity of the environment.
As soon as the word of an acquisition hits the street, both companies will likely start receiving higher volumes of phishing emails and other kinds of targeted attacks. The bad guys will be quick to take advantage because it’s a time of change. Transitions present opportunities that can leave employees on both sides extra vulnerable to a phishing campaign or other sophisticated threat vector. Threat agents look for change. The acquiring company’s security expert needs to determine if they can appropriately respond to cloud threats based on their own enforcement policies.
Another factor is that employees on both sides may be getting unsure about their jobs due to redundancy, relocation, and other factors. As uncertainty rises, some people will start looking for other jobs—and maybe even make copies of IP they’ve helped create, very much like they’re going to resign. They may start downloading data or uploading files into their own private storage and collaboration tools. These kinds of activities can signal an insider threat—and security should be capable of monitoring for high-risk behaviors and applying controls to protect sensitive content from exfiltration.
Stay tuned for Part 3, where I will dig further into what you can expect on “Day One,” after a merger or acquisition closes. For more about how you can fit security into your M&A process, download a copy of the Smoothing Out M&A solution brief, or register for my upcoming webinar on August 17 with Netskope Deputy CISO James Robinson, The Four Mistakes You Can Make That Will Blow Up an M&A.
