Strengthen Security During Mergers

Computerworld - Maintaining robust security is at the top of the IT priority list at many companies these days. But those that are in the midst of a merger or acquisition face some unique security challenges -- and opportunities.
U.S.-based multinational companies plan to increase their merger and acquisition activity over the next two years, with 70% expecting to be involved in such deals in that period, according to a recent PricewaterhouseCoopers Barometer Survey of 170 executives.
That will mean lots more work for chief security officers -- before the deal is signed and afterward, when security technologies and policies have to be integrated. The following are some practical tips for ensuring that data, networks and systems remain as secure as possible during the often turbulent times that accompany a merger or acquisition.

• Perform due diligence on security well before the merger begins. The chief security officer or other senior security manager should be as involved in the process of evaluating potential merger or acquisition targets as finance, human resources and other executives are. Analyze the security policies and technologies at the other company, and determine how vulnerable it is.
  Also, determine whether the company educates employees about security in general and about things such as preventing the spread of viruses. Conduct a penetration test of the target company's network, and interview managers and staffers to gauge the prevailing attitude about security and protecting data and intellectual assets.
  "Spend a lot of time learning about the company and its culture, where it does business, whether security [management] is centralized or decentralized, and how the company values security," says Bobby Gillham, manager of global security at ConocoPhillips in Houston, who headed security for Conoco during its 2002 merger with Phillips Petroleum. "Work closely with the other company's security manager to understand their security organization and its role in the organization."
  
  
• Assess the security practices and vulnerabilities of suppliers and other business partners that work closely with the merger or acquisition target, says Laura Koetzle, an analyst at Forrester Research Inc. Do the trading partners have adequate security in place for e-commerce, online procurement and Web collaboration?
  
  
• Remember that a merger can always fall through because of regulatory restrictions, stockholder disapproval or other reasons. "Companies have to be careful about releasing [security] information to the other organization, because if the merger is halted, there's no way you can get them to 'unknow' those things you've told them," says Koetzle. This is particularly critical if the merger partner is a competitor. "You can disclose the level of security you provide, but don't hand over all the keys to the kingdom in the early stages of a merger."
  
  
• Anticipate "social engineering" and other security threats from disgruntled employees at both of the companies involved. While experts say bad behavior is usually the exception -- most people are more concerned about finding a new job than harming the company if they believe they're going to be laid off -- it makes sense to be ready for anything. As soon as an employee has been notified about a layoff, cut off access to all critical services and applications. The IT staff should be trained and prepared to shut off employees' network access as quickly as necessary.
  "You need to pay particular attention to protecting against people walking out with proprietary information," Gillham says. "Sometimes people take things not to steal, but to show prospective employers the work they've done. You have to limit access to proprietary systems for those people you know are being downsized."
  
  
• During the integration/transition phase, get the two companies' security groups working together as soon as possible. Begin to identify which security technologies should be retained and which should be dropped, based on the security needs of the new organization. "There may be an opportunity to create [a new] security organization that has the best of both companies," says Gillham. "Compare the security expertise of both companies and look for opportunities for synergy in the integration process."
  
  
• Be sure to address how to handle secure communications, particularly if the companies are using different types of e-mail or virtual private networks for remote access. "That can be a hurdle; if the systems are not compatible, people may not be able to communicate with each other," says Nicholas Percoco, associate partner at Ambiron LLC, an information security advisory firm in Chicago. It may be necessary to change security technologies at one company to guarantee secure communications.
  
  
• If the target company turns out to be a security disaster and it's too late to get out of the deal, spend whatever it takes to quickly bring the company up to snuff, through new technology or upgrades of old products. Send in security experts or hire consultants to evaluate security, especially for the most critical systems and networks.

Read more about Security in Computerworld's Security Topic Center.