Could cybersecurity sink your next M&A?


Jon McGettigan, Fortinet

Most CFOs don’t expect to see cybersecurity on their due diligence checklist for mergers and acquisitions.

Yet cybersecurity – or a lack thereof – has massive implications for any deal: after all, the average data breach now costs organisations in the ballpark of $4 million, not to mention the potential damage to reputation and revenues when a breach goes public. These are risks that no CFO can afford to leave out of their assessments.

CFOs need to make cybersecurity audits a top priority if they want future M&A activity to succeed.

To do so, they should work with IT to understand what cybersecurity the target organisation currently employs, and how to integrate it with their own cybersecurity infrastructure and policies so that the threat of breaches remains minimal. Here are four tips for doing so:

Audit the network

Before the merger or acquisition gets underway, set a full network and systems audit as one of the transaction’s due diligence conditions.

The offices of the CFO and CIO should work together to review not only the technologies used by the target organisation, but the policies and processes that they’ve implemented to reduce cybersecurity risks.

Cybersecurity documentation can help the CFO identify how well the target organisation responded to previous threats – and if this documentation doesn’t exist, that brings up its own questions of accountability and due process.

Stay vigilant

A significant number of cybersecurity breaches occur because of employee actions, whether deliberately malicious or simply careless. In the lead-up to the transaction taking place, disgruntled employees or those facing termination may decide to throw a spanner in the datacentre or leak sensitive customer information for revenge.

IT teams from both organisations, reporting back to the CFO and CIO, should work together to increase monitoring of networks, systems, and devices for potential malicious behaviour at this time.


Bring the teams together

Once that collaborative relationship looks relatively sturdy, task IT with aligning each organisation’s cybersecurity policies.

That involves deciding which processes and technologies to keep, discard, or transform – no easy task. If done well, however, cybersecurity alignment can prove a powerful shared goal that brings the teams as well as their defences into a stronger whole.

And when the CFO leads this process – putting the focus explicitly on risk mitigation and accountability, rather than specific technologies – IT teams are less likely to feel that they’re competing with one another.

Keep systems – and people – consistent

M&As give CFOs a golden opportunity for improving both infrastructure and policies.

During the cybersecurity alignment process, consider replacing incumbent systems with a single integrated platform.

Ditching existing infrastructure might seem counterintuitive to some CFOs, but it often proves far faster and less costly – and more secure – than trying to achieve cross-compatibility across myriad systems and devices.

At the same time, make the effort to rally employees together around cybersecurity best practices, even as you address their potential concerns about the merger.

Education, training, and even practical exercises like penetration tests can not only insure the new organisation against inconsistent cybersecurity habits, but also build rapport and common ground between teams.

Maintain a positive tone and encourage employees to provide honest, upfront feedback about the new policies: doing so strengthens defences and the new corporate culture alike.

Despite some inevitable risks, M&A activity can benefit cybersecurity in the same way it benefits all other areas of operation: by pooling separate resources into a more cohesive whole.

If they do their due diligence and work with IT to keep defences strong, CFOs can rest easy when it comes to cybersecurity – knowing that it may even keep the deal afloat instead of sinking it.

Jon McGettigan is Senior Director, Australia, New Zealand and the Pacific Islands at Fortinet.
