At the heart of any merger or acquisition is the serious question of the nature and quality of the target’s physical and technical security system. This means you have to spend some time reviewing current security protocols to determine whether you will have to overhaul the IT security team or can just rely on your staff to take care of the two newly merged entities.
A Review of Physical Security
You need to know what you might be getting into before committing to a merger. Begin by learning what types of physical controls the acquisition has in place. A tour of the facilities with the Chief Security Officer would be in order. As you make your way around the grounds, see if the facilities appear to be accessible to the public. A more important question is whether the target is controlling access to its data center.
In case of a breach, is the staff of the acquisition prepared and trained on various physical security procedures?
Review Technical Security
If the acquisition has documented all technologies in place and the standards for using them, it will be easier to see where there are gaps that need to be addressed during the merge.
- Network Diagrams: Check these as soon as possible. Look for holes and ask questions about anything that doesn’t look quite right to your own information technology security team.
- Access Controls: How does the company control who gets access to what information? Their control system should be supported with regular audits to see who is trying to sneak in.
- Firewalls: You’d be right to wonder who manages the rules of the security system, including the firewalls. When you find out, you’ll need to determine whether that person should stay on or whether his or her counterpart in your company will fill this role going forward.
- IDS: Learn whether the acquisition has an intrusion detection system (IDS) in place. Most modern organizations with a presence on the web can expect that hackers will routinely try to penetrate their networks. If the target lacks an IDS, now would be a good time to figure out how you will implement one for the two merged organizations.
- Web Sites: It’s likely the target has a website already, and this is trivial to find out. Once you review the site, ask the acquisition who is in charge of administering the site and its servers.
- Anti-virus / Anti-malware: Up-to-date anti-virus and anti-malware software needs to be running on all the machines in your organization. If the target does not routinely use these preventative measures, some education on the topic will be in order.
  - It would be a good idea to find out who manages the anti-virus process, and ask how frequently they update software and definitions. This will give you a rough idea of how seriously the target’s team takes their security responsibilities (or at least how much they were budgeted to take care of this issue).
- Encryption: Savvy leaders of mergers and acquisitions will find out what types of encryption are in place at the target. They will also verify which critical systems are encrypted, such as email, hard drives and servers.
- Vulnerability Assessments and Penetration Tests: You’ll breathe a sigh of relief if the target company confirms that it has performed vulnerability and penetration testing at some point during the previous 12 months.
- Incident Handling: How the acquisition typically responds to security incidents can set the tone for how your two IT departments work together. Here, your chief inquiry needs to be about how you can integrate your monitoring and incident response capabilities.
At the top of your checklist is the question of whether the company has a defined incident response procedure in place. Well-prepared companies won’t be knocked out by hacking attempts the way their inexperienced counterparts may very well be. In addition, when did they test their incident response capabilities, and what were the results? When is the next test scheduled?
Help With Assessing an Acquisition’s Physical and Technical Security
It’s difficult to ignore just how important it is to review the physical and technical security of any company that you are planning on merging with or acquiring. However, if you have limited time and resources to carry this out or if you simply would like to have someone with more experience guiding you, the team at Intrinium is standing by to assist.