The Importance of Data Security and Insider Threat Programs in Mergers and Acquisitions

Jeremy Wittkop, CTO


Mergers and acquisitions have become an important part of many organizations’ growth strategy. In most large transactions, countless hours are spent on due diligence, whether that due diligence is related to the financial health of the company, compliance with applicable regulations, or a variety of risk factors. Refreshingly, cybersecurity has emerged as a risk factor that is getting significant attention as part of the due diligence process. However, there is a key aspect of cybersecurity during the process that is often overlooked, and that is data security. Specifically, this means data security before, during and after the transaction, not necessarily an assessment of the existing data security program as part of a risk assessment or due diligence exercise.

The key point to remember when you are acquiring a company in the developed world is to understand the primary motive of the acquisition. There are essentially three factors that often drive value in an acquisition. You are looking to acquire the intellectual property owned by the organization; its market position, whether that manifests itself as a client base or a reputation for excellence in a specific area; or, finally, its human capital. The first two factors directly relate to data security in terms of maintaining the value of the acquired organization. What are you really buying if the intellectual property and client lists are stolen during the process?

It is common for employees of both the acquiring and the acquired organizations to become nervous and start looking for jobs on the open market at the time of an acquisition, especially those who know that there is a similar function to theirs in the other organization and that their job role is likely to become redundant. Those individuals present an increased data security risk, as employees exiting the organization tend to be the most prone to intentional data theft. These actors range from insiders taking copies of their work product and unknowingly compromising sensitive information to individuals who intentionally steal information in order to make themselves more attractive to a competitor, or to enable themselves to start a competitive organization. Regardless of motivation, it is important to put data security safeguards in place before news or rumors of the acquisition become widespread.

Defining Critical Information Asset Life Cycles

The first step in any data protection program rooted in content analytics, frequently associated with Data Loss Prevention (DLP) technologies, is to define what information is critical to the organization, or in this case, to the transaction. This process is more difficult in organizations that are operating in a business as usual manner, because often, people don’t think about critical information assets on a daily basis. However, those involved in an acquisition should be acutely aware of why they are looking to acquire a company. Defining the data associated with the “Why?” should be a relatively straightforward process.

Once the critical information assets are defined, the first step in defining a critical information asset life cycle is complete. You have essentially defined the content you are trying to protect. The next step is to define the community of users who interact with that content and the ways in which each group of authorized users interacts with that content in an authorized manner. Defining these processes is much more in-depth and delicate work, potentially requiring engagement with an organization that has experience building such programs. Now that the critical assets are defined and the business processes associated with them mapped, evaluating and implementing technologies to protect them is the next logical step.

Note: In many cases, technologies to support the following use cases are deployed in one or both of the organizations. In those cases, simply extending the program to fill any identified gaps may be the best course of action.

Data Classification

Data Classification and document tagging offer organizations a method to operationalize a data classification program. With respect to data relating to a merger or acquisition, defining all of the data elements and communications that should be protected may be difficult, especially since the information is likely to be unstructured. As such, building a data classification schema that allows users that are part of the acquisition team to classify their documents and have them appropriately protected is important.

It is also important to ensure that any new classifications related to an acquisition are not exposed to the wider organization. We certainly do not want the technologies used to prevent leaks of information to actually become the source of these leaks. One solution many organizations use is a generic classification like “Internal Use Only” with a sub-classification with project code names available only to those associated with those specific projects. This type of strategy would require the data classification product to support multiple levels of classification. It is important to ensure the product selected will meet these specific requirements if this is the chosen strategy.

Data Loss Prevention (DLP)

Data Loss Prevention programs should be an important part of any organization’s security program. At this point, organizations that suffer breaches without appropriate DLP programs in place are often considered to be willfully negligent, especially in the United States, where DLP technology is well understood and widely adopted. Not all DLP programs are effective, but having the technology deployed offers organizations an advantage when entering into an acquisition.

The first step in an effective DLP strategy during a merger or acquisition is to prevent news of the acquisition spreading prior to the announcement. Therefore, any documents or communications related to the acquisition should be protected and restricted to the individuals who have a need to know. This type of protection is much easier to achieve if there is a good data classification program in place.

The next step is to extend protections to the entity being acquired if necessary and to put policies in place to protect the types of information that have been deemed critical. It is important to maintain a holistic view of the information as it is being stored, used and transmitted. Often, Data at Rest (DAR) scanning projects are conducted in order to build an inventory of where this information is located throughout the organization in order to build appropriate controls to protect that information.
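
An added example (not from the original article): a minimal Python model of the two-level scheme described under Data Classification, where a generic label carries a project code name visible only to project members, together with the need-to-know restriction on acquisition documents described above. The code names, addresses, rosters and function names are constructed assumptions, not any classification or DLP product's API.

```python
from dataclasses import dataclass
from typing import Optional

BASE_LABEL = "Internal Use Only"  # the generic top-level classification

# Constructed sample data: project code names and their need-to-know rosters.
PROJECT_MEMBERS = {
    "BLUEHERON": {"alice@acquirer.example", "bob@acquirer.example",
                  "cfo@target.example"},
    "REDKITE": {"dana@acquirer.example"},
}

@dataclass(frozen=True)
class Document:
    name: str
    label: str
    project: Optional[str] = None  # sub-classification (code name), if any

def assignable_labels(user):
    """Labels offered to a user when tagging: code names only for members."""
    subs = sorted(f"{BASE_LABEL}/{p}"
                  for p, roster in PROJECT_MEMBERS.items() if user in roster)
    return [BASE_LABEL] + subs

def displayed_label(doc, viewer):
    """Label shown to a viewer in headers, metadata or block notifications."""
    if doc.project and viewer in PROJECT_MEMBERS.get(doc.project, set()):
        return f"{doc.label}/{doc.project}"
    return doc.label  # non-members never learn that the project exists

def egress_decision(doc, sender, recipients):
    """Need-to-know check; returns (verdict, parties outside the roster)."""
    if doc.project is None:
        return ("allow", [])  # project rule not applicable; other policies still are
    roster = PROJECT_MEMBERS.get(doc.project, set())
    if sender not in roster:  # also fails closed for an unknown code name
        return ("block", [sender])
    outside = sorted(r for r in recipients if r not in roster)
    return ("block", outside) if outside else ("allow", [])

if __name__ == "__main__":
    doc = Document("term-sheet.docx", BASE_LABEL, "BLUEHERON")
    print(displayed_label(doc, "eve@acquirer.example"))
    print(egress_decision(doc, "alice@acquirer.example",
                          ["bob@acquirer.example", "eve@acquirer.example"]))
```

The point of `displayed_label` is that the control itself does not leak the code name: a blocked non-member sees only the generic label.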

Cloud Access Security Brokers (CASBs)

Increasingly, cloud storage sites are becoming the preferred method of data exfiltration. Whereas it used to be common to find users saving information to a USB storage device, from InteliSecure’s observations, it is far more common for information to be saved to a cloud service, whether it be the Drafts folder of an email service like Gmail or saving something to a Box or Dropbox account and then accessing the information remotely. Anytime an organization wishes to protect itself from data exfiltration, monitoring data flowing to and from sanctioned and unsanctioned cloud applications is an important part of the puzzle. Increasingly, enterprise-class DLP providers like Symantec, Forcepoint, and McAfee are offering CASB solutions that allow organizations to extend their DLP policies and controls to a point of presence in the cloud. These types of solutions make data security efforts, especially related to mergers and acquisitions, significantly more efficient and effective, both in terms of implementing the solution as well as in terms of streamlining the ways in which the information is reviewed and potential threats are identified and mitigated.

Insider Threat Programs

Technologies that analyze user behaviors in an effort to identify potential insider threats are increasingly becoming available to the commercial marketplace. These programs are more difficult and costly to deploy on a temporary basis both during and immediately after a due diligence period, but in some cases, may be necessary. This is especially true when one of the organizations has extremely valuable or widely publicized intellectual property.

If these types of solutions are already in place, expanding their scope to monitor users in the organization that is being acquired may be an important step to identify changes in behavior as more information becomes publicly available. Monitoring changes in behavior can be valuable not only for identifying users that may compromise data, but also for identifying which users may be more difficult to retain than others, especially if a large part of the acquisition was based on acquiring human capital.


Mergers and acquisitions can offer an organization great opportunities to grow and expand their capabilities. There has been much written about cybersecurity as part of the risk evaluation and due diligence process, which is a good thing. Please also understand the informational assets that contribute to the value of the organization being acquired, and be prepared to protect that information, as doing so is truly protecting the organizational value you are trying to acquire.