The ICO just announced its intentions to fine Marriott International, Inc. more than $124 million for failing to protect customer data during and after its acquisition of Starwood Hotels (where the breach originated). The ICO investigation found that Marriott failed to perform sufficient cybersecurity due diligence when it bought Starwood and didn’t secure its systems.
“The GDPR makes it clear that organizations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making an acquisition.”
- Elizabeth Denham, Information Commissioner1
In Part 1 of my new series dedicated to M&A IT security, I’ll dive into the common mistakes that can sink an M&A and the expected cost synergies pre- and post-Legal Day One.
Common M&A Security Mistakes Pre-Legal Day One
It’s important to remember that 50 percent of expected cost synergies of an M&A – you know, those $$$ reasons you do an M&A in the first place – comes from IT integration. When so much money and potential revenue is on the line, many organizations hyper focus on achieving that as quickly as possible, making crucial IT integration mistakes along the way.
After a deal has been inked but before it closes, one of the biggest rush mistakes is establishing an Active Directory trust before performing a cybersecurity analysis. Everyone wants to get employees from the two organizations working together and sharing resources – the quickest way to do that is to set up the AD trust between domains. However, creating a trust with another domain creates a pathway for anyone in that domain — including a malicious insider or a compromised account — to traverse laterally into your environment. Before you take that risk, you need to thoroughly review the security policies and procedures in place in the other AD domain and have a plan for how to monitor users and resources in this trust.
Find more Pre-Legal Day One security pitfalls in this ebook: How Mergers and Acquisitions Impact Data Security.
Common M&A Security Mistakes Post-Legal Day One
On the way to Legal Day One(LD1) goals of basic communication and interoperability, IT teams often have to make some compromises, such as leaving legacy systems in place and using workarounds to enable the associated workflows; all those shortcuts need to be cleaned up. And of course, there’s still all the work that was beyond the scope of LD1, such as various server, application and workstation migrations.
One of the riskiest Post-Legal Day One security overlooks sits within those hard to integrate legacy applications. Moving legacy applications, especially home-grown applications that are AD-dependent, often seems not to be worth the effort. Because of the work and complexity involved, organizations opt to leave the old directory in place to work with the legacy environment and set up some sort of coexistence between the old AD and the primary AD. But it’s almost inevitable that the old AD will get out of sync with the primary AD, or the old servers won’t get patched properly — leaving you with security gaps that can be exploited by insiders and intruders.
Complexity breeds risk – just ask Equifax. The U.S. House of Representatives Committee on Oversight and Government Reform put it best: “While the acquisition strategy was successful for Equifax’s bottom line and stock price, this growth brought increasing complexity to Equifax’s IT systems, and expanded data security risks.”2
Find more Post-Legal Day One security pitfalls and learn how to protect your organization during an M&A IT integration in this ebook: How Mergers and Acquisitions Impact Data Security.
Quest Repeatable M&A Framework
We know IT integrations of an M&A aren’t easy or small. While each M&A is different, the methodology doesn’t change. Your chance of success for an M&A is much higher when you implement repeatable processes. Quest offers a complete and repeatable software and services framework for M&As from Day 0 IT Due Diligence, to Day 1 IT integration and Day 2 ongoing management and security.
Don’t complicate your M&A IT integration further by using multiple products from multiple vendors. Standardize on a partner with the tools and expertise to offer a multitude of flexible approaches for Day 1. Quest delivers a repeatable framework that allows you to become familiar with a set of solutions, and a single support and services team.
Read the rest of the series here:
- Part 2: Lessons learned from the Equifax and Marriott data breaches
- Part 3: How to protect your next M&A
- Information Commissioner’s Office, “Statement: Intention to fine Marriott International, Inc. more than £99 million under GDPR for data breach,” July 2019.
- U.S. House of Representatives Committee on Oversight and Government Reform, Majority Staff Report, “The Equifax Data Breach,” December 2018.