In the face of economic uncertainty, organizations seek new ways to mitigate business volatility. One way, for example, is to pursue a merger or acquisition (M&A), which can diversify product offerings while reducing competitive threats. An M&A can also help an acquirer add more technical talent and accelerate digital transformation.
However, companies undertaking M&As can face significant cyber security risks throughout the deal cycle. Integrations that rely on a traditional network merge can lead to ineffective, redundant systems — and put resources and data at risk. Alternatively, a modern M&A IT integration that applies Zero Trust principles can be a force multiplier to:
Minimize IT, security, and compliance risks
Lower ongoing costs and improve productivity
Speed up implementation of transformational technologies
In an M&A situation, each organization’s prior cyber security decisions and underlying IT systems impact the other. Attackers may target the data of the company being acquired or divested as a way to break into the larger acquiring company.
Take the US Federal Bureau of Investigation's (FBI) warning about ransomware actors exploiting M&A activity, for example. Attackers launch Trojan malware to specifically identify non-publicly available information that could (if published) disrupt a deal, then use the data as leverage to extort money.
One in three executives responsible for M&A functions at acquirer organizations has experienced data breaches “that can be attributed to M&A activity during integration.” A key factor is the expanded attack surface: as part of the process, sensitive files and data are shared digitally with multiple third parties. In one instance involving the $130 million acquisition of Graduation Alliance Inc., attackers compromised the M&A law firm’s email addresses to divert and steal payments meant for shareholders.
Even “completed” IT integrations maintain risk, such as:
Dormant vulnerabilities: If security postures aren’t identical at the time of integration, one could negatively impact the other. For example, attackers had already compromised Starwood’s guest reservation system before Marriott acquired the Starwood network of hotels. The breach went undetected for two years — leaving nearly 500 million customer records exposed.
Shadow IT: It takes time for the combined company’s employees to get familiar with the new, integrated processes and tools. During this transition, certain employees or departments may adopt unsanctioned applications, or fail to follow the new IT policies.
Regulatory implications: If either company is in a different region or industry with stricter data privacy regulations, extra caution must be taken to ensure data sharing compliance. For example, China’s Personal Information Protection Law (PIPL) has certain notification and consent requirements for personal data transfer in M&A scenarios; failure to comply can lead to penalties starting at RMB 1 million (approx. $149,000).
Past studies have claimed that between 70 and 90 percent of acquisitions fail. Organizations that prepare for new cyber threats and successfully navigate IT integration during a deal can avoid becoming another (failed) M&A statistic.
In a traditional IT merger, organizations attempt to connect users to every resource across two merging companies. This follows the “castle-and-moat” network security model (wherein no one outside the network can access data on the inside, but everyone inside the network can).
For instance, they might use firewalls to pass traffic between the two networks or merge two networks at an interim bridging point (e.g., multiprotocol label switching — MPLS — to connect data centers). Or new virtual private networks (VPNs) could be added to safely give new users access. In the past, this was sufficient because business applications were hosted on-premises within data centers, and workers were mostly in the office.
But in modern workplaces, employees from acquiring “Company A” and acquired “Company B” need options to securely connect to a near-endless combination of cloud-hosted SaaS applications and networks — from any device, and from anywhere. If any one of those users or devices is compromised, the attacker could cross the proverbial “moat.”
In other words, when hybrid work environments converge during an M&A, a traditional perimeter-based approach is insufficient.
However, today’s IT and security leaders have the opportunity to rewrite the M&A IT integration playbook. A modern approach rooted in the Zero Trust security model ensures that all traffic in and out of the business is verified and authorized.
For instance, during integration, resources can be protected with Zero Trust Network Access (ZTNA) — the technology that makes it possible to implement Zero Trust security. Benefits of ZTNA include:
Reducing the risk of threats such as credential theft and phishing by requiring multiple authentication factors. Microsegmentation (a Zero Trust component) also minimizes the damage if an attack does occur, by restricting the breach to one small area.
Integrating with multiple identity providers simultaneously, which accelerates authentication for external users (i.e., “Company B” employees and contractors), and allows authentication from a variety of corporate or personal accounts.
Granting access based on a user’s identity and context, with universal, granular policies — and protecting internal assets without adding riskier new VPN connections.
Leveraging Zero Trust facilitates internal access without the complexity of combining networks, ensures faster onboarding of transitioning employees, and secures “Day 1” access for all users. Together, these help organizations realize the benefits of a merger faster — and in M&A, time equals money.
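The per-request, identity-and-context decision described above can be sketched as follows. This is an added example, not code from the article or from any ZTNA product; the issuer URLs, group names, application names and claim keys are hypothetical, and the claims are assumed to come from a token whose signature the access proxy has already verified.

```python
from dataclasses import dataclass

# Hypothetical: both companies' identity providers are trusted side by side,
# so Company B users authenticate with their existing accounts on Day 1.
IDPS = {
    "https://idp.company-a.example": "company-a",
    "https://idp.company-b.example": "company-b",
}

@dataclass(frozen=True)
class Rule:
    app: str
    org: str
    group: str
    managed_device: bool = False   # context check on top of identity

# Constructed policy: one granular rule per (application, organization, group).
POLICY = (
    Rule("hr-portal", "company-a", "employees"),
    Rule("hr-portal", "company-b", "transition-team", managed_device=True),
    Rule("source-code", "company-a", "engineering", managed_device=True),
)

def decide(claims, app, idps=IDPS, policy=POLICY):
    """Evaluate a single request; anything not explicitly allowed is denied."""
    org = idps.get(claims.get("iss"))
    if org is None:
        return False, "untrusted identity provider"
    if not claims.get("mfa", False):
        return False, "MFA required"
    reason = "no matching rule (default deny)"
    for rule in policy:
        if rule.app != app or rule.org != org:
            continue
        if rule.group not in claims.get("groups", ()):
            continue
        if rule.managed_device and not claims.get("device_managed", False):
            reason = "managed device required"
            continue
        return True, f"allowed via {org}/{rule.group}"
    return False, reason

if __name__ == "__main__":
    # Constructed request from an acquired-company user on an unmanaged laptop.
    bob = {"iss": "https://idp.company-b.example", "mfa": True,
           "groups": ["transition-team"], "device_managed": False}
    print(decide(bob, "hr-portal"))
    print(decide({**bob, "device_managed": True}, "hr-portal"))
```

Passing an `idps` mapping without one company's issuer denies every request from that company's users at once, which is the offboarding case in a divestiture.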
When two companies merge, they are under immense pressure to deliver ROI immediately. Bain & Co.’s analysis (based on tracking M&A activity over 10 years) found that 70% of process and systems integrations fail in the beginning, not in the end: “Speed matters a lot. In fact, according to our estimates, more than half of business synergies are often contingent on systems integration. Faster systems integration enables faster realization of those revenue and cost synergies and earlier introduction of new technological capabilities, as well as the ability to present a single face to the customer earlier.”
Yet attempting to combine corporate systems with a traditional network merge poses several challenges:
An extended integration period with months-long implementation steps, such as addressing potential network incompatibility and scalability issues, IP address overlaps, and other IT complexity.
Increased overhead from managing separate systems, maintaining obsolete (or redundant) applications, and higher technical debt (legacy hardware almost always requires more overhead to sustain operations).
Reduced productivity from activities such as spending more time adding, configuring, and maintaining new VPNs. And for remote workers, using cloud-based VPNs would add latency to every request between them and the network.
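The IP address overlaps mentioned in the first challenge can be found before any network merge is attempted. The following is an added example, not part of the original article; the subnet inventories and site names are constructed, and it assumes each company can export its address plan as CIDR blocks.

```python
import ipaddress
from itertools import product

# Constructed address plans for the two merging companies.
COMPANY_A = {
    "hq-lan": "10.0.0.0/16",
    "dc-east": "10.20.0.0/20",
    "vpn-pool": "172.16.8.0/22",
}
COMPANY_B = {
    "office": "10.0.32.0/19",
    "dc": "10.20.16.0/20",          # adjacent to dc-east, but not overlapping
    "remote-access": "172.16.10.0/24",
    "lab": "192.168.50.0/24",
}

def find_overlaps(plan_a, plan_b):
    """Return (site_a, site_b, shared_cidr, address_count), largest conflict first."""
    conflicts = []
    for (site_a, cidr_a), (site_b, cidr_b) in product(plan_a.items(), plan_b.items()):
        # strict=True rejects entries with host bits set, a common inventory error.
        net_a = ipaddress.ip_network(cidr_a, strict=True)
        net_b = ipaddress.ip_network(cidr_b, strict=True)
        if net_a.version != net_b.version:
            continue
        if net_a.overlaps(net_b):
            # Two CIDR blocks overlap only when one contains the other,
            # so the contested range is the block with the longer prefix.
            shared = net_a if net_a.prefixlen >= net_b.prefixlen else net_b
            conflicts.append((site_a, site_b, str(shared), shared.num_addresses))
    return sorted(conflicts, key=lambda c: c[3], reverse=True)

if __name__ == "__main__":
    for site_a, site_b, shared, count in find_overlaps(COMPANY_A, COMPANY_B):
        print(f"{site_a} <-> {site_b}: {shared} ({count} addresses)")
```

Each reported pair would need renumbering or address translation before the two networks could route to each other.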
As an aggregation layer around all applications, ZTNA provides secure access for all users to authorized resources, while simplifying the implementation. For instance, ZTNA:
Makes it simpler to provide access to the new swath of users and devices accessing both companies’ resources and to data stored both inside and outside the network (e.g., disparate cloud environments). In many cases, no end user software is required at all.
Maintains employee productivity and connectivity, a critical factor considering that mergers often temporarily impact job performance and retention. Zero Trust offers less intrusive security checks, simplified authentication workflows, and faster employee onboarding/offboarding.
Improves technology efficiency by replacing redundant security services with a cloud-based Zero Trust platform. It also reduces the effort required to provision and secure new infrastructure (or fix vulnerabilities in legacy systems) and avoids pain points around IP conflicts.
Nearly half of M&A professionals are likely to pursue a divestiture (the sale or spinoff of a product line, division, or subsidiary) in the coming 12 months, according to a January 2023 poll conducted by Deloitte. However, just like other M&A strategies, divestitures also increase the possibility of attackers seeking access to sensitive data and trade secrets. They also increase the likelihood of misconfigurations and vulnerabilities as IT assets transition.
In a divestiture, the spinoff company has a greenfield opportunity to modernize. ZTNA technology is timely for the spinoff company to adopt during the IT transition period both to minimize technical debt and reduce the complexity of the transition itself. Because ZTNA verifies every individual request, it eliminates lateral movement from attackers. Applications and users from the divested business can also be offboarded efficiently due to granular Zero Trust access policies. This expedites the logical separation of the two resulting businesses and helps fulfill the terms of the separation agreement on time.
Through its ZTNA market analysis, IDC analysts rank Cloudflare as a Leader. IDC cites Cloudflare’s “aggressive product strategy to support enterprise security needs” as well as its ability to “support businesses at various stages of zero trust adoption.”
Cloudflare is the easiest path to simplifying IT integration with Zero Trust — making it efficient to protect critical applications and high-risk user groups (such as employees and contractors from the acquired company) on “Day 1”, then effortlessly expand Internet-native ZTNA to the rest of the business as it grows.
This article is part of a series on the latest trends and topics impacting today’s technology decision-makers.
After reading this article you will be able to understand:
Common cyber risks associated with mergers and acquisitions
The complexity of traditional IT integration
The benefits of applying Zero Trust security