Reducing Risk During Mergers and Acquisitions

A checklist to create cross-company visibility of all systems

Mergers and acquisitions activity among the world’s largest companies has been on the upswing since 2014 with Dow and DuPont making headlines last week as the latest blockbuster merger, following names like Starwood and Marriott and AT&T and DirecTV.

Acquiring companies face a long list of risks that must be assessed and carefully accounted for during due diligence: financials, litigation, intellectual property and regulatory matters all represent the potential inherited impact on a business. And when you buy a company, you buy their data. Today, disparate security and IT operations practices between companies represent a growing concern for acquiring corporations, and with good reason: it’s rare for both companies to have the same standards for cybersecurity, data centers, asset management and IT policies, like bring-your-own-device. In fact, threats might already have infiltrated the acquired company’s endpoints and they don’t know it — leaving companies exposed to future data compromise, fines and loss of trust with customers.

The business of aligning the IT operations and security functions of two companies is a massive operation, and the goals are generally universal: find synergies that drive cost reduction and understand and contain the acquired company’s threat matrix. The following is a checklist of the top four priorities team should immediately focus on when performing M&A due diligence:

Identify synergies

1. Inventory hardware and software assets to drive machine and license consolidation strategy
2. Consolidate servers and ensure full server utilization
3. Distribute new software and required applications
4. Eliminate redundant point solutions at both organizations in favor of a platform that can simplify and streamline infrastructure

Containing threats

1. Use unmanaged asset scans to proactively monitor for rogue assets, BYOD and actively deploy endpoint management
2. Scan endpoints to ensure that vulnerabilities don’t already exist on acquired endpoints, and investigate and remediate exposures
3. Standardize data center management tools and ensure that all VMs are under proper management
4. Ensure the hygiene of the acquired companies endpoints

Tanium can manage each of these for clients facing a merger or acquisition — deploying on average 10,000 endpoints a day during due diligence. If critical, Tanium could be deployed in a matter of hours, within a day.

Another aspect to keep in mind: the cybersecurity practices of the partners and advisors your company contracts with during the due diligence period. The rise in M&A activity has provoked a rash of hackers infiltrating law firms, investment companies and real estate companies to gain access to confidential information regarding company takeovers. BusinessWire announced this week the hiring of a chief information security officer following the discovery this summer of a hack at the press release distributor. The Securities and Exchange Commission charged 32 people this summer with hacking press releases on top wire services and trading on their not-yet-public information.

---

Interested in seeing Tanium in action? Schedule a one-to-one demo or attend our weekly webinar. Talk to our Tanium experts at our upcoming events.