BreachExchange mailing list archives

Avoid security breaches during reorganisation and mergers


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Mon, 24 Nov 2014 18:54:55 -0700

http://www.scmagazineuk.com/avoid-security-breaches-during-reorganisation-and-mergers/article/381130/

When companies reorganise or are brought closer together through merger or
acquisition, the primary focus will nearly always be on the financial and
legal aspects of the process, and questions over security are usually low
down on everyone's list of priorities.

More often than not we all – company employees and customers alike – tend to
assume security will simply ‘adapt’ when these moves and changes take place.

However, businesses need to be aware of the huge range of headaches that
can occur, and the increased potential for catastrophic data loss or theft
– which could have a direct impact on brand reputation, customer
satisfaction, and, ultimately, your bottom line.

In the case of a reorganisation, merger, or acquisition, companies need to
tread carefully and put security near the top of the agenda from the
earliest possible stage of the process.

So what can be done?

Rather like ensuring that your home is able to endure all weathers, there
is a need to start with the foundations – check they are secure, and
continue to re-check them regularly.

With regard to data security, this means knowing exactly what data you
have, classifying it into tiers, and creating a clear policy for each tier,
with each tier assigned to a specific individual. Once such a policy is in
place, the individual responsible needs to ensure it is regularly reviewed
and certain data re-classified, which will mean that its access rights must
be amended.

With a policy in place and an ‘owner’ appointed, all levels of
reorganisation can be handled with the appropriate and necessary care – or
at least far more effectively than normally occurs.

A single staff reassignment may seem insignificant, but even this must be
handled with care. At the most basic level, staff are constantly moving
within an organisation. The policy needs to cope with such changes and make
sure that an individual's need for, and access to, specific data is
reassessed and changed appropriately.
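The classify-assign-review procedure described above can be made mechanical. The following is an added illustration, not code from the article or its author: a small registry in which every dataset carries a tier and an owner, every role has a ceiling tier, and a staff reassignment or a reclassification triggers a recomputation of who may keep which access. Tier names, roles, dataset names and people are constructed sample values; access above the new role's ceiling is revoked rather than silently carried over, and the affected tier owners are named so approval can be sought explicitly.

```python
"""Access review driven by a tiered data registry.

Added example (not from the article). Models the advice that data is
classified into tiers, each tier has an accountable owner, and a person's
access is re-assessed whenever they move roles or data is re-classified.
All tiers, roles, datasets and names below are constructed sample values.
"""
from __future__ import annotations

from dataclasses import dataclass, field

# Tier ordering: a higher number means more sensitive. Sample labels only.
TIERS = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class DataSet:
    name: str
    tier: str
    owner: str  # the individual accountable for this dataset's tier policy


@dataclass
class Registry:
    datasets: dict[str, DataSet] = field(default_factory=dict)
    # role -> highest tier that role may hold by default
    role_ceiling: dict[str, str] = field(default_factory=dict)
    # person -> set of dataset names currently granted
    grants: dict[str, set[str]] = field(default_factory=dict)

    def register(self, ds: DataSet) -> None:
        self.datasets[ds.name] = ds

    def permitted(self, role: str, ds_name: str) -> bool:
        """A role may hold a dataset only if the dataset's tier is at or below its ceiling."""
        ceiling = self.role_ceiling.get(role, "public")  # unknown roles get the lowest tier
        return TIERS[self.datasets[ds_name].tier] <= TIERS[ceiling]

    def review_move(self, person: str, new_role: str) -> tuple[list[str], list[str]]:
        """Return (revoke, keep) lists for a staff reassignment, without changing state."""
        current = self.grants.get(person, set())
        revoke = {d for d in current if not self.permitted(new_role, d)}
        return sorted(revoke), sorted(current - revoke)

    def apply_move(self, person: str, new_role: str) -> tuple[list[str], list[str]]:
        """Apply a reassignment: drop access above the new ceiling, name owners to ask.

        Nothing new is granted automatically; access the new role might need is
        requested from the relevant tier owner rather than inherited.
        """
        revoke, keep = self.review_move(person, new_role)
        self.grants[person] = set(keep)
        owners_to_consult = sorted({self.datasets[d].owner for d in revoke})
        return revoke, owners_to_consult

    def reclassify(self, ds_name: str, new_tier: str, roles: dict[str, str]) -> list[str]:
        """Change a dataset's tier and strip it from anyone whose role no longer qualifies."""
        old = self.datasets[ds_name]
        self.datasets[ds_name] = DataSet(old.name, new_tier, old.owner)
        affected = []
        for person, granted in self.grants.items():
            if ds_name in granted and not self.permitted(roles[person], ds_name):
                granted.discard(ds_name)
                affected.append(person)
        return sorted(affected)


def build_sample() -> tuple[Registry, dict[str, str]]:
    """Constructed sample data: four datasets, four roles, two people."""
    reg = Registry()
    for ds in (
        DataSet("press-releases", "public", "comms-lead"),
        DataSet("staff-directory", "internal", "hr-lead"),
        DataSet("quarterly-forecast", "confidential", "cfo"),
        DataSet("payroll", "restricted", "hr-lead"),
    ):
        reg.register(ds)
    reg.role_ceiling = {
        "intern": "public",
        "engineer": "internal",
        "finance-analyst": "confidential",
        "payroll-admin": "restricted",
    }
    reg.grants = {
        "alice": {"press-releases", "staff-directory", "quarterly-forecast"},
        "bob": {"staff-directory", "payroll"},
    }
    roles = {"alice": "finance-analyst", "bob": "payroll-admin"}
    return reg, roles


if __name__ == "__main__":
    reg, roles = build_sample()
    # Alice moves from finance to engineering: the forecast is above her new ceiling.
    print(reg.apply_move("alice", "engineer"))
    roles["alice"] = "engineer"
    # HR raises the directory to confidential: engineers lose it, payroll admins keep it.
    print(reg.reclassify("staff-directory", "confidential", roles))
```

Run as a script, it prints the revocations and owners to consult for Alice's move, then the people stripped of the directory after its reclassification. The point of keeping `review_move` separate from `apply_move` is that the same check can be run as a dry-run report before HR's change takes effect, which is where the article's "anticipate changes that will be enforced" advice becomes practical.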

The need for transparency

But beware! If the policy is not clearly understandable, simple, and
relatively easy to implement, it may not be accepted by everyone. Some staff
who have been reassigned will find ways around their new privileges – most
notably by saving data on mobile devices such as phones and laptops. A
relatively innocent attempt on their part to hang onto data can in fact
be the first step towards a significant security breach.

However, the time wasted explaining and clarifying policy can be reduced if
a clear policy is in place beforehand, with high-level support from Human
Resources and senior management. In this way, staff will be able to refer
to the policy themselves, and also to anticipate changes that will be
enforced.

A joint solution

When the likes of ‘Mega Corp’ merges with ‘Global Domination Inc’, you can
be sure there will be those who are worried about facing job cuts. Less
noticeable, however, is that an effective security policy can be another –
albeit silent – casualty of these shifts.

Wise heads realise that huge reorganisations are often a real headache for
security, not least as the dominant player will nearly always try to impose
their own security policy on the smaller of the two companies.

Yet, from experience, we know that policy imperialism like this will lead
to resistance, and, worse still, non-compliance. Staff from the smaller of
the two companies will be wary and defensive at the best of times; and
being told their current security policy is redundant will lead to
increased suspicions and perhaps distrust – an atmosphere that can have
very serious consequences for a newly-merged company.

The only answer is a hybrid policy that takes the best practices from both
organisations, based on a clear and realistic understanding of the new
situation. Such hybrid policies – with regular reviews – invariably get better
buy-in, and better stand the test of time.

Just as builders are still happy to build on flood plains, some
organisations are still happy to ignore the warnings, preferring to deal
with the consequences. But security should not be reactive; it should be
built into mergers, acquisitions and reorganisations from the very
start. It should be policy-driven as a result of careful analysis and
on-going review.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss