With the current “micro-economic” climate that everyone has been beaten to death by, there has been an incredible shift in venture capital and startup funding. While the term “zombie startup” has been coined, the real effects have yet to significantly hit the space. There is an incredible opportunity for acquisitions to increase revenue, capability, and customers. As the early-stage startup landscape continues to evolve, there are important IT and security risks to consider.

Key IT Considerations

  • Assess the target’s IT infrastructure. This includes understanding the target’s network, systems, applications, and data. The acquiring company will need to ensure that the target’s IT infrastructure is compatible with its own, and that it is adequately secure.
  • Perform due diligence on the target’s security posture. This includes reviewing the target’s security policies, procedures, and controls. The acquiring company will need to ensure that the target’s security posture is adequate, and that it meets its own security requirements.
  • Plan and execute the integration of the two IT infrastructures. This includes migrating data, applications, and systems. The integration process must be carefully planned and executed to ensure that it is secure and efficient. It is important to understand the culture and characteristics of the organizations throughout the merger.

Key Security Considerations

  • Data privacy and security. The acquiring company will need to ensure that the target’s data is protected in accordance with applicable privacy and security laws.
  • Compliance. The acquiring company will need to ensure that the target is compliant with all applicable industry regulations.
  • Risk management. The acquiring company will need to assess and manage the risks associated with the acquisition, including the risk of data breaches, cyberattacks, and other security incidents.
  • Data breaches. The acquiring company needs to review logs to ensure there are no indicators of compromise, review access logs for suspicious activity, and ensure user permissions can be mapped to vendor applications and integrations.
  • Insider Threats. As soon as possible the acquiring company needs to ensure data is protected. This is especially the case if not all of the employees are being retained. Data exfiltration and bulk queries from shared drives or databases should be documented, and legal should be included.
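
One way to run the access-log review for bulk queries described in the last two items, as an added example that is not part of the original post. The record layout, the thresholds (`multiplier`, `floor`), the user names, and the list of non-retained accounts are all assumptions made for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records: (timestamp, user, source, objects read).
SAMPLE_LOG = [
    ("2024-03-04T09:12:00", "alice", "shared-drive", 14),
    ("2024-03-05T10:01:00", "alice", "shared-drive", 22),
    ("2024-03-06T11:30:00", "alice", "shared-drive", 18),
    ("2024-03-04T08:45:00", "bob", "shared-drive", 30),
    ("2024-03-05T09:20:00", "bob", "shared-drive", 25),
    ("2024-03-06T14:05:00", "bob", "shared-drive", 35),
    ("2024-03-07T22:10:00", "bob", "shared-drive", 2000),
    ("2024-03-07T23:40:00", "bob", "shared-drive", 2200),
    ("2024-03-05T13:00:00", "carol", "crm-db", 900),
    ("2024-03-06T13:00:00", "carol", "crm-db", 1000),
    ("2024-03-07T13:00:00", "carol", "crm-db", 950),
    ("2024-03-07T16:30:00", "dave", "crm-db", 600),
]
NOT_RETAINED = {"bob"}  # constructed: accounts of staff not being retained

def flag_bulk_access(events, not_retained, multiplier=5, floor=100):
    """Return per-user daily totals that exceed that user's own baseline."""
    totals = defaultdict(int)
    for ts, user, source, count in events:
        totals[(user, source, datetime.fromisoformat(ts).date())] += count
    findings = []
    for (user, source, day), objects in totals.items():
        # Baseline is the median of the same user's other days on this source;
        # an account with no history gets a baseline of 0 and only the floor.
        others = [n for (u, s, d), n in totals.items()
                  if (u, s) == (user, source) and d != day]
        baseline = median(others) if others else 0
        if objects > max(floor, multiplier * baseline):
            findings.append({"user": user, "source": source, "day": day.isoformat(),
                             "objects": objects, "baseline": baseline,
                             "retained": user not in not_retained})
    # Accounts of non-retained staff first, then largest volume.
    return sorted(findings, key=lambda f: (f["retained"], -f["objects"]))

if __name__ == "__main__":
    for finding in flag_bulk_access(SAMPLE_LOG, NOT_RETAINED):
        print(finding)
```

Comparing each account against its own history keeps a consistently heavy user such as `carol` out of the findings while still surfacing a first-time bulk pull from an account with no baseline.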

There is a lot to consider when merging companies: logging, AuthN, AuthZ, attack surface. As with everything, take inventory, document the final steps, and identify the specific steps to get there. Not everything is going to be smooth. Before starting the transition, it is important for your company to have an incident response plan in place and practiced.

I hope this blog post has been helpful. If you have any questions or comments, please feel free to ask.