Cybersecurity in Mergers & Acquisitions
What happens when you plug two computer networks together?
I recently wrote about yet another subsidiary of United Healthcare Group that was breached in a cybersecurity incident. I thought I’d cover how difficult it is to secure companies that have grown through M&A.
If you work in corporate America, chances are mergers and acquisitions (M&A) affect your work whether you want them to or not. At some point, a company becomes so successful that it exhausts the growth opportunities in its core product. When that happens, the easiest way to add new revenue streams is often to acquire or merge with another company rather than build something internally.
Every merger or acquisition includes a due diligence process to verify that the companies involved are what they claim to be. Among the many items reviewed is the cybersecurity posture of the target company. In an acquisition, this is typically a one-sided review. However, cybersecurity is rarely prioritized highly enough to stop a deal. It is unlikely that an M&A transaction will fail solely because of cybersecurity risks.
That means if you are responsible for cybersecurity during the M&A process, you should be prepared to make it work, one way or another.
After the deal closes, there is usually an “earn-out” period during which the acquired or merged company continues to operate as usual. During this time, security leaders from both organizations must work together to create a plan to merge the two networks and security operations into a single environment.
This is when gaps appear, and they can be costly if overlooked.
Knowledge gaps
One of the hard realities of M&A is redundancy. When two companies combine, fewer staff are needed. Morale is often low during the transition, and employees who know they may be leaving are not always motivated to help. Knowledge transfers frequently leave holes, and it is not uncommon to discover a server or device months later that no one understands because the person who knew about it was let go. You cannot secure what you do not even know exists.
Data gaps
Even in well-run IT environments, documentation is rarely perfect. Do you have a full inventory of internal and external IP addresses? Are you confident that your vulnerability scans cover all of them? Can you produce an accurate list of servers and their patch statuses? How certain are you that the list is complete? Or will you stumble upon virtual machines that were forgotten? These are common issues that must be addressed during the integration.
Technology gaps
One company uses Gmail, while the other uses Microsoft 365. One side has Palo Alto firewalls, and the other uses Cisco. Eventually one approach has to prevail, but sometimes companies try to maintain both, at least for a while. When technology stacks do not align, both users and administrators face a steep learning curve with unfamiliar tools and settings, which increases risk.
Configuration standard gaps
Even when two companies use the same technology, the way they configure it can be very different. Over time, each IT team develops its own practices, and administrators are often very opinionated about the “right way” to do things. To maintain strong security, consistent configuration standards need to be established and enforced. This can be challenging but is critical.
When you look at many of the high-profile breaches in recent years, it is hard not to wonder how many were caused by weaknesses introduced during the M&A process. Large organizations often have dozens of past acquisitions layered into their operations, each with its own IT department and its own bad habits. Without a disciplined approach to cybersecurity in M&A, security hygiene can quickly erode.