M&A activity always seems like a good idea at the time yet, despite the best intentions of the parties concerned, it’s far from certain that the new entity will live-up to expectations.

In today’s hyper-connected, mobile-led business environments, with organisations that are full of many moving parts and a plethora of technologies, this translates into big IT security risks when two organisations are trying to become one.

It’s essential, therefore, that the combined entity conducts thorough due diligence if it’s to have a fighting chance of realising the full benefits and opportunities that prompted the merger in the first place.

It’s no doubt a daunting prospect, but organisations that follow these three steps will reduce the IT security risks of M&A:

1. Conduct a technology audit

Companies today have a hard-enough job keeping-up with the latest technologies, let alone managing the integration of separate (new and legacy) systems and data sets that sit within the two merging entities.

Organisations of all types and sizes face more security challenges and external threats today than ever before. At the same time, regulators and compliance requirements have created a greater sense of urgency.

Australia’s Notifiable Data Breach (NDB) regulations, Europe’s General Data Protection Regulation (GDPR), and the Payment Card Industry Data Security Standard (PCI DSS) have all raised the stakes even further.

Not only can security breaches affect business continuity, but they must also now be flagged by companies that fail, which then erodes trust with customers and business partners; Australia’s NDB laws also stipulate heavy fines.

It should be the top priority of the CIOs and other senior executives leading the two merging organisations to conduct a thorough and rigorous audit of all security technologies in place. The best way to do this would be to conduct a SWOT analysis for each organisation involved, enabling them to identify their security maturity. Questions to be asked include:

  • What firewalls have been deployed?
  • Are intrusion detection solutions present at all contact points?
  • Have the appropriate access controls been deployed?
  • What is running in each environment?
  • What are the security compliance obligations?
  • What’s the superior solution at your disposal?
  • How can a unified, secure hybrid environment be created that will support future growth?

It’s a lot to think about all at once, but it’s just where the start.

2. Conduct a staff audit

Like it or not, the majority of security breaches are the result of either human error or oversights, such as poor training and/or communication.

For cyber criminals this creates plenty of low hanging fruit to employ so-called ‘social-engineering’ practises that prey on people’s vulnerabilities, such as the impulse to open emails and attachments distributed as part of phishing attacks. These are typically designed to dupe people into visiting bogus websites, and revealing user names, passwords, financial information and other sensitive data.

In fact, recent studies have shown that, on average, over 15 percent of staff have been duped by phishing scams, with some revealing alarming numbers up to 30 percent.

It’s important, therefore, for a newly merged organisation to understand who everyone is, what they do, and how they go about their general days at work. From there they need to plan, structure and roll-out effective training and education programs tailored to specific staff and the departments they work across.

In this situation, one size does not fit all.

3. Conduct a processes audit

Although companies may not think of their day-to-day operations in terms of being processes, they are its beating heart.

Just like people, no two companies will have the same way of operating, even if they’re doing similar things in the same market.

The reasons are pretty obvious, yet this is an area that is rarely given the attention it deserves despite being critical to ensuring business continuity when two organisations merge.

Doing a processes audit is probably harder than the ones needed for technology and people because they’re both more tangible and visible.

For starters, it requires full cooperation and participation across the entire organisation. Senior executives need to work closely with CTOs and IT managers to investigate methodically how all of the technology and human assets work together at each of the companies planning to merge.

Once this is achieved, people with the appropriate expertise, oversight and authority must decide which processes should be kept, amended, or discarded.


After addressing these three core pillars, the next task is to distill all of the information, insights and recommendations into the one, centralised and dynamic security register and then create a security strategy, road map, and framework that will enable them to move forwards, safely.

Brennan IT recently launched its own dedicated IT security consultancy designed to help Australian organisations of all kind identify their own vulnerabilities and needs, and we’re able to help you to chart the best way forward for new entities to flourish in the wake of M&A activity.

Not sure what you need?

Different businesses have different needs.
Find out which products meet your needs.