Information Security in Mergers & Acquisitions. Introduction.


1 Information Security in Mergers & Acquisitions

2 Introduction

3 Chris Conacher
- BAE Systems
- BAE Systems, Airbus
- Intel Corporation
- KPMG LLP
- Black Hat Consulting
- chrisc@blackhat.com

4 Key Learning Objectives
- Provide an understanding of critical Information Security risks within the Mergers & Acquisitions (M&A) process
- Provide an understanding of the need for Information Security in managing those risks
- Provide an approach that identifies key actions at various stages within the M&A process

5 General Learning Objectives
- Specific IS risks as they relate to M&A:
  - Risk to your and the target organizations
  - Risk in relation to phases of the M&A process
- Role of IS in managing risks:
  - Preparation and development required
  - Key questions IS should answer
  - Key actions at key stages of the M&A process
- The different phases in the M&A process

6 Relevance
- Sudden Change
  - Profile
  - Threat Model
  - Form
- Sudden Impact
  - Resources
- Mergers
- Acquisitions
- Spin Offs / Ventures / New Business Initiatives

7 Business Drivers
- Confidentiality
- Speed
- Business as usual
- Zero Impact
- Informed Business Decision on Risk

8 Risk

9 Threat in M&A
- Special Interest Groups – gain from M&A
  - Financial Criminals
  - Competitors
  - Acquisition / Merger Company
  - Disgruntled Employees
- General Interest Groups – gain from impact
  - Everyone Else
  - Script Kiddies
  - Hackers / Crackers
  - Hacktivists
  - Terrorists
  - Spies
- Your interest gets attacker’s interest

10 Risk
- Publicity and Profile
  - Known Target due to impact on:
    - Resources
    - Technologies
    - Infrastructure
- Confusion
- Absorption of “Soft Target”
- Disgruntled Employees
- One of the few times an Organization is really “shaken up”

11 Risk to You
- Change in threat model
- Change in risk model
- Impacting resources
- Absorbing unknown
- Disgruntled employees
- Creating new attack vectors
- Creating window of opportunity
- Business drivers can force this upon you very quickly

12 Are you equipped for change?
- Major overnight change in Threat Model
  - Multi-site / Global
  - Foreign Nationals
  - Different technologies
  - Different skill requirements
- Upgrade of data classification
  - Ownership of intellectual property
  - Ownership of controlled technologies
- Significant change in number of employees
- Legislative liabilities
  - GLB, HIPAA, CA customers, etc.
- Do you know about the change?

13 Risk to Acquisition
- Change in threat model
- Change in risk model
- Impacting resources
- Absorbing unknown
- Disgruntled employees
- Creating new attack vectors
- Creating window of opportunity
- Business drivers can force this upon them very quickly
- Are they equipped for change?
- Your interest gets Attacker’s interest!

14 Decisions Impacting Security
- Integration approach
  - Absorption
    - Complete – protection against external threat
    - Zero – protection against internal threat
  - Access
  - Centralizing systems
- Integration deadlines
- Integrating custom applications
- Integrating new technologies
- Anything that annoys employees
- Re-Location

15 Importance of Confidentiality
- Premature Disclosure of Intent
  - Loss of Key employees
  - Bidding wars
  - SEC Liability
  - Loss of Initiative
- Loss of Goodwill
  - Target Company
  - 3rd Party relationships
  - Customer relationships

16 Importance of Availability
- Loss of Goodwill
- Loss of Reputation
  - Customers
  - 3rd Parties
  - Employees

17 Risk Management

18 Role of InfoSec in M&A
- Allow informed business decisions
  - Risk & Risk Management
  - Target Company value / cost / impact
- Protect Acquisition process confidentiality
- Protect your Organization from
  - External threat using process impact
  - Internal Target Company threat
- Protect Target Company from
  - External threat using process impact
  - Internal Target Company threat
- Protect Target Company assets
- Enable secure integration
- Minimize cultural impact
- Long Term security

19 InfoSec – Negative Impact
- Problems
  - Time
  - Cost
  - Scares / Annoys Employees
  - Feared Cultural Impact
- Solutions
  - Preparation
  - Early Involvement
  - Clear distinction between Long & Short term solutions
  - Costs may be tax write-off
  - Education

20 InfoSec – Positive Impact
- Protects your negotiation position
- Protects liability (SEC)
- Protects what you are buying
- Additional skill-set in Due Diligence
  - Liability – Legal
  - Infrastructure cost – IT, Facilities
  - Risk – Information Security
  - Information Asset Confidentiality / Integrity
  - Audit depth – Skeletons
  - 3rd party involvement
- Assess additional long term costs

21 Basic Security Strategies
- Current backups of all critical data, verified before sign-off
- Sanitize the environment
- Treat target company as 3rd party
- Separate and secure all critical data
- Separate and secure all critical systems
- Migrate custom applications to COTS
- Identify key employees
- Mitigate risk through contracts
- Contract short term staff

22 Non-Compete Agreements
- 10 year
- Date of leaving
- Identify key individuals and require them to sign on the spot – make it a deal breaker
- Sign up whole family if necessary
- Make employee non-competes under the laws of a state that will enforce them

23 Policies
- Safeguards against Disgruntled Employees
- New employee contracts
  - Are your policies relevant?
  - Are you ‘dumbing down’ their security?
- Existing employee contracts
  - Do they protect you?
  - Do they meet the new relationship?
- Identify key policies – yours / theirs
- Work with legal

24 6 Phase Approach
- Pre-Target
- Target
- Due Diligence
- Sign-Off
- Integration
- Post Integration

25 Phases & Threats
Phase: Pre-Target | Target | Due Diligence | Sign-Off | Integration | Post-Integration
Threat:
- Pre-Target: Criminals, Competitors
- Target: Criminals, Competitors, Acquisition
- Due Diligence / Sign-Off: Criminals, Competitors, Acquisition, Disgruntled Employees
- Integration / Post-Integration: Criminals, Competitors, Acquisition, Disgruntled Employees, Everyone Else
Asset: Yours (earlier phases) → Yours/Theirs (later phases)
Attack: C | C | C | C | I | A (Confidentiality, Integrity, Availability, by phase)
Threat Profile: Low → High across the phases

26 Pre-Target Phase
- Develop support for InfoSec’s involvement
- Secure your environment
- Educate M&A team regarding risks
- Secure M&A processes, systems and data
- Provide specific tools & training
- Develop key policies
  - Acceptable use
- Discuss integration solutions with IT
- Define roles and responsibilities within M&A project team
- Develop communications processes
- Foreign nations impact
  - Infrastructure difficulties
  - Communications
  - Restricted Technologies
- Be ready to roll

27 Information Security Toolkit
- Audit Baselines
- Security Awareness training materials
  - What, why, who and how
- Fundamental security mechanisms
  - Password distribution
- Bolt-in technological solutions
  - Secure server
  - Firewall
  - Anti-Virus
  - Physical security solutions
  - Cryptographic solutions
- Replacement COTS

28 Target Phase
- Understand the Business
- Modify toolkit
- Modify solutions
- Communicate potential areas of risk
- Special considerations

29 Due Diligence Phase
- Determine location of Key Assets
  - Porous Perimeter
  - Laptops, home workers, 3rd parties
- Determine security of Key Assets
- Determine perimeter
- Identify key processes, systems and assets
- Identify Key Employees
- Determine Employee terminations
- Prioritise actions
- Report potential risks to senior executives
- Detailed audits can be disguised
- Agreement on baselines allowing integration

30 InfoSec should determine
- The risk to your Organization
- Confidentiality, Integrity and Availability of the target Assets
- Major risks to the target Assets
- Methods for short term protection
- Methods for long term protection
- Financial cost
- Resource cost
- Relevance of existing safeguards
- Applicability of policies

31 Sign-Off
- Secure key processes, systems, assets
  - Back-Ups
  - Secure server
  - Firewall
  - Anti-Virus
  - Patches / Updates
  - Internet facing systems
- Employee contracts
- Non-Compete Agreements

32 Integration
- Secure project team deployment
- Intra-Company communication defined
- Deploy security training
- Sanitizing the environment
  - Applying security patches
  - Viruses, Trojans, Backdoors, Insecure code
- Migrate applications
- Migrate data
- Short term safeguards
  - Policies
  - Secure server
- Integrate when ready

33 Securing the Project Team
- Education
- Physical Security – On acquisition site
  - Controlled access – Equipment, files
  - Personal printer, fax, phone
- Logical Security
  - VPN
  - Dial-Up – Care using Target network
  - Encryption – Network, Email, Disk
  - Secured laptops
- Voice Communication
  - Use Cell Phones

34 Post-Integration
- Prioritise
  - Assets
  - Systems
  - Processes
- Complete Audits
- Analysis
- Safeguard deployment

35 Summary
- Develop InfoSec involvement
- Understand the Threat
- Be ready to go
- Understand Phase implications
- Inform Organization of specific risks
- Identify & Secure key processes
- Identify & Secure key property
- Distinguish Long & Short term solutions
- Develop drop-in solutions
- Avoid Cultural impact
- Avoid Business impact

36 Questions?

37 Black Hat contacts
- Chris Conacher, Black Hat Consulting, chrisc@blackhat.com, +1 503 998 6416
- Jeff Moss, President & Founder, jmoss@blackhat.com, +1 206 790 3628
- Michael Bednarcyk, CEO, Black Hat Consulting, michael@blackhat.com, +1 800 620 4638
- General Information: www.blackhat.com, info@blackhat.com, Fax: +1 206 219 4143

