Mergers and acquisitions (M&A) are very common across industries today, including healthcare. Integrating companies can be challenging, and if executed without proper due diligence, can greatly increase information risk at both companies.
Not all companies choose to integrate newly acquired entities; some leave them to operate as separate entities with their own boards, officers and security programs. For those that choose to merge the entities to gain efficiencies, time is of the essence: the longer it takes to reach those efficiencies, the less value is captured to return to shareholders or company operations.
From an information security standpoint, there are a lot of questions that need to be answered to begin the process of integration:
- What is the risk posture of both entities?
- Which has a more mature security program?
- Have they hardened their technical environment from the inside-out or the outside-in?
- Are there security and privacy risk assessments that have been completed recently that identify focus areas for the security program?
- Have third-party audits or compliance assessments called out deficiencies that elevate the regulatory risk of the organization?
- What information has been communicated to the boards of both companies regarding the top areas of risk they are addressing with their security program initiatives?
Most CIOs and CISOs assume the immediate IT need is to merge the networks so that members of each organization can freely access any company applications necessary for business operations. But connecting the networks of two different companies without a concerted effort to understand all the risks and mitigate them as appropriate can have disastrous consequences, including exposing sensitive data to unauthorized individuals, data theft or a data breach.
But what if you could enable the business to access the applications they need WITHOUT connecting the networks at all?
The concept of a zero-trust model isn't new, but many haven't considered how such a model can be used to mitigate risk and enable business functions in an M&A scenario. The whole concept behind zero trust is to harden application access and give trusted users and devices secure access to applications regardless of whether the user is sitting at their corporate desk or in a Starbucks or McDonalds.
In an M&A scenario, this is exactly what the business needs. The two entities must quickly be able to access each other's applications so they can continue to do business and drive integration activities. Business users really don't care whether the networks are connected as long as they can access the applications they need.
Using technologies such as the capabilities that our Duo Beyond edition offers, companies can provide acquired entities (or the acquiring entity) the trusted access needed to corporate applications without requiring them to “connect” the networks.
Users can be identified and strongly authenticated; the device they're using can be authorized and even authenticated as a corporate-managed device (if desired); and the organization has complete control to create policies around those users, their location and the device being used. Those policies can take actions such as disallowing authentication if, for example, a browser is out of date or a mobile device is jailbroken.
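The policy decision described above, as an added example and not code from this post or from Duo: a small per-application access evaluator that checks strong authentication, device trust (managed, not jailbroken), minimum browser version and, optionally, source network. The application names, policy values, addresses and sample requests are constructed for illustration; the point it shows beyond the text is that a user on an unconnected network (an acquired entity's office or a coffee shop) is allowed or denied purely on user and device attributes, never on whether the two corporate networks are joined.

```python
"""Illustrative zero-trust access policy evaluator (added example, not Duo's product code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple


@dataclass
class Device:
    managed: bool                      # enrolled in corporate device management
    jailbroken: bool                   # rooted / jailbroken mobile device
    browser: str
    browser_version: Tuple[int, int]   # (major, minor)


@dataclass
class AccessRequest:
    user: str
    mfa_passed: bool                   # strong (second-factor) authentication completed
    device: Device
    source_ip: str
    application: str


@dataclass
class AppPolicy:
    require_managed_device: bool
    min_browser_versions: Dict[str, Tuple[int, int]]
    allowed_networks: List[str] = field(default_factory=list)  # empty = any location


@dataclass
class Decision:
    allowed: bool
    reasons: List[str]   # every failed check; empty when allowed


# Constructed sample policies for two hypothetical applications.
POLICIES: Dict[str, AppPolicy] = {
    # Sensitive system: corporate-managed device and a current browser required.
    "erp": AppPolicy(require_managed_device=True,
                     min_browser_versions={"chrome": (120, 0), "firefox": (115, 0)}),
    # Low-sensitivity system: any healthy device, but only from a named office range.
    "intranet": AppPolicy(require_managed_device=False,
                          min_browser_versions={},
                          allowed_networks=["10.20.0.0/16"]),
}


def evaluate(req: AccessRequest, policy: AppPolicy) -> Decision:
    """Apply every check and collect all reasons, so an admin sees the full picture."""
    reasons: List[str] = []
    if not req.mfa_passed:
        reasons.append("user did not complete strong authentication")
    d = req.device
    if d.jailbroken:
        reasons.append("device is jailbroken")
    if policy.require_managed_device and not d.managed:
        reasons.append("application requires a corporate-managed device")
    minimum = policy.min_browser_versions.get(d.browser)
    if minimum is not None and d.browser_version < minimum:
        reasons.append(f"{d.browser} {d.browser_version} is below minimum {minimum}")
    if policy.allowed_networks:
        addr = ip_address(req.source_ip)
        if not any(addr in ip_network(net) for net in policy.allowed_networks):
            reasons.append(f"source address {req.source_ip} is outside allowed networks")
    return Decision(allowed=not reasons, reasons=reasons)


def decide(req: AccessRequest) -> Decision:
    """Look up the policy for the requested application; unknown apps are denied."""
    policy = POLICIES.get(req.application)
    if policy is None:
        return Decision(False, [f"no policy defined for application {req.application!r}"])
    return evaluate(req, policy)


def sample_requests() -> Dict[str, AccessRequest]:
    """Constructed scenarios from an acquired entity's users on a non-connected network."""
    healthy = Device(managed=True, jailbroken=False, browser="chrome", browser_version=(121, 0))
    stale = Device(managed=True, jailbroken=False, browser="chrome", browser_version=(119, 3))
    byod = Device(managed=False, jailbroken=False, browser="firefox", browser_version=(118, 0))
    rooted = Device(managed=True, jailbroken=True, browser="chrome", browser_version=(121, 0))
    return {
        # Coffee-shop address, managed device, MFA done: location alone does not block ERP.
        "erp_from_cafe": AccessRequest("alice@acquired.example", True, healthy, "198.51.100.7", "erp"),
        "erp_stale_browser": AccessRequest("alice@acquired.example", True, stale, "198.51.100.7", "erp"),
        "erp_byod": AccessRequest("bob@acquired.example", True, byod, "10.20.5.9", "erp"),
        "erp_jailbroken": AccessRequest("bob@acquired.example", True, rooted, "10.20.5.9", "erp"),
        "intranet_from_office": AccessRequest("bob@acquired.example", True, byod, "10.20.5.9", "intranet"),
        "intranet_from_cafe": AccessRequest("bob@acquired.example", True, byod, "198.51.100.7", "intranet"),
        "erp_no_mfa": AccessRequest("carol@acquired.example", False, healthy, "10.20.5.9", "erp"),
    }


if __name__ == "__main__":
    for name, req in sample_requests().items():
        result = decide(req)
        print(f"{name:22} -> {'ALLOW' if result.allowed else 'DENY'} {result.reasons}")
```

Because `evaluate` collects every failed check instead of stopping at the first, a denied login reports all the attributes that need fixing (for example both an unmanaged device and an old browser), which is what a help desk handling a wave of newly acquired users wants to see.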
Do you have a merger, acquisition or affiliation in progress or planned for the future? You may want to consider security technology to enable that integration to occur more quickly and more securely.