Your company is in the process of acquiring its biggest competitor. Midway through the deal, critical IP leaks, jeopardizing the value of transaction. Not only is the deal and your investment left hanging in the balance, but you now need to track down who accessed what data, when and where it went.
Scenarios of M&A deals gone bad over insider threat and other cybersecurity issues are more common than you think. According to PwC, four out of five dealmakers said they uncovered data security issues in at least one quarter of their M&A targets in the last two years. Even though cybersecurity issues are on the rise, however, they are not slowing down deals as you might think. A 2019 report from Deloitte found 79 percent of organizations expect merger activity to grow in the coming year, up from 70 percent in 2018.
It’s during M&A when your IP is particularly vulnerable to insider threat. When you consider Deloitte’s estimate that IP can account for as much as 80 percent of a company’s value, it should not be surprising that securing the transition of that data will directly impact the success — or failure — of an M&A deal. To better protect your investment, it’s time for dealmakers to face some brutal truths about M&A and inside threats.
Your company IP is walking out the door.
Data loss “prevention” is an empty promise. The notion that you can trust everyone “inside” your company and prevent your sensitive or confidential data from being exfiltrated or compromised is flawed thinking. According to McKinsey, 50 percent of breaches involved insiders between 2012 and 2019. It’s no longer a matter of whether data leaves, but when it leaves – and it’s leaving every day.
During M&A activities, the chances of data loss or theft run even higher. Uncertain about the future direction of the new company, employees, especially of the sell-side company, will worry about what the deal means for them. Will there be layoffs? Will I lose my job? As difficult as it is to think about, even the best of employees may take actions that are out of character. Sales associates may be tempted to copy customer data as they consider moving to another company. Engineers could transfer code to a personal cloud account thinking it might be useful as they accept an offer for a new job. Not thinking through the full consequences of their actions, human nature takes over; and the next thing you know, IP is walking out the door.
There is a data visibility gap in your technology stack.
When your M&A deal is threatened by data loss or theft, the time it takes to quickly detect, investigate and recover is critical. As a preventative measure, buy-side companies often install data loss prevention (DLP) software on the endpoints of the sell-side company. The software works by putting strict policies in place to block access to certain classes of sensitive data and stop it from leaving the company.
The challenge is these solutions aren’t working. Case in point: McAfee recently announced a lawsuit against three former employees for taking confidential data before they went to work for Tanium, a market rival. If a DLP leader like McAfee didn’t realize that critical data was leaving until months after the damage was already done, why would anyone trust legacy DLP software to keep their data safe? Short answer: they shouldn’t.
Traditional DLP’s narrow rules-based focus on known data risks creates blind spots to unexpected activity. The end result for dealmakers? A lack of visibility to important IP. You might stop a malicious insider from taking PII. However, without visibility to critical IP, such as sales pipelines, forecasts, product roadmaps and source code, the very business data you are acquiring remains vulnerable. And when you buy a company, you should be entitled to all the parts.
Trust no one.
Creating policies that prevent select data from theft and then constantly adjusting them so they don’t block too much or too little is complicated and time consuming. There is a better way to safeguard data and streamline the M&A process — and it works off of two important assumptions.
First, it defines data security not by what you can prevent, but by how fast you can detect and respond to threats. It works based on the premise that all data is important; and it gives organizations complete visibility to where their data lives and moves, and who has access to it.
Second, this next generation approach to DLP assumes that you trust no one when protecting your data from loss, leak or theft. The trustworthiness of the employee is not a factor because the technology works at the data level instead of the user level, tracking and monitoring all activity from endpoints to the cloud.
In an M&A situation, you want to ensure you can safeguard all the data you are paying for. The brutal truth is many companies entering M&A deals today are unable to answer basic questions about IP before, during and even after a deal. What data do you have and where? Who has or had the data? When is data leaving? And what data is leaving? Without the right tools to help you answer these questions, you are leaving your business and next M&A deal vulnerable to insider threat.
