By: Tim Marley, VP of Risk Advisory Services, Cerberus Security
Industry-wide disruptions caused by the Covid-19 pandemic continue to reshape the economic landscape, as the lingering effects of business closures, consolidations, and acquisitions have touched all aspects of modern life and business. Telework and work-from-home arrangements have accelerated since 2020, not only redefining office culture but also increasing the need for a robust IT infrastructure capable of protecting company, client, and employee data. Since remote work is here to stay, increased security and functionality are integral to successful operations.
Not only have many organizations embraced nontraditional work models, but many are making significant strategic shifts to accommodate a very changed market, including selling or acquiring businesses. Any transition or expansion of a company's network calls for an evaluation of best practices, and it is also critical to have a cybersecurity checklist to help you lower risk, ensure data integrity, and maintain compliance.
What should your checklist include?
Depending on the type of transition, the core focus should be on compliance, regulations, security, and privacy. Even a company that has dissolved leaves behind a great deal of sensitive and/or personal data, and in most cases the closed or acquiring business remains the custodian of those records.
The Acquisition Cybersecurity Checklist
If your organization is purchasing another business, there are strategic moves to make before, during, and after the acquisition. This cybersecurity assessment should play a significant role in how you bring the company into the fold.
What to Do Pre-Acquisition
- Perform an IT-focused risk assessment or audit: Engage third-party experts to thoroughly evaluate the target's IT operations from a cybersecurity perspective.
- Dissect the risk profile: After the assessment, dig into the risk profile to determine the maturity of the target's cybersecurity program and identify critical gaps.
- Consider any legal or compliance requirements: Depending on the industry and location, review the assessment to determine compliance with applicable regulatory requirements (e.g., PCI DSS, HIPAA, NERC CIP, CMMC).
What to Do During the Acquisition
- Review the policies in place for incident response, business continuity, and disaster recovery, if available.
- Develop an asset inventory that identifies all physical and virtual hardware, software, data, and other assets that support IT operations.
- Check the physical security measures protecting assets on-premises and those in co-location data centers.
- Determine what, if any, access controls are in place.
- Create a plan to integrate, migrate, or consolidate the IT infrastructure. You’ll need a detailed plan on how you’ll move data and applications from their control to yours. Alternatively, you may decide they should remain separate but weigh the options of this in terms of accessibility and costs.
What to Do Post-Acquisition
- Adjust governance for employees through organizational mission alignment, security policies and procedures, cybersecurity training, and role-based access.
- Conduct ongoing assessments scoped for cybersecurity and strengthen existing programs so that employees understand and follow requirements. Use the results to establish a baseline for information security, with roadmaps for continual improvement.
The Consolidation Cybersecurity Checklist
Consolidation and downscaling are occurring in the business world for several reasons. One of the most common is companies changing their work models. After the urgency to send employees home to work, organizations have realized this model works and can reduce overhead costs. As a result, they need to consolidate and centralize their cybersecurity practices.
Here are some items that should be on your consolidation cybersecurity checklist:
- Determine which assets or locations you can decommission, how to retire them safely, and how to migrate any data from on-premises servers securely.
- Review or create remote work guidelines to ensure that IT teams can manage cybersecurity risk in a distributed or hybrid model.
- Educate employees on how to work “from anywhere” in a secure manner.
- Decide how you’ll archive applications and data so that it’s secure and still accessible if necessary.
- Evaluate any new requirements to make a remote model more sustainable, including moving file sharing, platforms, and applications to the cloud if they aren’t there already. Weigh options of bundling to simplify cybersecurity and reduce costs.
The Business Closure Cybersecurity Checklist
When a business closes or files for bankruptcy, what happens to all the digital assets? What you do during the subsequent liquidation of assets has much to do with the kind of data you house.
In the case of regulatory mandates on record-keeping, you still have the responsibility to keep those records secure. A cybersecurity checklist for this kind of business closure would include:
- Identify the data retention period for all records.
- Identify an archiving solution that allows you to migrate data securely.
- Ensure that regulatory bodies and patients/customers have a means to request documents.
- Decommission all software systems that contain sensitive information in a safe manner that aligns with cybersecurity best practices.
Non-Regulated Business Closure Cybersecurity Requirements
If your business doesn't fall into the regulated arena, that doesn't mean you can simply turn everything off and walk away. You likely still hold personal or protected information about customers, which could include transaction details. Such data is highly attractive to attackers if left in place, and a breach after closure can still create legal liability.
Here’s what you should include in your checklist:
- Document all systems that contain data, including cloud and SaaS platforms as well as on-premises systems.
- Work with the platforms you use to delete or securely archive the data they hold.
- Sanitize all physical technology assets such as laptops and servers by wiping or destroying their storage media so that sensitive data cannot be recovered.
- Disable every access path into internal platforms, including remote access, service accounts, and API keys, and revoke the associated credentials.
Business Transitions Should Always Include a Conversation about Cybersecurity Culture
Any major business change—acquisitions, consolidations, or closures—should include cybersecurity in the conversation. And it’s important to keep the conversation going. A culture of cybersecurity helps place data security as part of the ideological framework of how your organization functions. In an increasingly digital world, your data assets are just as important as physical ones. Using these checklists as a guide to navigate your transition ensures security is always top of mind.
Need help with a business transition cybersecurity plan? Our experts are here to help.