A major manufacturer buys an up-and-coming competitor. They combine financials, marketing goals, corporate strategies and computer networks. They throw parties. They hold press conferences and change corporate titles.

The one thing they usually forget to do is align network security systems -- and that could be the most dangerous misalignment of all.

Corporate acquisitions and mergers, while good for the bottom line, often end up being a security nightmare, according to industry analysts. Contractors for one company now have instant access to the newly configured corporate network. Workers at one company may have gone through lengthy background checks, while workers at the second company sailed in without anyone looking into their criminal and financial history. New workers may automatically receive wide-ranging network privileges, giving them easy access to critical information and systems that they don't have any real business touching.

"When you try to merge two networks together, the chain has so many weak links in it that you run into all sorts of vulnerabilities," says Dan Woolley, vice president at Reston, Va.-based SilentRunner Inc., a wholly owned subsidiary of Raytheon. "If you don't know who is touching those networks, you have countless risks. Any time you open up your network, you have no idea what is going on. You could have thefts, misuse and takedowns. All of your fears could actually come to fruition."

A big part of the problem, according to analysts, is that corporate executives often want the major systems up and running as fast as they can. Taking the time to check out security would slow the process and cost them production time -- ignoring the heavy prices they'll pay if their networks are compromised, systems are damaged or critical information is stolen.

"They're only looking at the main systems that they need working so the business will run," says Woolley. "They want to know if the finance systems are working. Are email systems working? Are the manufacturing systems working? They forget about all the people who are touching the network. Have they tested the security software on the new system? Have they looked at who's been hired and who has access to what? No. They don't take the time."

And a lot of executives don't take the time to worry about security because they're under the gun to get systems running and turn a profit, says Ed Busch, a security consultant with his own firm, Integrated Security Concepts LLC, based in Walkersville, Md.

"You've got to get the products moving. You've got to make money," points out Busch. "The CFO is often the primary problem because he's thinking about the bottom line. We've got to get the widgets out the door. We'll worry about security later."

But IT administrators and security officers need to worry about security before the first step of the integration is even taken.

Background checks of all new employees need to be one of the first steps, according to Busch. Security officers should check with HR at the acquired company to find out if security checks were ever performed, how frequently they're repeated and how stringent they are.

"For about $100 a person you can get a pretty good warm fuzzy that the person is who they say they are and that they're trustworthy," says Busch. "And you need to look at how the other company handles data. Don't do all of this two days after acquisition and not two days after you have the systems working together. Security has to be day one. You need to get the two companies at the same level of security."

Woolley recommends that IT managers draw themselves a detailed map of the acquired system.

"First, you better know what the network looks like," he says. "What are the protocols being used? Policies in place? What are the policies surrounding network access? What companies, contractors, consultants does the network connect with? What are they allowed to access?"

Here are some tips from both Woolley and Busch on integrating systems securely:

  • Make sure you know what protocols both systems are using so one firewall doesn't filter out a protocol that another system depends on;
  • Make sure all employees have undergone a background check and find out how stringent the check was. It's generally a good idea to do an annual check of all employees;
  • Check the network access rights of every employee and give each person specific rights to only the parts of the network that he needs to access;
  • Make sure every new employee is trained in the company's security policies and signs on to them;
  • Extend intrusion detection and software monitoring systems to cover the new and larger network;
  • Map out network traffic;
  • Know what contractors, subcontractors, consultants, business partners and supply houses have access to the networks and restrict it to only necessary privileges;
  • Know what security policies are in place;
  • Train employees in all new policies and have them sign off on them;
  • Make sure the two companies' security policies and procedures are compatible;
  • Make sure firewall policies and reporting systems are consistent across both networks;
  • Do a security analysis and vulnerability test of the combined system.
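Two of the tips above (reconciling protocols against the firewall, and trimming access rights to what each person's job needs) can be turned into mechanical checks before the networks are joined. The following Python script is an added example, not code from the article or from either consultant. All firewall rules, traffic flows, roles and grants in it are constructed for illustration, and the first-match, default-deny rule evaluation is a simplification of a real firewall's rule processing.

```python
"""Pre-merge checks: flows the acquirer's firewall would block, and
accounts granted more than their role allows.  Example code; all data
below is constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    proto: str           # "tcp", "udp" or "any"
    port: Optional[int]  # None matches every port
    src: str             # CIDR of permitted sources
    dst: str             # CIDR of permitted destinations


@dataclass(frozen=True)
class Flow:
    name: str            # what the acquired business uses it for
    proto: str
    port: int
    src: str             # single host address
    dst: str


def matches(rule: Rule, flow: Flow) -> bool:
    """True if the rule's protocol, port and address ranges cover the flow."""
    if rule.proto != "any" and rule.proto != flow.proto:
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    return (ip_address(flow.src) in ip_network(rule.src)
            and ip_address(flow.dst) in ip_network(rule.dst))


def decide(rules: list[Rule], flow: Flow) -> str:
    """First matching rule wins; a flow no rule matches is denied."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action
    return "deny"


def blocked_flows(rules: list[Rule], flows: list[Flow]) -> list[str]:
    """Names of the acquired company's flows the acquirer's policy would cut off."""
    return [f.name for f in flows if decide(rules, f) == "deny"]


def excess_grants(role_entitlements: dict, grants: list) -> dict:
    """Map each principal to resources granted beyond what their role entitles."""
    findings = {}
    for principal, role, granted in grants:
        extra = set(granted) - role_entitlements.get(role, set())
        if extra:
            findings[principal] = extra
    return findings


# Constructed acquirer policy: HTTPS anywhere inside 10/8, SMTP to the
# mail-relay subnet only, everything else dropped.
ACQUIRER_RULES = [
    Rule("allow", "tcp", 443, "10.0.0.0/8", "10.0.0.0/8"),
    Rule("allow", "tcp", 25, "10.0.0.0/8", "10.1.2.0/24"),
    Rule("deny", "any", None, "0.0.0.0/0", "0.0.0.0/0"),
]

# Constructed inventory of what the acquired network actually uses
# (the "map of the acquired system" the article recommends drawing).
ACQUIRED_FLOWS = [
    Flow("web portal", "tcp", 443, "10.20.5.7", "10.1.10.3"),
    Flow("plant-floor SNMP polling", "udp", 161, "10.20.1.9", "10.20.3.40"),
    Flow("legacy file shares", "tcp", 445, "10.20.5.7", "10.1.10.8"),
    Flow("mail relay", "tcp", 25, "10.20.2.2", "10.1.2.10"),
]

# Constructed role-to-resource entitlements and the grants found in the
# acquired company's directory.
ROLE_ENTITLEMENTS = {
    "engineer": {"source-repo", "build-farm"},
    "contractor-qa": {"test-lab"},
    "finance": {"erp", "payroll"},
}
GRANTS = [
    ("alice", "engineer", {"source-repo", "build-farm"}),
    ("bob", "contractor-qa", {"test-lab", "source-repo", "erp"}),
    ("carol", "finance", {"erp", "payroll"}),
]

if __name__ == "__main__":
    for name in blocked_flows(ACQUIRER_RULES, ACQUIRED_FLOWS):
        print(f"would be blocked after cutover: {name}")
    for who, extra in excess_grants(ROLE_ENTITLEMENTS, GRANTS).items():
        print(f"{who} holds access beyond role: {sorted(extra)}")
```

Each blocked flow is a decision to make before cutover, not after: either the acquirer's policy gets a narrow rule for it, or the service is retired. Each excess grant is an account to trim, and contractor accounts like the one flagged here are the ones the article says most often slip through.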