How to avoid “the people pitfalls” of IT during post-merger integration

Blog

Securing the mobile user: Challenges for the acquirer

It’s tricky enough to perform post-merger integration or PMI between the IT systems of the acquiring company (let’s call them “Company A”) and the acquired (“Company B”). It gets a lot trickier when you’re trying to secure widely scattered mobile devices—and the people who rely on them.

In this article, we’ll share some best practices, some social/psychological tips, and a few war stories from our vast experience in this realm. And it is vast: We’ve performed PMI operations for thousands of mobile devices and their users, supporting $4 billion in acquisitions.

What is “mobile computing”?

We don’t like to assume that everyone has the same definition. So let’s start with ours: We define “mobile computing,” as it pertains to PMI, as “anything wireless or portable that has access to company data.”

That definition should instantly make you nervous. That’s because it includes a veritable Wild West of laptops, wifi-connected desktop machines, phones, tablets… you name it. They’re wireless. They’re portable. They can access vital company data. In a word, they’re a massive security risk.

What to look for when securing mobile computing

Before you start auditing Company B, make sure you’re up to speed on Company A. Most large enterprises these days will promulgate, through an enterprise risk-management plan, specific requirements, checklists, and standards for all devices that access company data. That will make your job easier.

(If that list doesn’t exist, it’s time to create one. Feel free to download our handy Pre-/Post-Merger Integration IT checklist for some good pointers.)

Requirements in hand, you need to take a broad perspective. You need to identify anything and everything in Company B’s mobile environment. It could be a wireless printer, tablet, or Bluetooth device. It could be something as innocent-looking as USB-connected “sneakerware” (a portable flash drive, after all, is pretty darned mobile). Don’t be afraid to ask: “Do you have anything in the Company B environment that’s not on our approved list?”

Not that you shouldn’t trust the answers you get, but… don’t. A healthy dose of tech-backed paranoia will aid you in your mission. When we help Company A to acquire Company B, we deploy our security team on-site, armed with scanners that can flag the latest vulnerabilities in a pre-defined, regularly-updated database. In addition to performing detailed scans of the network, we’re also mindful to audit the various areas and types of mobile devices. We’ll ask questions like:

  • How many laptops?
  • How many types?
  • How does Company B define “mobile”?
  • Is their definition of “mobile” less comprehensive than Company A’s? (Are they thinking of those USB flash drives and “sneakerware”?)

We’ll also ask: “Do they have a policy and well-defined process for someone who brings in their own personal laptop or mobile phone?” That’s important, because if those people access the corporate wi-fi, and their laptop is infected, anything on it could be propagated through the enterprise. Which leads to yet another question we’ll ask: “How are you protecting your networks against people bringing in mobile devices, to address guests or vendors who visit the corporate offices?”

The point is that “securing mobile” goes far beyond “network scans.” It means diving deep, looking for context, and probing with the right questions.

Securing a scattered workforce

We’ve seen IT environments that don’t require an end-user, such as a sales rep traveling with his or her laptop, to securely log into the corporate network before browsing the internet on publicly-available wi-fi, such as can be found in an airport, a hotel, or local Starbucks. This sacrifices a secure connection, so we’ll question the policy: “Why aren’t you requiring your remote people to securely connect before browsing the internet?”

Depending upon the acquiring company’s platforms and how they’re configured, they’ll often require that mobile devices connect to the “mother network” for security patches and updates; this becomes all the more important when you’re dealing with geographically-dispersed employees, like those just mentioned. We’ve seen, unfortunately, environments where that’s the policy… yet a device hasn’t been updated for six months. How often, we must ask, has Company B randomly selected and spot-checked hardware? How do they know that that update actually made its way to that remote traveler’s laptop? You don’t want that person to serve as a gateway to corporate infection.

Bringing everyone up to spec

When we help Company A integrate Company B, we’ll often be tasked with performing a “hardware refresh” for Company B’s mobile devices.

That’s a lot more involved than it sounds. It doesn’t mean refurbishing those employees’ devices. Rather, it means recycling them (in an environmentally-friendly way), after replacing them with all-new hardware. It may sound expensive, but when you factor in 1) the problems of bringing older hardware up to current standards, 2) the security risks involved, and 3) the diminishing return of time/productivity loss for an end-user during a laborious refurbish attempt (not to mention the efforts of a tech person trying to update, say, a thousand machines), you can quickly see why this gets done. Don’t be penny-wise and pound-foolish. Just buy them a new machine. Especially in the world of M&A, time is money.

Overcoming irrational connections

If you were paying careful attention to the scenario we just described, you probably noticed one part of the process that poses an often-high psychological hurdle: The relinquishing of employees’ very personal devices.

People live by, and often love, their mobile devices. It’s like a connection to a favorite car or a family home. Relinquishing it means change, which can seem daunting, painful, and scary. Not surprisingly, they’re reluctant to hand them over.

This is more than a hardware issue. In the realm of acquisitions, it’s a vital employee retention issue and requires a firm but gentle hand. We start by introducing the Company B employees to the new Company A solutions for getting through their workday. (“How are you doing things today? Tell us what you like about your current setup.” Build up the “why.”) Often, the Company A solution is better, and we’re quick to highlight the added benefits so we reach a win-win relationship. So it’s part coaxing, part “collaborationship.” We’ll work hand-in-hand with the leadership of Companies A and B in order to deliver a new and improved experience, so that the Company B people are delighted to be part of this exciting new venture—not disillusioned and heading for the exit.

M&A value creation happens when you address technology considerations and deliver an empowering experience to the people who use that technology.

Need help with mobile PMI? Contact us today for a no-obligation initial consultation today.