2020 has upended the economy, prompting many business closures, consolidations, and acquisitions. When a company transitions in any of these ways, it’s critical to have a cybersecurity checklist to lower risk and ensure data is secure.
What should your checklist include? It depends on the type of transition of the organization. At the core of each is the focus on compliance, regulations, security, and privacy. Even if a company doesn’t exist any longer, it still leaves behind lots of sensitive and/or personal data. In most cases, the closed or acquiring business still must be a custodian of those records.
The Acquisition Cybersecurity Checklist
If your organization is purchasing another business, there are key moves to make before, during, and after the acquisition. This cybersecurity assessment should play a big role in how you bring the company into the fold.
What to Do Pre-Acquisition
- Perform a risk assessment or security audit: Engage third-party experts to thoroughly evaluate IT operations from a cybersecurity perspective.
- Dissect the risk profile: After the assessment, dig into the risk profile to determine the organization's level of cybersecurity maturity and its critical gaps.
- Consider any legal or compliance requirements: Depending on the industry and location, review the assessment to determine compliance with regulatory requirements (e.g., HIPAA for healthcare).
What to Do During the Acquisition
- Review the policies in place for incident response, business continuity, and disaster recovery, if available.
- Develop an asset inventory that captures all physical, logical, software, and other assets related to IT operations.
- Check on physical security measures related to assets on-prem and those in co-location data centers.
- Determine what, if any, access controls are in place.
- Create a plan to integrate, migrate, or consolidate the IT infrastructure. You’ll need a detailed plan for how you’ll move data and applications from their control to yours. Alternatively, you may decide the environments should remain separate, but weigh that option against accessibility and cost.
What to Do Post-Acquisition
- Adjust governance for employees via standard security policies, cybersecurity training, and permission-based access.
- Conduct ongoing cybersecurity assessments and enrich current programs to ensure employees understand and follow requirements. Establish a baseline for information security, with roadmaps for continual enhancement.
The Consolidation Cybersecurity Checklist
Consolidation and downscaling are occurring right now in the business world for several reasons. One of the most common is companies changing their work models. After the urgency of sending employees home to work, organizations are realizing this model works and can reduce overhead costs. As a result, they need to consolidate and centralize their cybersecurity practices.
Here are some of the items that should be on your consolidation cybersecurity checklist:
- Determine which assets or locations you can decommission, how to handle the decommissioning, and how to migrate any data from on-prem servers securely.
- Review or create remote work guidelines to ensure that IT teams can manage cybersecurity risk in a distributed model.
- Educate employees on how to work from anywhere securely.
- Decide how you’ll archive applications and data so that they remain secure and still accessible if necessary.
- Evaluate any new requirements to make a remote model more sustainable, including moving file sharing, platforms, and applications to the cloud if they aren’t there already. Weigh bundling options that simplify cybersecurity and reduce costs.
The Business Closure Cybersecurity Checklist
When a business closes or files for bankruptcy, what happens to all the digital assets? What you do at this time has much to do with the kind of data you house. For example, healthcare entities that close still have an obligation to be the custodian of medical records for a certain period of time, which varies by state but is typically seven to 10 years from the record creation. Financial institutions that close also have regulatory requirements for record-keeping.
In the case of regulatory mandates on record-keeping, you still have the responsibility to keep those records secure. A cybersecurity checklist for this kind of business closure would include:
- Identifying how long you must retain records
- Finding an archiving solution that allows you to migrate data securely
- Ensuring that regulatory bodies or patients/customers have the means to request documents
- Decommissioning all software systems that contain sensitive information in a safe way that aligns with cybersecurity best practices
Non-Regulated Business Closure Cybersecurity Requirements
If your business doesn’t fall into the regulated arena, that doesn’t mean you just turn everything off and walk away. You likely still have personal or protected information about customers, which could include transaction details. Such data would be highly attractive to hackers if you simply leave it as is, which could lead to legal liability should a breach occur.
Here’s what you should include in your checklist:
- Document all systems that contain data.
- Work with the platforms you use to securely delete or archive the data they hold.
- Sanitize all physical technology assets, such as laptops and servers, to remove any sensitive data.
- Make sure that all access points to internal platforms are disabled and no longer reachable.
Business Transitions Should Always Include Cybersecurity Awareness
Any major business change—acquisitions, consolidations, and closures—should include cybersecurity in the conversation. In an increasingly digital world, your data assets are just as important as physical ones. Use these checklists as a guide to navigate your transition to ensure security is always top of mind.
Need help with a business transition cybersecurity plan? Our experts can help. Contact us today to learn more.