Initial public offerings (IPOs) and mergers and acquisitions (M&As) are major celebratory milestones throughout a company’s lifecycle. However, amid all the planning, organizing, and celebrating, insider risk to corporate data is amplified during these times.
Defined as any user-driven data exposure event that’s malicious, negligent, or accidental in nature, insider risk is often triggered during times of organizational change, such as pre/post-M&A or an IPO. There are countless opportunities for valuable data and sensitive intellectual property (IP) to be exposed. These include merging systems and employees following an acquisition.
With that in mind, organizations that are going through these milestones need to turn their attention to protecting sensitive data before it’s too late.
Pre-IPO: Data visibility to protect valuable IP
Imagine this: You are preparing for your IPO, and as part of the process, you realize you don’t have full visibility into your data. With intangible assets such as IP being responsible for 90% of all business value, data protection and visibility become much more of a concern, and you have limited time in which to address them.
If sensitive customer data or trade secrets get out during the planning phases, the impact on investors and shareholders could be lasting, not to mention the long-term damage to brand and reputation.
As companies prepare for their next phases of growth, they must examine their insider risk strategies and address existing gaps in their programs. Visibility into data activity—where it’s going, who is engaging with it, how it is being shared—coupled with an understanding of what data is at greatest risk for exfiltration gives teams assurance as the company evolves and grows.
M&A: Addressing IP blind spots
Last year, M&A deals exceeded 62,000 globally, up 24% from 2020, according to consultancy PwC. This level of activity is expected to continue, as access to capital remains high and business leaders look to grow their market share. An acquisition may move the needle for a company in regard to its competitive advantage; however, the risk of a data leak is also heightened as two companies integrate their systems and transfer data.
As new teams form, employee roles shift, and new technologies are rolled out, team members and contractors are connecting to organizations and accessing sensitive IP in new and unfamiliar ways. Decisions are made about which collaboration platform to use. Data is consolidated.
And we often see instances of data being accessible to employees or third-party contractors who shouldn’t have access. In some situations, employee access gets revoked unintentionally, which limits productivity and results in employees breaking policies and using unapproved solutions to complete a task and simply get their job done. It is during these times of transition that the risk of data exposure is elevated to new levels.
To effectively protect against insider risk during these times of transition, organizations must embrace the fact that the traditional concept of a secure digital perimeter is long gone. Business leaders need to implement a risk-based approach to reduce data loss through their data protection strategy.
Policy-based prevention approaches, including data loss prevention (DLP) and cloud access security brokers (CASBs), simply can’t keep up. The focus should be on prioritizing the activities that actually represent risk, allowing teams to work how they need to work, on any network, without disrupting business operations.
Post IPO: Prep for employees, and data, to leave
Regardless of how excited employees are about an IPO or how successful the listing is, business leaders need to prepare themselves for employees leaving after the fact. On average, 2.3% of employees leave their employer in the three years post-IPO filing, according to a recent research paper.
Following Facebook’s IPO in 2012, the company saw many of its executive and team leaders leave. While the reasons for their departures varied, many noted that post-IPO the company felt too big to meet their needs professionally and limited their ability to connect with team members. Others wanted to return to their entrepreneurial roots and work for smaller companies where they could learn new skills and help build a company’s future.
As resignation notices come in post-IPO, business leaders must consider what departing employees are taking with them regarding sensitive and proprietary data. Today, many employees feel a much stronger sense of ownership over their work, and as such may feel that data sets, presentations, and research documents actually belong to them as well as to the company they work for. This is one reason why we see a heightened correlation between departing employees and employee-driven data exposure events.
New research from my employer, Code42, indicates that there is a one in three chance that a departing employee will take your company’s sensitive IP with them.
The importance of security-based off-boarding
With 4.4 million Americans quitting their jobs in February, according to the US Bureau of Labor Statistics, companies must take a proactive approach to securing data. One way to do this is to incorporate security awareness training in your employee off-boarding.
We often hear about the importance of incorporating this training into the on-boarding process with new employees, but it’s just as important during off-boarding. Most employees who take data do so long before their two-week notice, so reiterating company policies can help keep data from leaving an organization. Without the right data protection tools and strategies baked into the off-boarding process, many employees will walk out the door with data.
Redefining how we protect our IP
Proprietary data and sensitive IP are the backbone of any organization. They are what set an organization apart and give it a competitive edge. As your company prepares for major milestones throughout its lifecycle, there are countless opportunities for data to be exposed and unintentionally exfiltrated.
To effectively detect IP theft before trade secrets walk out the door, businesses need to reexamine data security strategies to make sure they’re considering the way we work today and not limited by tools designed for the way we worked before. Over half (55%) of leaders are concerned their employees have become lax with their cybersecurity practices in today’s hybrid-remote work environment, according to new data from my employer, Code42.
The current reshaping of “normal” in modern workplaces presents major opportunities to reimagine and redefine everything from when and where we work, to how we protect and support work, wherever it’s happening. I hope you seize that opportunity.