Eduard Meelhuysen, VP EMEA, Netskope
The first half of 2015 saw a 38% global increase in M&A activity over the same period in 2014. With acquisitions booming, challenges around IT integration arising from M&A are more prevalent and more important than ever. Serious technology issues, for example difficulties in integrating core IT infrastructure, have even derailed major deals in the past.
Even for successful deals which make it past these early technology hurdles, there are still IT challenges ahead. In addition to the integration of core infrastructure, there can be difficulties at the employee level around data security. The increased use of sanctioned and unsanctioned cloud apps is one example of such a challenge. The latest Netskope Cloud Report found that there are now 483 cloud apps in use within the average organisation. With hundreds of cloud apps in use on either side of any deal, this number is always likely to swell significantly when two companies merge or one company acquires another.
In order to protect their data and ensure compliance, especially in highly-regulated industries such as financial services, companies need a complete picture of what data they have in the cloud. An acquisition makes this picture twice as big and potentially twice as complex, and the number of cloud apps can increase exponentially in the new legal entity created by the deal – creating a mass of data sprawling across hundreds and hundreds of cloud apps.
Cloud storage is the second most popular cloud app category (behind marketing apps), and worryingly there are no guarantees that these apps are secure. In fact, the Cloud Report found that 69% of cloud storage apps were not “enterprise ready”, scoring a “medium” or below on the Netskope Cloud Confidence Index.
So what practical steps can companies take as they merge to address the challenges posed by cloud app use, especially that of cloud storage apps? How can IT build a picture of what storage apps are in use, and discover what data exists, and where data are located? How can IT consolidate the apps in use by both firms in an acquisition, and steer users towards sanctioned apps and away from less secure alternatives? Any acquiring firm needs a practical strategy to get the new, larger entity’s cloud apps in order.
Here are five practical steps for companies looking to safely enable cloud storage apps:
- Safeguard sensitive data in corporate cloud storage
According to Netskope data, 8% of files in corporate cloud storage apps violate a data policy or something of similar value or importance. For highly-regulated industries in particular, employees breaching compliance by uploading customer information or financial data into unsanctioned cloud apps could result in hefty fines.
Corporate cloud storage solutions such as Google Drive, Egnyte, Dropbox, Box or Microsoft OneDrive can act as a master repository for company data and can help solve the problem of employees using potentially unsafe apps to store corporate data and share data with colleagues.
- Standardise on a single storage app (or at least reduce the number in use)
Once an M&A deal is concluded, companies should try to harmonise on the same cloud storage provider. This may require a degree of compromise, but even so the benefits far outweigh the costs.
The company should choose a single solution based on employees’ views and organisational requirements, then coach employees on the selected app to ensure 100% uptake and ongoing use.
Of the 37 cloud storage apps in the average enterprise, just over one third are enterprise-ready. This figure is based on Netskope’s Cloud Confidence Index, a set of objective criteria adapted from the Cloud Security Alliance checklist of security, auditability, and business continuity measures.
- Monitor cloud storage app usage
As well as working out which apps are in use by employees, organisations should also monitor activity within these apps – uploads, downloads, shares, etc. – to develop a view of the risks posed. This means deploying a platform across both parties to the deal in order to monitor data in transit to and from corporate apps, as well as keeping a watchful eye on activity in and around unsanctioned apps.
It’s also important to monitor for any risky or unusual activity, which means building a picture of what “normal” looks like – because unless you know that, it’s next to impossible to spot anomalous activity.
Watch out for app access from employees who have had credentials compromised in a data breach: do you know that the person accessing the cloud storage app is really your employee? Could it be a hacker using credentials stolen in a data breach of another system?
- Secure the ecosystem
The ecosystem of apps around corporate cloud storage apps should also be controlled. Ecosystem apps are those which sit around other master apps to enable greater functionality, such as secure document signing apps which might join onto a customer relationship management (CRM) system, or project management tools or data visualisation portals.
There are tens of necessary apps in any organisation’s cloud which help the business run more smoothly, and again after a deal this number is likely to swell – doubling the surface for potential attacks or breaches.
To make matters worse, some of these apps likely lack enterprise-grade security. If apps haven’t been provisioned by IT, then managing them or enforcing policy to control their use becomes more difficult. Close collaboration between IT teams is required here because one firm’s IT team won’t automatically know which of the other party’s cloud apps are sanctioned by IT, and which have been brought into the business without IT’s permission.
- Think of your users as clients or partners
Like it or not, most employees don’t have much interest in security. So if IT can take responsibility away from users, employees can work however they want without risk. Enabling this culture means allowing the business to operate freely, but ensuring that the IT department leads on any security decisions. It’s difficult to create a culture in a newly-created business quickly after a deal, but explaining the importance of good security practices to all users will be a key step.
In reality, taking the responsibility away from users means that once the businesses have aligned on their chosen cloud storage app, IT would then set and enforce granular policies to ensure it’s used securely. One example would be blocking the upload of files which contain certain types of data, such as customer names and addresses. This empowers employees to use their own work styles without putting data at risk. However, watch out for conflicting policies in the two parties to an acquisition as any such conflicts will need to be resolved to create a harmonised set of rules across the new entity.
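The reconciliation described in the last two steps can be sketched as follows. This is an added example, not code from the article or from Netskope: it compares two firms' app inventories to surface apps only one IT team has reviewed, apps the two teams disagree on, and upload-blocking rules that differ. The app names, data-type labels and the "strictest rule wins" merge are assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRecord:
    sanctioned: bool                                   # provisioned by that firm's IT?
    blocked_upload_types: frozenset = frozenset()      # data types blocked on upload


def reconcile(acquirer, target):
    """Compare two inventories (dict: app name -> AppRecord) after a deal."""
    report = {"unreviewed": [], "sanction_conflicts": [],
              "policy_conflicts": {}, "harmonised": {}}
    for app in sorted(set(acquirer) | set(target)):
        a, t = acquirer.get(app), target.get(app)
        if a is None or t is None:
            # Only one firm uses this app, so the other IT team has no stance on it.
            report["unreviewed"].append(app)
        elif a.sanctioned != t.sanctioned:
            # Sanctioned on one side, shadow IT on the other: needs a joint decision.
            report["sanction_conflicts"].append(app)
        elif a.sanctioned:
            differing = a.blocked_upload_types ^ t.blocked_upload_types
            if differing:
                report["policy_conflicts"][app] = sorted(differing)
            # Assumption: the harmonised rule set is the union (strictest wins).
            report["harmonised"][app] = sorted(
                a.blocked_upload_types | t.blocked_upload_types)
    return report


# Constructed sample inventories; names and data-type labels are hypothetical.
ACQUIRER = {
    "storage-a": AppRecord(True, frozenset({"customer_name", "customer_address"})),
    "storage-b": AppRecord(False),
    "esign-x": AppRecord(True, frozenset({"financial_data"})),
}
TARGET = {
    "storage-a": AppRecord(True, frozenset({"customer_name"})),
    "storage-b": AppRecord(True, frozenset({"financial_data"})),
    "viz-z": AppRecord(True),
}

if __name__ == "__main__":
    for section, items in reconcile(ACQUIRER, TARGET).items():
        print(f"{section}: {items}")
```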
With so much regulation already putting intense pressure and scrutiny on highly-regulated industries like financial services, the task of consolidating two companies’ cloud storage stances after M&A activity may seem daunting. But with the European General Data Protection Regulation set to become law in 2017, a merger can be a good opportunity for enterprises to get ahead of the game and get a firm grip on their data storage.
In all the uncertainty swirling around the maelstrom that is a newly-closed deal, one thing is certain: IT teams are going to be very busy indeed. But ensuring cloud storage app use is safely enabled now is an investment in the future, and will be a major step towards avoiding loss of reputation and penalties further down the line.