The period right after an acquisition closes is, for several reasons, the most dangerous time for enterprise security and the most productive one for attackers. The dilemma: Should enterprises sharply shorten this holding period, or reinforce the new unit’s defenses for its duration?
The danger is part technological and part psychological. During this holding period, which can run anywhere from a few months to more than a year, the security defenses of the acquired organization almost always degrade, security specialists pointed out.
They point to three distinct reasons for that cybersecurity weakening.
Fear of upgrading or purchasing any new security tech. Managers are hesitant to invest because they don’t know what the new parent company will decide, and they don’t want to waste money.
Talented security people leave, along with the best people in every business unit. They are worried about being laid off, so they take whatever offers they can find. Compounding this is the fact that management is hesitant to replace some of those people until integration decisions are made.
Distractions. Until layoffs and integration decisions are made, the workforce is distracted and nervous. That makes them ripe for being conned by attackers looking to steal money, IP, and credentials.
A massive problem
Craig Hoffman, the co-leader of the law firm BakerHostetler’s national digital risk advisory and cybersecurity team, said that he realized how massive a security problem this was as his team was working on their 2025 data security incident response report, which was published Tuesday.
One of the key takeaways from that report is that there has been a sharp increase in enterprise wire fraud attacks. “The total amount of fraudulent transfers grew from $35 million in 2023 to $109 million in 2024,” the report noted.
A big chunk of that wire fraud increase came from attackers leveraging the post-acquisition holding periods, Hoffman said.
“We have seen [holding patterns] with multi-year plans: ‘We are not integrating you until you upgrade. We’ll run you but you operate separately so you can’t infect our network,’” Hoffman said, paraphrasing executives from acquiring companies.
Hoffman added that the combination of talent losses, technology delays, and nervous, distracted employees creates the perfect storm for attackers.
And given the AI-fueled deepfake attacks that are so popular with cyberthieves these days, on top of the fact that employees are not yet familiar with their new owner’s executives, the potential for tricking employees into making fraudulent wire transfers is significant.
“Most threat actors are opportunistic. [Employees of the acquired company] see organizational latency while they are waiting to see what the new owner will ask of them,” Hoffman said. Then those acquired employees say, “I don’t want to buy a new [security tool] if we are going to ultimately have to use [the acquiring company’s] tool. I am not going to upgrade while I wait for you to figure it all out.”
Advice from experts
Various cybersecurity specialists, including former enterprise CISOs, agreed that they have seen this pattern increase in recent years. What they disagreed on, however, is how to fix it.
Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said he advises clients to “accelerate the integration as much as possible. Leaving their tech team in limbo is a risky proposition.”
“You cannot afford to take your time to perform that analysis. You need to do post-due-diligence onboarding as soon as possible,” Jean-Louis said. “You need to anticipate that you don’t have the full picture.”
Steve Zalewski, the former CISO at Levi Strauss, has also held senior cybersecurity roles at both Pacific Gas & Electric and Kaiser Permanente. Today he is a cybersecurity advisor for S3 Consulting. As CISO, he guided companies through the acquisition process.
Zalewski said in those situations he needed to maintain “hard firewalls between my company and their company. Then I can put together plans and budget to figure out what the marriage really is.”
But, he noted, he also needed to create a 100-day plan to try to manage the new risks precisely. “How do I place blame for all of the crap that I had no control over? It’s really about the CISO managing the risk for an arranged marriage. Even worse, this is an arranged second marriage where both parties have a lot of history and both sides come with lots of baggage,” he said.
Another former CISO, Michael Lines, helmed cybersecurity operations at PwC, TransUnion, and FICO. He is currently principal of cybersecurity vendor Heuristic Security.
He, too, is familiar with the cybersecurity problems of the post-acquisition holding period. “This is something that I do have experience with, both as an acquirer, and being acquired,” he said. “Often, infosec is the tail on the dog of the acquisition, brought in late to the process, and there is often an unstated expectation not to rock the boat on the acquisition. To the extent that issues are identified, it would have to be something catastrophic to derail the deal. What I am saying is that business interests determine whether the deal happens — infosec is often just a box to be checked.”
The message, he said, was invariably, “we will not touch you until these holes are all fixed.”
More than anything else, solving this problem requires better communication, added Beauceron Security CEO David Shipley.
“It’s important that there is clarity about expectations,” he said. “Set the standard and remove the uncertainty,” because uncertainty and stress are what make these attacks work.
“This is all going to come from a post-acquisition communication plan, focusing on people, process, and culture,” he explained. “You are not going to patch your way out of this. There are more risks from a rushed IT transition than what an attacker could possibly do.”