High-profile cybersecurity breaches have everyone’s attention, but in many organizations, protecting company systems and data still falls on the IT department’s shoulders. That approach may work during normal operations, but when a merger, acquisition or expansion lands on the executive team’s desk, everything starts moving at once:
- Leadership focuses on deal logistics, integration timelines and keeping the business running.
- IT races to connect systems, migrate data and stitch together different technology environments.
- New employees log into company networks while new vendors come on board.
- Sensitive data moves between systems that were never designed to work together.
- Outside advisors, consultants and integration partners receive temporary access to internal systems.
- Employees work with unfamiliar tools and processes as the organization moves through the transition.
While all of this is going on, cybercriminals are paying attention. They know the odds that someone will take their eye off the ball increase during transitional periods. Plus, business deals take time, giving attackers a longer runway to probe systems, test vulnerabilities and exploit gaps.
“Cyber attackers are actively looking for these [opportunities],” says Christopher Todd Doss, senior managing director at Guidepost Solutions. “They read the news just like we all do, and if they notice a large transition taking place, it can become a desirable target.”
Doss points to distraction and lack of guidance as two of the biggest threats companies face during a merger or acquisition. Employees are consumed with combining two organizations, leadership is changing, processes are shifting and databases are being merged. Threat actors know that cybersecurity may take a backseat during these periods, but that's a risk organizations can't afford to take. "Keeping cyber top-of-mind is critical because the bad guys know it's a time of change," Doss says.
The cost of ignoring the threat
The financial case for taking cybersecurity seriously during a merger, acquisition or expansion doesn't require much convincing once you look at what breaches actually cost and how common they are:
- The average breach costs $4.4 million globally, but U.S. organizations pay nearly double that, averaging roughly $10 million per incident (mostly due to higher regulatory penalties and recovery costs).
- There were about 3,300 data breaches in the U.S. last year, up from about 3,100 in 2024.
- The data breach figures don't even include ransomware attacks, denial-of-service attacks or credential-theft campaigns.
- Financial services, healthcare and professional services consistently report the highest number of breaches, mostly because they handle large volumes of sensitive data.
The numbers and facts tell part of the story, but Doss says even bigger issues emerge when companies treat cybersecurity as something to address later, after the deal closes. He recommends making it part of the conversation in the boardroom, well before any deal, expansion or other big move is planned out.
"Cyber generally gets put on the back burner, and it shouldn't be," Doss says. "It can't be something you bolt on after the fact. It needs to be considered right from the start."
Four ways to keep bad actors away during transitions
So, what does it actually take to keep your defenses intact during times of transition? Doss says the companies that get it right share one thing in common: They treat security as a business priority, not something they hand off to IT and forget about. Here's what he recommends.
1. Audit who has access to what, and when.
Roles shift, contractors come in, consultants get temporary access and new vendors start managing systems that hold sensitive data. That expanding web of access opens the door to identity theft. There were nearly 1.2 million reported cases of identity theft during the first three quarters of 2025 alone in the U.S., outpacing the total number of cases reported in 2024. It's easy to miss because it happens gradually, according to Doss.
Start here: Review user permissions regularly, remove outdated access rights and require clear approvals and expiration dates for any temporary access granted to contractors, consultants or vendors.
2. Include cybersecurity from day one.
When companies merge databases and combine systems, small gaps in controls or naming conventions can create openings for attackers. Cybersecurity teams should review data migrations, access controls and system configurations before integration begins and remain involved through the entire process.
Start here: Bring cybersecurity teams into system and database integrations early so they can review data migrations, access controls and system configurations.
3. Make security a leadership priority.
Major transitions touch every part of the business, which means cybersecurity can’t be relegated to one department. Bring security, IT, legal, HR and finance together early so everyone understands how the transition may affect systems, data and access. Doss says this kind of cross-functional approach helps companies identify risks before they turn into serious vulnerabilities.
Start here: Build a cross-functional team that includes security, IT, legal, HR and finance, and ensure security considerations are integrated into the transition process at an early stage.
4. Don’t overlook the human factor.
As employees adjust to new roles, executive leadership and unfamiliar processes, they may unknowingly share information too freely or respond too quickly to requests. This can create risk: someone clicks a phishing email, sends sensitive information to the wrong person or grants access to someone who shouldn’t have it. Doss says companies can minimize the risk with clear communication and regular reminders to employees about how to handle suspicious requests.
Start here: Communicate early and often during the transition and remind employees to verify unusual requests, avoid oversharing sensitive information and report suspicious emails or system activity.
The bottom line
By their very nature, significant business transitions present both financial and operational risk. The last thing companies need is a data breach, ransomware attack or major system compromise to add to that list. Unfortunately, bad actors watch the headlines and know when large deals and organizational changes are in motion.
The good news is that with the right preparation, security doesn't have to be an afterthought. Use the tactics in this article to keep security front and center so that any merger, acquisition or expansion strengthens your business instead of raising its risk profile.