Varonis debuts trailblazing features for securing Salesforce. Learn More

Varonis named a Leader in The Forrester Wave™: Data Security Platforms, Q1 2023

Read the report

12 Ways Varonis Helps You Manage Mergers and Acquisitions

6 min read
Last updated Sep 24, 2021


    How Varonis Helps with Mergers and Acquisitions

    A well-constructed Merger & Acquisition (M&A) playbook reduces the overall time, cost and risk of the upcoming merger and/or acquisition. Gartner advises that organizations who intend to grow through acquisitions involve the CIO and IT teams early in the process by “sharing models with their business executives that raise the right questions and issues to consider.” Further, according to Gartner analysts Cathleen E. Blanton and Lee Weldon, CIOs should “create a reusable IT M&A playbook that can be quickly deployed when an idea or opportunity arises” and to share this data with senior management.

    One of the key challenges with any Merger & Acquisition is how to protect, classify, manage, and migrate unstructured data throughout the entire process. Varonis not only helps protect M&A data prior to, during, and after the announcement – but can help organizations with each stage along the way: Due Diligence, Integration, and Realization.

    Hate computers professionally? Try Cards Against IT.

    With Varonis, organizations can:

    • Assess risk and catalog resources during due diligence
    • Gain insight into security practices and procedures of the target organization
    • Discover domains and user accounts to prepare for integration into the new organization
    • Classify sensitive data in acquired data storage
    • Help create an audit strategy for inherited unstructured data
    • Migrate data to consolidated storage during integration
    • Eliminate the potential of service interruption to critical data

    “CIOs in organizations that plan to grow through mergers and acquisitions must help executives appreciate how technology, data, and analytic capabilities support operational and strategic objectives. A few simple models can make the difference between M&A success and failure.”

    -Cathleen E. Blanton and Lee Weldon, Gartner Inc.

    Due Diligence

    Due diligence is the phase of M&A where decision makers weigh the pros and cons of moving forward with the acquisition, and according to Gartner, is the phase that underutilizes IT resources the most.

    Asking important questions like “is there a danger of a security breach disrupting our M&A?” or “is the acquisition target providing all of the information or hiding some important detail?” as well as having data to answer those questions is vital in the decision-making process.

    50-70% of any organization’s data lives in unstructured repositories. This data can either be a goldmine or a landmine for a successful M&A. Varonis helps determine which of those two options you are getting.

    “CIOs and their teams can quickly grasp and highlight the severity of lax security and the consequent risk to operations.”

    -Cathleen E. Blanton and Lee Weldon, Gartner Inc.

    Sensitive Content Discovery

    Varonis Data Classification Engine classifies sensitive data in unstructured repositories, including email, cloud storage, and NAS devices. You will be able to assess if the acquisition target adequately manages their sensitive data, identify current security vulnerabilities, discover critical data that needs to be locked down, and if they are vulnerable to – or in some cases have already experienced – a major data breach.

    Domain and User Discovery

    Varonis DatAdvantage analyzes and gathers data about each domain and every user account in the acquisition target. Varonis automatically identifies executive, service, and privileged accounts – and helps prepare existing account management for the upcoming merger or acquisition. With this data, you can determine if the company has policies in place to manage and monitor user accounts and identify stale accounts that a hacker could use to steal data.

    File System Discovery

    Varonis DatAdvantage crawls the folder structure of data repositories, including all permissions on each folder. Is the company using least privilege permissions or global access groups? Does everyone have full read/write access on all folders?

    With Varonis, you can instantly visualize or report on potential access for any user or group in Active Directory, Azure AD, or a local system; pinpoint over-exposed sensitive data; and identify excessive permissions.

    Assess Risk

    Varonis DatAlert has built-in risk dashboards that give teams the insight into what data is at risk, identify potentially suspicious user behavior, and track remediation efforts. You will be able to assess if there is a risk of an undisclosed data breach in the acquisition target.

    It can be a career-ending mistake to move forward with an acquisition only to later discover a massive data breach in the acquired company’s data. Not to mention a potential loss of expected revenue that drove the acquisition in the first place.

    Additionally, you’ll get a good idea of the amount of work required to integrate the acquired domains and file systems while analyzing the data from the Varonis discovery process. You will be able to provide a more accurate estimate of the amount of time before you reach value realization, which also influences decisions made during due diligence.


    Varonis has several out-of-the-box reports that can be distributed to the M&A team and analyzed during the due diligence process. These reports will provide a clear picture of the unstructured data and security practices of the acquisition target. CIOs and IT teams can use data from Varonis to empower the M&A team to make the best decision during the due diligence phase for their organization.


    Merging two companies IT infrastructures is not trivial. Throughout the process, you must be aware of possible security threats – both internal and external. There’s no rewinding the clock at this point: the deal is done, and the IT systems need to be consolidated and protected in order for the new organization to thrive.

    A successful integration phase will be free of service disruptions and move quickly into the value realization phase of M&A.

    Varonis provides key functionality you will use throughout the Integration process that will both speed up the integration and provide visibility to all stakeholders.

    Domain Consolidation

    The first and most immediate challenge in integration is “how do we get all of the users using the same systems with the correct permissions?”

    Merging one or more domains into a single primary entity is very difficult with the basic toolset. Varonis DatAdvantage provides a single pane of glass into all domains and users and groups, streamlining that process while taking steps to preserve the integrity of permissions and data access.

    DatAdvantage gives a clear picture of the current domain setup, so that the team can mirror the existing users and groups in the primary domain. Varonis provides a complete audit trail of the changes made, including the IT staff person who made the change. Reports on users and groups can help the M&A team verify that each user has the correct permissions in the new organization.

    These reports also highlight potential problems in the domain configuration that could lead to data breaches, interrupted service, or data leaks – like orphaned or nested groups. That domain data will be refreshed and available for audit in DatAdvantage so that any issues created one day are resolved the next.

    Folder Permissions

    Nothing limits productivity like not having access to the resources you need to do your job. Varonis optimizes the process of changing and updating share and folder permissions. With the single-pane-of-glass view discussed above to consolidate the domains, you can view and modify folder permissions with a complete audit trail. You can easily add acquired users to the ACLs of existing resources, which keeps them productive throughout the integration.

    Varonis DataPrivilege enables data owners to manage access directly, and makes the process for users to request access to data even easier. With DataPrivilege, new users request folder access from a simple interface, and the data owners review to approve or deny the request, removing IT from the burden of user access management.

    The Varonis Automation Engine addresses any of the broken permissions issues that can occur when this much change is introduced into your company data. The Automation Engine makes it easy to revoke unnecessary access that users no longer need or use, keeping your data safe. Automatically fix inconsistent ACLs on folders, a hierarchy, or even an entire server – and eliminate inconsistent file permissions.

    Data Migration and Storage Consolidation

    Most merger and acquisition processes require a significant amount of data migration and storage consolidation, while also readdressing the newly acquired and expensive storage devices that you may or may not need.

    The Varonis Data Transport Engine automates and simplifies large data migrations. Using the Data Transport Engine, you can move data from one storage server to another to save money and reduce overhead while maintaining or updating file access permissions.

    The Data Transport Engine mirrors the existing permissions on the new storage using the information it already discovered from crawling the file structure, and can update permissions to achieve least privilege. The ability to consolidate storage systems can result in tens of thousands of dollars in savings to the new company moving forward. Data Transport Engine streamlines the process while maintaining least privilege permissions and protecting your data.

    Lock Down Sensitive Data

    The Varonis Data Classification Engine continues to scan acquired data for sensitive files throughout the due diligence and integration phases. As you discover new sensitive data you can use Varonis to help manage the files, folders, and subsequent permissions to keep the data safe, making sure that only the right people have access to the right data. You can also use the Data Transport Engine to move the files to quarantine.

    Value Realization

    Once due diligence and integrate are complete, organizations need to practice and maintain data-centric security in order to maintain the security and integrity of the data post-merger, and for potential future M&As.

    Data Discovery and Classification

    The Varonis Data Classification Engine has a wide array of built-in compliance packs for regulations such as GDPR, HIPAA, SOX, PCI-DSS, etc., while providing the ability to create custom rules, perform algorithmic verification, add manual flags, and even automatically quarantine or delete sensitive content that is out-of-policy.

    Permissions Management

    Varonis helps manage permissions and data access as a company grows, simplifying the permission structure on all platforms and revoking unnecessary permissions without affecting end users by simulating permission changes before applying new permissions.

    Security Analytics

    Varonis continuously monitors and analyzes user activity and behavior across hybrid environments and builds behavioral baselines for every account. Security teams can analyze data access events in context with data sensitivity, permissions, and Active Directory metadata, resulting in accurate alerts and fewer false positives.

    With over 100 threat models, Varonis alerts on everything from unusual mailbox activity to insider threats to known malware behavior. Security teams have the flexibility to use the DatAlert dashboard or send alerts to an integrated SIEM.

    Curious to see how Varonis can help with your M&A playbook? Get a customized demo and we’ll show you.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Twitter, Reddit, or Facebook.

    Free Data Risk Assessment

    Join 7,000+ organizations that traded data darkness for automated protection. Get started in minutes.