Selling Your Business, Staffing Industry M & A Activities, Staffing Tech, ValuationApril 17, 2025

Cybersecurity in Staffing M&A Part 3 – Post-Acquisition Cybersecurity

Post-acquisition cybersecurity integration is critical to preserving deal value in staffing M&A.

In Part 1 of this series, we looked at the cybersecurity risks that often go unnoticed before a staffing M&A deal begins.

In Part 2, we explored how hidden vulnerabilities uncovered during due diligence can derail a transaction or lead to painful surprises post-close.

Now in Part 3, we turn our focus to what happens after the deal is signed. Because once the ink dries, the real work begins, and for many buyers, post-acquisition cybersecurity integration is where the biggest risks and blind spots still live.

After the deal is closed, the hard work doesn’t stop. In fact, post-acquisition cybersecurity integration can be one of the most challenging, and critical parts of an M&A transaction. Ensuring that security measures are harmonized, and operational risks are mitigated during the integration phase can make or break the success of a merger.

I sat down again with cybersecurity expert Mike Glover and Charter’s Krisann McDonnell to talk about the people, systems, and processes that must align to keep a deal from turning into a security mess.

Brian Kennedy: Mike, Krisann, now that a deal is closed, what are the key cybersecurity integration challenges companies face?

Mike Glover: “The first major challenge is aligning IT systems. Even if both companies had solid security practices before the deal, merging different systems can expose vulnerabilities. Whether it’s integrating payroll systems, HR software, or cloud-based services, you’re looking at a lot of moving parts. If the integration isn’t done carefully, you can inadvertently create new gaps in security.”

Brian: So, the merging of systems itself can create new risks?

Mike: “Absolutely. Even if the intention is to improve overall security, the process of integration can sometimes expose weaknesses. For example, if one company is using an outdated system that isn’t compatible with the buyer’s newer systems, that could leave a backdoor open for cyberattacks. The IT teams need to carefully vet all systems before integration to ensure that the security posture remains strong.”

Krisann McDonnell: “Adding to that, another challenge is ensuring a unified security culture. Cybersecurity isn’t just about technology; it’s about people. You have different teams, with different policies and practices. For the integration to be successful, you need to align employees on the importance of cybersecurity, the protocols to follow, and the tools to use. If there’s inconsistency, it can lead to weak points that attackers might exploit.”

Brian: That’s a good point, Krisann. How do you effectively manage this cultural shift and ensure that employees from both companies are on the same page when it comes to cybersecurity?

Krisann: “It’s all about education and communication. The first thing you need to do is communicate the importance of cybersecurity to all employees early on. Staff training should be one of the first initiatives after the acquisition. Everyone needs to be on the same page in terms of understanding the firm’s new security protocols and how to recognize potential threats, like phishing attempts or social engineering tactics.”

Mike: “One of the most critical things during this phase is to ensure employee access control is locked down properly. The merger is the time when access rights should be reassessed across the entire organization. You need to identify who has access to sensitive data and systems and whether that access is still justified. If former employees or contractors still have access, it could be a serious security risk.”

Brian: That’s a great point. Now, what about monitoring? After the integration, how can staffing firms ensure that their security measures are holding up?

Mike: “Post-integration, you need a strong monitoring system in place to ensure that security risks don’t slip through the cracks. It’s critical to have continuous monitoring tools that alert your IT team to any suspicious activity. This way, you can act quickly before a potential attack becomes a full-scale breach.”

Krisann: “Continuous monitoring is non-negotiable. During the integration process, there’s a high level of risk, as cybercriminals often see mergers and acquisitions as a prime time to strike. Attackers target the weak points during the chaos of an integration. Monitoring tools help identify these risks in real-time, so that you can act fast.”

Brian: What happens if a cybersecurity incident occurs after the deal closes? How should the buyer respond?

Krisann: “If an incident occurs post-acquisition, it’s critical to have an incident response plan already in place. This plan should outline the roles and responsibilities of the IT team, communication protocols, and the steps to contain the breach. Having a tested, clear response plan can make all the difference in minimizing the damage from an attack.”

Mike: “Right. An incident response plan ensures that everyone knows what to do and can act quickly. But even before an incident occurs, you should be testing the security systems regularly and conducting mock incident response drills. This keeps the team sharp and ready if something does go wrong.”

Brian: So, it sounds like cybersecurity post-acquisition is not just about fixing immediate problems—it’s about being proactive to ensure a smooth transition.

Mike: “Exactly. It’s about making sure that security is integrated into every part of the new business. It’s not just the IT systems but also the people and processes. You need to assess and adjust to ensure that vulnerabilities aren’t created during the transition phase. The goal is to keep the organization secure and ensure that the buyer’s investment is protected long-term.”

Krisann: “And that’s why cybersecurity should be part of the post-merger strategy from the very beginning. It’s about setting up your systems for success and preventing a situation where you’re scrambling to fix issues after they arise. If you do this correctly, the integration can be smooth, and the organization can operate securely in its new form.”

Brian: For staffing firms looking at an M&A deal, what steps should they take to ensure a smooth cybersecurity integration post-acquisition?

Mike: “The first step is to conduct a thorough assessment before the deal closes. This means auditing all systems, reviewing access controls, and checking for vulnerabilities. Then, as the integration progresses, it’s important to keep communication open between both IT teams and the leadership teams to ensure the process remains smooth. Make cybersecurity a key part of the merger’s success.”

Krisann: “And keep educating your staff. Post-acquisition is a time of change, and staff may not be familiar with the new protocols. So, ongoing training, regular communications, and a clear incident response plan are vital. The more proactive you are, the less likely you’ll face issues down the road.”

Brian: Final thoughts on post-acquisition cybersecurity integration?

Mike: “It’s all about planning. Start with a comprehensive audit, align your teams, and ensure you have strong monitoring in place. Don’t let security be an afterthought after the acquisition. Make it a key part of the integration strategy from day one.”

Krisann: “Post-acquisition cybersecurity isn’t a one-time fix—it’s an ongoing process. By taking the right steps early on, you can prevent problems later and make sure the newly merged entity is secure, compliant, and ready to thrive.”

As mentioned, post-acquisition cybersecurity integration is critical to preserving deal value in staffing M&A.

Take Action Now.

If you’re considering selling your staffing firm, don’t let cybersecurity be the reason you lose value or delay your deal. The risks you overlook today could be the very reason your deal falls apart tomorrow.

As someone who specializes in selling staffing companies, I can tell you that the firms that address cybersecurity issues upfront are the ones more likely to get top dollar. It’s a marketable characteristic of your enterprise. If you want to make your business as attractive as possible to buyers, it’s crucial to address any cybersecurity vulnerabilities now.

Charter can make that process easier. They offer confidential cybersecurity assessments that help firms identify weaknesses, improve their digital hygiene, and ensure they’re ready for a successful transaction.

No cost. No pressure. Just real insights.

Schedule a complimentary, confidential consultation with Charter today: [kmcdonnell@charter.ca]

You can also ask us your M&A  questionsbrian@racohenconsulting.com and be sure to check our Resources Library out here: https://racohenconsulting.com/library

Your business value depends on it.

In the next article, we’ll look at the proactive steps staffing firms can take before entering the M&A market to strengthen their cybersecurity and protect their valuation.

Read more
Growing Your Business, Selling Your Business, Staffing Industry M & A Activities, Staffing Tech, ValuationMarch 27, 2025

Cybersecurity in Staffing Industry Mergers and Acquisitions

By: Brian Kennedy

 

What if a $30 mistake cost you millions and killed your M&A deal?

It sounds extreme, but it happens more often than you’d think, especially when it comes to cybersecurity. A small vulnerability that seems insignificant can open the door to catastrophic consequences. Just ask the owner of a staffing company who was on the verge of closing a lucrative deal after years of hard work, only to see everything fall apart, because of a fish tank thermometer. 

The company had a beautiful saltwater aquarium in its office, and the owner installed a WiFi-connected thermometer to monitor the water temperature remotely. What he didn’t realize was that the device had no security controls and was connected to the company’s network. A hacker exploited this tiny vulnerability, gained access to the firm’s entire system, and deployed ransomware, locking down all their data, including payroll records, candidate information, and client contracts.

The company was forced to pay the ransom, but the damage was done. The buyer walked away from the deal, citing cybersecurity negligence as a major risk factor. The seller’s firm, once highly valuable, had lost millions in potential deal value over a $30 mistake.

This is not a hypothetical scenario. It really happened. And it underscores why cybersecurity is no longer just an IT issue, it’s an M&A dealbreaker.

 

Meet the Experts

To explore how cybersecurity impacts staffing M&A and what firms must do to protect themselves, I spoke with two of the leading experts in cybersecurity and enterprise architecture from Charter, a company which has driven successful digital transformations for clients globally since 1997.

Mike Glover – One of Canada’s most highly regarded enterprise architects, with deep expertise in business strategy, technology integration, and large-scale cybersecurity transformations. He has advised companies facing high-stakes M&A transactions where data integrity and risk management are paramount.

Krisann McDonnell – An M&A and cybersecurity leader specializing in assessing and mitigating risks in high-value transactions. Holding TOGAF, CISM, and NIST certifications, she leads security practice at Charter and works directly with firms to uncover hidden vulnerabilities and ensure compliance.

Both Mike and Krisann have seen firsthand how cybersecurity can turn an acquisition from a growth opportunity into a financial and operational nightmare.

What This Series Will Cover

Over the next four articles, we’ll take a deep dive into the most critical cybersecurity challenges facing staffing firms in M&A transactions:

  • Why Cybersecurity is Now a Dealbreaker in Staffing M&A – Understanding how cyber risks influence valuations and transaction terms.
  • Hidden Cybersecurity Risks in Staffing Acquisitions – Identifying the most overlooked vulnerabilities that could compromise a deal.
  • Post-Acquisition Cybersecurity Integration – Addressing challenges in merging security systems and ensuring a smooth
  • How to Strengthen Cybersecurity Before Entering the M&A Market – Practical steps staffing firms can take to protect themselves and enhance their marketability.

Cybersecurity is no longer optional in staffing M&A. It is a core business risk that must be addressed proactively. By leveraging the expertise of Mike Glover and Krisann McDonnell, this series will equip staffing firm owners, buyers, and investors with the critical insights needed to execute secure and successful transactions.

Keep reading for Part 1, where we explore why cybersecurity has become a deciding factor in staffing M&A deals.

 

Part 1 – Why Cybersecurity is Now a Dealbreaker in Staffing M&A

Mergers and acquisitions in the staffing industry have always been driven by financial performance, client contracts, and operational efficiency. However, in today’s market, cybersecurity has become a major factor in deal success or failure. Buyers are scrutinizing security postures more than ever, and firms with weak cybersecurity protocols are increasingly facing reduced valuations or even deal cancellations.

To understand why cybersecurity is now a make-or-break issue in staffing M&A, I sat down with Mike Glover, one of Canada’s most experienced enterprise architects and a leader in cybersecurity for M&A transactions, and Krisann McDonnell, an M&A and security expert at Charter.

Brian Kennedy: Mike, cybersecurity wasn’t always a top priority in staffing acquisitions. What changed?

Mike Glover: “A few years ago, buyers treated cybersecurity as an IT issue they could deal with after the acquisition. That’s no longer the case. Now, buyers want proof of strong security practices before closing a deal. If they uncover security gaps, they’ll either walk away or use them as leverage to lower the valuation.”

Brian: Why is cybersecurity an even bigger concern in staffing M&A than in other industries?

Mike: “Staffing firms handle enormous amounts of personally identifiable information: candidate resumes, payroll details, client contracts. If that data gets compromised, the entire business model is at risk. A breach doesn’t just impact one company; it can expose thousands of candidates and clients. Buyers don’t want to inherit a data security mess, and they’re going to pay less, or not buy at all if they sense risk.”

Brian: So how does cybersecurity affect valuation in real-world deals?

Krisann McDonnell: “Buyers aren’t just looking at EBITDA anymore. Cybersecurity risk is now a major factor in valuation. A firm with a strong security posture can command a premium price, while one with poor security might see its valuation drop overnight. I’ve seen firms lose millions in potential deal value simply because they didn’t have proper security controls in place.”

Mike: “I worked on a deal where the seller assumed security wouldn’t impact valuation, but when the buyer’s tech team did a deep dive, they found unencrypted payroll records and no multi-factor authentication. The buyer immediately cut their offer by 20%. The seller was blindsided, but in today’s market, buyers aren’t willing to take that risk.”

Brian: What security red flags are most likely to make buyers reconsider a deal?

 Mike: “There are a few major ones:

  • Outdated software – Staffing firms often use legacy applicant tracking and payroll systems that lack modern security controls.
  • No multi-factor authentication (MFA) – If employees can log into critical systems with just a password, it’s an easy target for attackers.
  • Third-party vendor risk – Many staffing firms use third-party providers for payroll, background checks, and CRM tools. If those vendors have weak security, the risk extends to the buyer.”

Krisann: “I’d add past security incidents to that list. A lot of sellers don’t realize that previous breaches, even if they were resolved, can still impact valuation. Buyers want full disclosure, and if they find out about a breach the seller didn’t mention, it immediately raises trust issues.”

Brian: So for staffing firms thinking of selling, what should they do now to avoid cybersecurity hurting their valuation?

Mike: “Start preparing early. Sellers should:

  1. Conduct a cybersecurity audit before a buyer Fixing problems before due diligence prevents last- minute deal surprises.
  2. Ensure regulatory Staffing firms operate across multiple jurisdictions, and buyers don’t want compliance headaches.
  3. Harden access controls. Remove ex-employee access to critical systems and require multi-factor authentication for sensitive data.”

Krisann: “Also, be ready to prove your security maturity. Buyers love seeing a cybersecurity due diligence package that outlines your policies, recent audits, and security improvements. It signals that security is a priority, which builds confidence and protects valuation.”

Brian: Final thoughts? What should staffing firms take away from this conversation?

Mike: “Cybersecurity isn’t just an IT issue anymore. It’s an M&A deal factor that can determine whether a transaction moves forward or collapses. Sellers who ignore it risk losing millions.”

Krisann: “Security preparedness isn’t just about avoiding penalties, it’s an opportunity to increase valuation and buyer confidence. The firms that address cybersecurity early will have the most leverage when negotiating a deal.”

Conclusion

Cybersecurity is no longer optional, it’s mandatory in today’s M&A environment. For staffing firms looking to enter the market, taking proactive steps to strengthen cybersecurity before the process begins can make a world of difference.

By conducting audits, upgrading systems, training employees, and ensuring compliance, firms can increase their marketability, protect their valuation, and set themselves up for a successful transaction.

Take Action Now.

If you’re considering selling your staffing firm, don’t let cybersecurity be the reason you lose value or delay your deal. The risks you overlook today could be the very reason your deal falls apart tomorrow.

As someone who specializes in selling staffing companies, I can tell you that the firms that address cybersecurity issues upfront are the ones more likely to get top dollar. It’s a marketable characteristic of your enterprise. If you want to make your business as attractive as possible to buyers, it’s crucial to address any cybersecurity vulnerabilities now.

Charter can make that process easier. They offer confidential cybersecurity assessments that help firms identify weaknesses, improve their digital hygiene, and ensure they’re ready for a successful transaction.

No cost. No pressure. Just real insights.

Schedule a complimentary, confidential consultation with Charter today: [kmcdonnell@charter.ca]

You can also ask us your M&A  questions: brian@racohenconsulting.com and be sure to check our Resources Library out here: https://racohenconsulting.com/library

Your business value depends on it.

 

In the Part 2, we’ll examine hidden cybersecurity risks in staffing acquisitions and how buyers can uncover potential threats before closing a deal.

Read more
Selling Your Business, Staffing Industry M & A Activities, UncategorizedApril 22, 2024

Earnout Dice-Roll?? Secure Your Bet with a GM Approach

image

In the staffing industry, understanding the financial dynamics of a business is crucial, especially when it comes to acquisitions. One key aspect often under scrutiny is the earnout structure. But what’s the best way to approach this?

The Core of COGS:

The real costs in our industry boil down to our client-facing workforce. This includes wages, statutory obligations, and workers’ compensation. These expenses form the core of our Cost of Goods Sold (COGS). After these are paid, what remains is our gross margin. This isn’t just any figure; it’s the lifeblood of our business, powering everything we do, whether it’s temp, contract, or direct-hire placements.

Earnouts and the Complication with EBITDA:

When it comes to earnouts in staffing company acquisitions, some buyers lean towards tying them to EBITDA or Net Income. However, this approach can be fraught with complications. Post-sale, the new owner usually takes over operating expenses, and as we all know, accounting practices can vary. This variability can lead to gray areas and potential disputes when determining if the earnout target has been met.

Why Gross Margin Makes Sense:

This is where gross margin becomes a game-changer. It’s a straightforward calculation: revenue minus the direct costs associated with temp/contractor placements. Clear, unambiguous, and an ideal measure for evaluating earnout targets. It accurately reflects the true performance of the business and how efficiently all types of placements are managed. Most importantly, it’s a reliable indicator of business health, unaffected by variables that might be out of control post-sale.

Setting Fair Earnout Targets:

With this in mind, it’s advisable to set earnout targets irrespective of placement type. The target should match the gross margin amount present when the buyer conducted their valuation and made their offer. This ensures the target is fair, based on current business performance, and achievable. It’s an equitable approach, reflecting the business’s ability to sustain its gross margin post-transaction.

Provisions for Performance:

Effective earnouts should include provisions for both underachievement and overachievement of the target. It shouldn’t be an all-or-nothing scenario. Falling short means earning less, while exceeding expectations should rightly result in more. This creates a balanced, performance-based structure that’s fair for both parties.

Conclusion:

In staffing company acquisitions, focusing on gross margin for earnouts offers clarity, fairness, and a true reflection of business performance. It’s a strategy that aligns interests and promotes a healthy, sustainable business post-acquisition.

 

Don’t leave your M&A journey to chance. Reach out to us today.

Call us or send a message and let’s discuss how we can support your goals and ensure a successful transition for your staffing company.

image
Read more
What is your business worth in today’s market?

Before considering the sale of your business, get a free current market valuation of your company

Free Valuation