With mergers and acquisitions (M&A) on the rise, it’s likely that your company has either experienced an M&A already or will at some point. You’re also likely aware of the herculean effort that’s required of IT staff. Suddenly, IT is knee-deep in integration efforts, such as onboarding acquired employees, consolidating domains, and integrating technology stacks. Let’s face it, cybersecurity is rarely the top priority.
Achieving the quickest time to value is the goal, and no one feels this pressure more than IT. As a result, the IT team goes into panic mode. It’s all about getting things done as fast as possible, and access—especially administrator access—is often freely granted. However, once the dust has settled and operations return to normal, rarely does anyone remember to go back and clean up this access.
But given the number and scale of cyber attacks hitting businesses every day, security cannot be postponed or addressed with subpar tools. So, we’re taking a closer look at the ways organizations can become exposed during an M&A and how the right IAM solution can mitigate these risks.
How M&As Put Your Company at Risk
Security is now a business risk, not just an IT risk. In fact, 77 percent of companies believe that data security issues at M&A targets have increased significantly in importance in recent years.
And we all know cybercriminals are opportunists just looking to take advantage of the fact that everyone else is distracted by the M&A integration process. This is especially worrisome if the acquired company has a higher threat profile than your own—for example, when your B2B organization acquires a B2C company and suddenly must handle highly targeted personal information and credit card data.
Although there are numerous cybersecurity concerns during a merger or acquisition, the three most common and important ones we see relate to compliance, gaps in the acquired company’s security architecture, and vulnerability to insider threats.
Being unfamiliar with the specifics of an acquired company’s industry, markets, and/or the associated compliance regulations is a huge hurdle to overcome. Plus, a newly acquired company may not be in compliance—a fact they may have kept a secret during initial due diligence.
Lack of Comprehensive Data Security Architecture
Often, an acquired company is in financial or logistical distress, which means they may not have kept up with making critical security updates or they may have poor security practices, exposed assets, or a lack of visibility into assets.
Vulnerability to Insider Threats
Mergers and acquisitions are times of uncertainty for employees, who may fear losing their jobs or even become disgruntled and act out against the company. Whether purposely or accidentally, employees leave remote access or back doors in place when they quit or are terminated, so it is crucial that accounts are properly decommissioned and that access rights are appropriately adjusted for existing users throughout the M&A integration process.
Immediately Step Up Security with Modern IAM
The right IAM solution can instantly step up the security level of the acquired company, so you have an enhanced security posture from day one.
During a merger or acquisition, the right IAM solution:
- Quickly institutionalizes identity governance policies with policy-driven configurations that are centrally implemented and managed. This ensures they are enforced across all business units—including at the acquired company.
- Provides a complete compliance audit trail with comprehensive logging, prebuilt reporting, and integration with security analytic systems, such as security information and event management (SIEM).
- Provides time-bound access entitlements, which is especially important at the beginning of a merger when IT is widely granting privileged access to ensure things get done quickly.
- Offers access certifications as an out-of-the-box workflow capability that automates certification activities based on birthright entitlements.
- Automates deprovisioning as part of automated lifecycle management, eliminating the risk of human error. The right IAM solution also gives you the ability to detect existing orphaned and dormant accounts in the acquired company’s systems and applications.
- Enables privileged accounts to be locked down from day one and throughout integration. Policies to monitor and control access can be immediately and easily written. For example, you can put cause/effect policies in place on day one to notify you when changes are made to the acquired company’s domain administration group and then automatically delete any unauthorized admin accounts that are added. Multi-factor authentication (MFA) can also be applied to privileged accounts for an added layer of security.
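The checks described in the last three bullets (time-bound entitlements, orphaned and dormant account detection, and monitoring of the domain administration group) can be sketched as follows. This is an added example, not code from the original post or from any IAM product; the account names, the HR feed, the data layout, and the 90-day dormancy threshold are all constructed assumptions, and the functions only report findings rather than removing anything.

```python
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed clock so the sample is reproducible

# Constructed sample data: approved admin grants (None = standing grant, else expiry time).
GRANTS = {
    "alice.admin": None,
    "mig-contractor1": NOW + timedelta(days=5),   # time-bound, still valid
    "mig-contractor2": NOW - timedelta(days=2),   # time-bound, already expired
}
# Constructed snapshot of the acquired domain's administration group.
ADMIN_GROUP = ["alice.admin", "mig-contractor1", "mig-contractor2", "svc-backup-old"]
# Constructed account inventory: name -> (owner id in the HR feed or None, last logon).
ACCOUNTS = {
    "alice.admin": ("E100", NOW - timedelta(days=1)),
    "bob": ("E200", NOW - timedelta(days=120)),
    "carol": ("E999", NOW - timedelta(days=3)),    # owner no longer in the HR feed
    "svc-backup-old": (None, NOW - timedelta(days=400)),
}
ACTIVE_EMPLOYEES = {"E100", "E200"}


def review_admin_group(members, grants, now):
    """Classify each admin-group member against the approved grants."""
    findings = {"ok": [], "unauthorized": [], "expired": []}
    for name in members:
        if name not in grants:
            findings["unauthorized"].append(name)   # never approved: alert and review
        elif grants[name] is not None and grants[name] <= now:
            findings["expired"].append(name)        # time-bound grant has lapsed
        else:
            findings["ok"].append(name)
    return findings


def find_stale_accounts(accounts, active_employees, now, dormant_days=90):
    """Orphaned = no active owner; dormant = owned but unused for dormant_days."""
    orphaned, dormant = [], []
    for name, (owner, last_logon) in sorted(accounts.items()):
        if owner not in active_employees:
            orphaned.append(name)
        elif now - last_logon > timedelta(days=dormant_days):
            dormant.append(name)
    return orphaned, dormant


if __name__ == "__main__":
    print(review_admin_group(ADMIN_GROUP, GRANTS, NOW))
    print(find_stale_accounts(ACCOUNTS, ACTIVE_EMPLOYEES, NOW))
```

In practice the group snapshot and account inventory would come from the directory and HR system of record, and the findings would feed the alerting or deprovisioning workflow.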
M&A Underway: The Last Obstacle
Your company is embarking on a new, exciting venture, so the last thing you want is to be hit with an attack. A data breach following an M&A can derail integration efforts, have huge financial ramifications (right after your company has just made a huge financial move), and threaten your company’s reputation. Implementing a modern IAM solution is the first step in guarding your company from a potentially catastrophic situation. The right IAM solution closes the gaps in access, takes the human factor out of the process, and provides a way to maintain compliance and audit all activity.
And now that we’ve reached the last part of our M&A series, we’ve come to arguably the most important challenge companies face when undergoing an M&A. In our next and final post in our M&A blog series, we’ll discuss how a modern IAM solution helps overcome hurdles that negatively impact customer experience. Stay tuned!