When entering a mergers and acquisitions (M&A) deal, the ruling analogy is that of purchasing a new home. Due diligence dictates that the buyer understands the risks and knows where there are weak points, leaks or any other inherited risks. To do this, the buyer brings in an inspector or, in the case of a merger or acquisition, a third party to alert the buyer to any potential sticking points. But also akin to buying a home, the true faults don’t begin to show until you’ve lived with them (or done business with them) for a while.
When acquiring a new company, cyber security is often not a top priority. Any inspection pre-merger consists of a casual examination of the results in IT systems, audits of data dumps and a walk-through transaction from the view of the end user. Just like the new home buyer is more concerned with the neighborhood than the plumbing at first, both parties in a merger are more worried about keeping customers and shareholders happy and focusing on the quickest route to profitability. True consolidation can take years to achieve because of the complexity of bringing two companies together.
And here’s the thing: complexity makes an excellent place for bad guys to hide. That includes external cyber criminals looking to take advantage of a chaotic time, or an internal employee feeling uncertain about their position in the new corporate environment. The bad plumbing hides in the walls of the house. The security vulnerabilities hide in the 5 layered applications that can’t be changed for fear of lost revenues. The number one risk from mergers and acquisitions is that this complexity multiplies overnight when Company A amalgamates with Company B. IT complexity isn’t addition, it’s exponential. Cyber criminals are opportunists and will take advantage while everyone else is distracted with complexity.
Consolidating Privileged Account Management During Mergers
With that in mind, companies need to anticipate that insecure, privileged accounts are a prominent method used by cyber criminals to gain access into a network. This problem is effectively multiplied when two or more IT environments merge.
Privileged accounts provide the gateway for viewing and extracting critical data, altering system configuration settings, and running programs on almost every hardware and software asset in the company. Privileged accounts are the admin logins that every server, device, router, and IoT toy has; they are the application and service accounts that run an organization’s most critical software; they are the links that keep all the machine-to-machine communications humming along. Every one is dangerous if unchecked.
And there are so many privileged accounts in large businesses that many organizations can’t keep track of where all of their privileged accounts reside or who can access them. The problem is that if organizations don’t know where their privileged accounts are on the network, they cannot safeguard them. Unlike personal login credentials, privileged identities are not typically linked to any one individual. They are often shared among multiple IT administrators with credentials which are seldom changed. This makes it even easier for the criminals to worm their way through the network after stealing just one privileged credential.
Put simply, when two corporate IT environments come together, IT administrators come face to face with one of the biggest IT challenges of a successful merger: privileged identity management. Much like that list of projects our home seller has been ignoring for years, the lack of privileged identity management becomes a latent risk to the buyer at the time of M&A.
For two merging companies, proactively sorting out the issues surrounding privileged identity management with a view to minimizing cyber-related risk can build trust and remove arbitrary access to make sure the process is fair. While Organization A might have well-defined processes to keep track of its powerful privileged accounts, Organization B could potentially be a mess of who has access to what. When the two merge, there will also be cases of inherited rights (the dreaded “just give Sally from Organization B the same rights as Jill from A and be done with it”) unless rules and policies are well-defined to prevent even more risk being introduced. Proper controls over the now merged set of privileged accounts can make things transparent. This removes any notion that one team is the special, controlling team, and instead puts the control of administrative power in the hands of a system run by policy.
Mergers and acquisitions can be a chaotic time in the corporate world, especially for IT teams who need to keep track of employees and sensitive information. The number of new staff, leavers and movers can boggle the mind of even the most astute IT professional. Keeping a step ahead and taking action to get insight and control over who is accessing what through privileged identities can decrease the complexity of bringing two different corporate IT environments together and help keep cyber criminals at bay.