Mergers & Acquisitions: Avoid Identity Management Disasters

Mergers and acquisitions (M&A) are a complex process, and they attract cyber-attacks like honey attracts bees. In a recent survey, 53% of respondents reported that their organization encountered critical cybersecurity issues during the M&A process. It’s a scarily high figure considering these attacks often jeopardize rapid integration and growth.

This increased risk of a breach puts each organization’s technology team on high alert as they work swiftly to create a new, single security strategy while also managing the task of merging technologies and processes, including Identity and Access Management (IAM).

For technology teams handling a M&A, it’s critical they quickly find the balance between efficiency and security. This balance is especially important when managing the digital identities of both organizations and the access to resources and platforms they will require. Identifying who needs access to what and when exactly they’ll need access is paramount to a secure and successful restructuring.

Too often, however, identity is rushed, and access is authenticated and authorized without considering these important factors:

• Unnecessary, unknown, and duplicate identities… During the integration process, IAM managers and application owners often avoid removing unnecessary or unknown user identities from their systems because they’re afraid it might interfere with or impede user access. Keeping these identities active, however, leaves a backdoor open for cyber-criminals to take advantage of during the chaos an M&A creates. Cyber-criminals view an M&A as the perfect juncture to unleash various attacks. Often, the easiest way for a threat actor to gain access is through a digital identity that shouldn’t exist in the first place.
• Don’t follow a “least privileged” approach. According to a 2021 Identity and Access Management report, 77% of organizations have users with more access privileges than required. This over-provisioning of access leaves organizations vulnerable to unauthorized access by insiders and cyber-criminals. Utilizing the least privilege approach limits users’ access rights to only what is strictly required to do their jobs. This tactic reduces the chance of an unintentional human error from occurring and provides greater overall system stability.
• Privileged accounts aren’t limited or tracked. Users with more privileges than ordinary accounts are often left alone during an M&A. Often, hundreds of privileged accounts between the two organizations remain active. These accounts can lead to a variety of problems as these users can perform virtually any act (install software, modify systems, change application configurations, etc.) with little or no oversight.
• Underestimating human challenges. During the integration phase of an M&A, IAM teams should expect the unexpected, as disgruntled employees, language barriers, changes in locations, and employees’ roles being redefined on the fly creates new challenges at every turn. These human challenges take place at the same time the teams are working to integrate their legacy systems. This combination all but guarantees that their risk exposure is as high as possible.
• Forgetting about third parties. It’s not just employees from the two organizations who require IAM; it is also their customers and extended workforce, including third-party contractors, suppliers, vendors, machines, and even bots.

The complexity of merging identities requiring access to multiple systems and platforms has grown exponentially as more organizations depend on third parties to get business done. Organizations often lack the visibility necessary to accurately govern third-party access because they have no single source of truth or central management of these non-employee identities. Third-party identities can make it extremely difficult for organizations to merge into one.