Looking at the bigger picture, mergers and acquisitions often prove highly beneficial for organizations in the longer run and help businesses grow. But the times during the mergers and acquisitions are highly trying ones and loaded with a variety of risks. Among other things, they present steep security challenges. Data is consolidated and can be compromised in the process. Employees in fear of being laid off are potential insider threats as they hoard data and try to access files they ideally should not, in order to gain footing with future employers. During mergers and acquisitions, businesses must protect themselves more than when the business is simply running daily operations.
Data breaches can hit at any time in a business’ lifecycle. But, if they occur mid-way through an M&A process, they can be particularly damaging. For British payday loan company, Wonga, breach of personal data of 270,000 customers happened in the middle of a major restructuring. For media conglomerate Talk Talk, it cost them £60m, 100,000 customers, and a record £400,000 fine from the Information Commissioner, all in addition to a damaged reputation. Yahoo was in the middle of an M&A deal with Verizon when a second data breach occurred. Result: The deal was put at risk and $350 million was lost from the final purchase price.
Mergers and acquisitions happen primarily for reasons of combining customer bases and intellectual property or data. For many businesses, such property is their lifeline. If a business is breached during the M&A process, the very reason for merging is put in jeopardy. It is also a time in which businesses are vulnerable to such attacks as their primary focus is on the process of M&A resulting to a higher possibility of data breaches. Since it is critical business property that is lost, the added fact that this property is the reason for the merger or acquisition in the first place, and because M&A periods are highly susceptible to data breaches, this period in any business’ lifecycle is critical from a security standpoint.
Insider threats can be particularly nasty. M&As make employees nervous, rendering them highly unpredictable in many cases. They might start looking for new jobs and aggregating company data to take to new employers. Specifically, privileged users are a major threat as they are privy to sensitive information. Such users are not just executives, but IT admins with panoramic access to a business’ IT systems which they must maintain in the course of their jobs. Such users might even try to leverage their privileged access to retain their jobs or steal maliciously to get back at their employers.
There are other forms of insider risks that occur during a merger. Compromised passwords written down on paper or in computer documents, malicious links in emails that are clicked, and sidestepped security policies are all an even bigger threat during M&As.
A business needs a dependable IAM solution during M&A to mitigate these risks. Different dimensions of identity and access management help in different ways to ensure that M&As can go smoothly without the hassles of security breaches. Single Sign-on (SSO) prevents compromised passwords due to password fatigue. Password Management ensures that password policies are enforced, and stringent measures are taken when passwords are reset. Identity Governance and Administration (IGA) employs Access Recertification campaigns. These are periodic reviews of all accesses within an organization. An access that is flagged as inappropriate can immediately be dealt with. Many mandates such as GDPR and SOX must be complied with as well; non-compliance can put a halt on an M&A, damage company reputation, and cost millions in compromised data and loss of reputation. Privileged Access Management (PAM) is another robust solution to prevent the risk of compromise and data breach that privileged accounts carry with their elevated capabilities.
Additional IAM modules such as context-based authentication and adaptive authentication can further mitigate insider threats. Context based authentication ensures that authentication attempts are valid only when predefined criteria of time, location, and other factors are met. Adaptive authentication tracks user behavior and bars access when behavior sways too much from normal. For instance, if an account is being logged into from one geographic location and then from another, impossibly distant one, in a short time frame, the system can detect this and lock the account. It can also detect suspicious behavior as employees who suddenly start staying late at the office typically represent a possible insider threat. Such employees are often disgruntled and causing a breach might be playing in their minds.
IAM offers other benefits during and after mergers and acquisitions. Merging entities will likely have differing policies and processes for managing user identities. In addition, an M&A might involve a reduction in workforce or reassignment of roles. IAM is critical for integrating all these aspects for a seamless transition into a new business entity.
Mergers and acquisitions are a tough time for the businesses involved. Critical data is changing hands, and roles are being changed or being made redundant. This is a time during which critical assets must be protected. IAM solves a host of security issues with its ability to streamline role changes and detect insider threats. Although IAM is always a nearly essential solution to have on deck, it becomes indispensable during mergers and acquisitions.
Compact Identity from Ilantus is one such comprehensive solution that will prove extremely beneficial during M&As. It offers a range of features and modules that cover IAM, Password Management, IGA and even PAM. If Compact Identity is in place, executives can focus on the more important task at hand of completing the merger or acquisition seamlessly without worrying about probable security complications.