By: Jonathan Sander, VP of product strategy for Lieberman Software
Commencing a Mergers and Acquisitions (M&A) deal, is like buying a new home. Due diligence dictates that the buyer understands all of the risks, where there are weak points, leaks or any other risks that will be inherited. To do this, the buyer will bring in an inspector, or in the case of a merger or acquisition, a third party to clue up the buyer to any potential sticking points. But also akin to buying a home, the true faults don’t begin to show until you’ve lived with them – or done business with them – for a while.
When purchasing a new company, naturally cyber security is often not a top priority and any inspection pre-merger will consist of a casual examination of the results in IT systems, audits of data dumps and a walk-through transaction from the view of the end user. When it comes down to it, both parties are more worried about keeping customers and shareholders happy and focusing strongly on the quickest route to profitability. Therefore, post M&A consolidation of the two companies is likely to be rushed. However, rue consolidation can take years to achieve post merger and this is because of the complexity that is realised when bringing two companies together.
And here’s the thing: complexity makes an excellent place for bad guys to hide, whether it’s external cyber criminals looking to take advantage of a chaotic time, or an internal employee feeling uncertain about their position in the new corporate environment. The number one real risk from mergers and acquisitions is that this complexity multiplies overnight when Company A amalgamates with Company B. Cyber criminals under any guise are opportunists and will take advantage while everyone else is distracted.
With that in mind, companies need to anticipate that insecure, privileged accounts are a prominent method used by cyber criminals to gain access into a network and think about how this problem is effectively multiplied when two or more IT environments merge. Privileged accounts provide the gateway for viewing and extracting critical data, altering system configuration settings, and running programs on almost every hardware and software asset in the company. And once one privileged account is breached, it is easy for hackers to move around the network almost undetected.
There are so many privileged accounts in large businesses that many can’t keep track of where all of their privileged accounts reside or who can access them.Unlike personal login credentials, privileged identities are not typically linked to any one individual and are often shared among multiple IT administrators with credentials which are seldom changed, making it even easier for the criminals to worm their way through the network.
So while Organisation A might have well defined processes to keep track of these important accounts, Organisation B could potentially be a mess of who has access to what or over-provisioning (where employees move internally but still have old access permissions). When the two merge, there will also be cases of inherited rights if rules and policies are not well-defined and therefore even more risk is introduced.
Put simply, when two corporate IT environments come together, IT and systems administrators come face to face with one of the biggest IT challenges of a successful merger: privileged identity management.
The problem is that if organisations don’t know where their privileged accounts are on the network, they cannot safeguard them. Think of an ostrich; just because it buries its head and is unable to see the problem doesn’t mean that it won’t get attacked. So the idea is to detect and remediate.
Adaptive privilege management automatically locates privileged accounts throughout the network, brings those accounts under management while auditing access to them. The uncomfortable truth is that in today’s cyber security landscape, cyber criminals can compromise a network no matter what security measures you have in place. Fortunately, with adaptive privilege management security threats can be remediated faster than hackers can exploit them.
For two companies coming together, proactively sorting out the issues surrounding privileged identity management with a view to minimising cyber related risk can build trust and remove arbitrary access to make sure the process is fair.
While mergers and acquisitions can be a thrilling and eventful time in the corporate world,it can also be a highly chaotic time, especially for IT teams and sys admins who need to keep track of employees and sensitive information. When thinking about the number of new staff, the leavers and the movers, it can boggle the mind of even the most astute IT professionals. By keeping a step ahead and taking actions to easily get insight and control over who is accessing what, it can decrease the complexity of bringing two different corporate IT environments together and help keep cyber criminals at bay.