For many modern businesses, mergers and acquisitions (M&As) are key levers for growth, expansion, and evolution. For security teams, however, M&A activity comes with a significant workload — and serious risk.
The systems landscape of even a midsized organization is more complicated than we could have imagined 10 years ago. Bringing two of them together, each with its own complex architectures, policies, and security controls, is a titanic endeavor that can take years.
Over the years, security teams have approached M&A from every angle imaginable. So far, it’s amounted to finding 100 ways to not make a lightbulb. That’s because perimeter-based legacy systems have never been flexible or granular enough to truly harmonize two independently formed infrastructures.
According to an IBM Institute for Business Value (IBV) survey, “More than one in three executives [responsible for the M&A functions at acquirer organizations] surveyed said they have experienced data breaches that can be attributed to M&A activity during integration. Almost one in five experienced such breaches post-integration.”
The IT challenges that come with M&As include:
But there’s one more thing organizations inherit in a merger, one asset that is harder to modernize, secure, or predict than any other: users.
As you onboard workers from the acquired company and transition them to new technology that’s properly configured, these new users present new vulnerabilities. In an M&A transition, the work of change management is almost always underestimated. Even if they don't bring bad security habits, acquired users still face the challenge of learning to work in a new way, according to new processes and policies.
According to a Deloitte study, “During integration, unclear roles and responsibilities, disgruntled employees, modifications in the operating model, language barriers, and location changes may prove to be a challenge.” These challenges can lead to increased cybersecurity risks.
Further complicating matters, ineffective onboarding practices contribute to an average of 34% of acquired employees leaving within the first year – a significant factor when it comes to the high rate of M&A failures. Thus, your ability to onboard and ramp up new users can make or break a merger.
Here’s what you should know about making this integration process go as smoothly as possible – and how zero trust can help.
While all companies face the threat of cyberattacks both externally or from within, M&As exacerbate issues regarding trust and access for internal team members.
Ideally, the acquiring organization leverages the acquired organization’s identity source (such as Active Directory) just enough to create new user accounts, then scraps the rest. But if the right shell scripts aren’t set up on both sides of the merger, it takes a ton of work to determine user groups and necessary permissions for all acquired employees.
It’s easier and faster to simply tie an acquired network to your own and allow all traffic from the acquired firewall into your network. While this approach presents far more risk, many organizations do it this way because it is the simplest option. What makes it challenging is how difficult it is to use multiple identity providers, especially those across different domains.
Even under the best circumstances, there are many unknowns to taking on a large number of new employees who weren’t hired directly by you. In a worst-case scenario, you may acquire employees who are disgruntled, untrustworthy, or waiting for the right opportunity to attack. An acquired company’s employees should be seen as third-party, high-risk users when it comes to trust, security, and accessibility. In other words, they should be treated with the same level of scrutiny you would apply to an outside vendor or contractor.
Researchers estimate that the average annual cost of internal data breaches is $11.45 million, and more than half of these breaches are the result of negligence. Even when employees aren’t acting maliciously, they may end up as unwitting accomplices for cybercriminals who take advantage of security weaknesses.
When bringing in a new company, you want to get workers ramped up as quickly as possible. Most of these employees will already have laptops from the acquired company – so getting them straight to work should be easy, right? Not so fast. Unknown factors related to the software and current security measures on these external devices can introduce a host of potential vulnerabilities.
In addition, you’re likely inheriting a number of users who will work remotely in some capacity, either as hybrid or fully remote employees. In a post-pandemic world, the trend of a remote workforce is likely to continue growing. Whether these employees are working from a personal device or a device configured and issued by the acquired company, that can be an unknown and a risk.
At the same time, provisioning new laptops takes time and a significant amount of money. Your IT team must configure these new devices, install the proper applications and agents, and manage other technological issues that employees may face.
The answer to high-risk users, including those who join your company via an M&A, is zero-trust access. With zero trust, no user is granted inherent trust nor does anyone get access to the full network.
The implicit trust and network access extended to users in the traditional perimeter security model opens the door for cybercriminals to gain easier access as well. The zero-trust model, by contrast, reinforces security on a granular level by authenticating and then continuously authorizing all users and devices, including those who pose the highest risk.
The zero-trust model will improve the security posture of any business and provide a substantial advantage following M&As due to the speed, flexibility, simplicity, and ability to integrate with existing systems.
The zero-trust model allows acquiring companies to:
Enforce access controls that minimize entry points that attackers could exploit.
Strengthen connectivity controls to remove the keys that enable unauthorized connections.
Improve oversight controls by understanding the details needed to generate compliance reports.
In addition, zero trust helps organizations adhere to the principle of least privilege regardless of who the user is — whether they are a veteran employee or a newly acquired one — and the managed or unmanaged device they are using.
All users must verify their identity using an advanced authentication system such as multi-factor authentication (MFA) or single sign-on (SSO), and after doing so they will be granted access only to the specific application or data they need to do the job at hand. Being able to federate distinct identity providers from both organizations allows this trust to be earned, no matter where the user originates from. In this way zero trust prevents would-be cybercriminals from piggybacking off of legitimate users to gain access to the entire network.
When onboarding a mass number of new employees during an M&A, delays can be costly and can also prolong existing security vulnerabilities from the acquired company’s systems. Adopting a zero-trust approach solves this issue because of the speed and ease with which it can be applied to existing systems.
Zero-trust access empowers acquiring organizations to connect new employees instantly without migrating users and networks and while enforcing the highest security standards. By creating policies that determine which devices and users can access which systems and applications, zero trust access enables connecting users in a day instead of months.
In the end, the goal of an M&A is to introduce new synergies and to grow revenue. It is important for newly on boarded employees to get to work immediately on the equipment they already have – and, just as important, to continue following their regular routines. Any disruption to this process, including cybersecurity events, are unacceptable. In the aftermath of an M&A, it is critical both to avoid unnecessary disruptions and to minimize the time spent setting up the new system for new employees.
At Cyolo, we believe that the employee onboarding process that follows an M&A can be painless and secure. Wherever you are in your M&A process or zero trust journey, we can help simplify security as your business expands and evolves.
Samuel is the Director of Product Marketing at Cyolo. Before cybersecurity, he spent 7 years working in the ER and loves to tell stories. He is the husband to one, father to four, lives in Bozeman, MT, and would rather be outside. He holds an M.A. in Strategic Leadership from Life Pacific University.