Apr 24, 2023

The M&A Security Checklist: Ensure Secure Connectivity With Zero Trust

Updated April 24, 2023. Originally published May 5, 2021. 

A merger and acquisition (M&A) is a landmark event for a company. It’s a huge growth opportunity and can let organizations break into markets they weren’t previously able to. However, M&As cause a lot of sleepless nights for even the best IT and security teams. From asset inventories to risk evaluation to consolidating the two companies’ security processes, any M&A presents a long road ahead for IT and security teams.

That said, an M&A doesn’t have to be quite so grueling. By definition, M&As typically require a quick, large-scale integration of new networks and/or users. With zero-trust access, organizations can onboard new systems and users with less stress and less risk. For interested CISOs, CIOs, and other stakeholders, we’ve designed a checklist for securely connecting new users after an M&A.

Executives overseeing M&As have seen the increased exposure to cybercrime that integration brings play out repeatedly. An IBM Institute for Business Value (IBV) survey found that, “More than one in three executives surveyed said they have experienced data breaches that can be attributed to M&A activity during integration. Almost one in five experienced such breaches post-integration.”

1. Assess Existing Security Measures

Once an organization decides to purchase another business, the first task for the CISO/security leader is to closely examine the security measures currently in place at the company in question. Check into their regulatory compliance, determine who has access to data and information, understand how third-party vendors and contractors connect, and identify which technologies and tools are used. 

Once you have a good understanding of the security measures the acquired business has in place, now you can take a deeper look at how effective those measures have been:

  • First, check for incidents of breaches and leaked data in the past. If these incidents occurred, examine the steps the company took to reduce exposure and improve security posture afterward.

  • Second, run a vulnerability assessment. You can use tools like vulnerability scanners, penetration tests, and more.

  • Third, examine if the company is using any vulnerable security tools, like VPNs or outdated antivirus software.

  • Fourth, aggregate your results and build a remediation plan for the acquired company to implement.

  • Finally, assume breach and integrate accordingly.

2. Find and Document Legacy Applications

Many companies operate on a policy of “if it ain’t broke, don’t fix it” when it comes to updating certain homegrown and legacy applications. While this may seem economical, it can lead to massive headaches and security risks during an M&A. It’s best to have a comprehensive inventory of legacy applications to better understand what points of failure exist in your new cybersecurity ecosystem.

Once you’ve cataloged all these new legacy systems, you can create a strategy for how to best modernize them. Thankfully, tools like Cyolo’s zero-trust access platform exist to help bring these outdated applications in line with modern cybersecurity practices like multi-factor authentication (MFA) and single sign-on (SSO). 

3. Build New Access Policies

Fusing users from two separate groups into one requires new access policies that will enable seamless connectivity. For example, if a user from each company has the same IP address, or two apps require different Java versions, this can cause a lot of confusion within the system.

Fortunately, access control is where the zero-trust model shines. Zero trust lets you connect users instantly without migrating users or networks, all while still enforcing the security regulations of the purchasing company. By creating policies that determine which devices and users can access which systems and applications, zero trust can connect separate user groups in days instead of weeks or months.

Companies also don’t necessarily need to undergo a resource-intensive migration process, because zero-trust access isn’t network- or IP-dependent. Instead, it grants access based on identity. For example, when migrating an IdP, e.g., Azure AD or Okta, zero trust connects straight to the new IdP, without moving the users or even touching them. In addition, if the company does decide to migrate, zero trust can offer connectivity support and ensure migration takes place with little to no downtime. This can be a massive boost to your company’s productivity in the wake of an M&A.
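As an added example (not Cyolo's code and not part of the original post), here is a small identity-based access decision in Python that illustrates the point above: the source IP is logged but never consulted, so a user from each company arriving from the same address does not collide, and the purchasing company's MFA and device rules apply no matter which IdP issued the identity. The tenant names, groups and policies are constructed for the example.

```python
# Added example, not Cyolo's code: identity-based access decisions that ignore
# source IP, so overlapping address ranges from two merged companies never collide.
from dataclasses import dataclass


@dataclass(frozen=True)
class Request:
    idp: str             # which IdP issued the identity: "acquirer" or "acquired" (constructed)
    user: str
    groups: frozenset    # group claims from that IdP
    mfa_verified: bool   # did the IdP assert a completed MFA step?
    device_managed: bool # device posture reported by the client
    source_ip: str       # kept for audit logs only; never used in the decision
    app: str


# Access policies of the purchasing company, keyed by application (constructed sample).
# Groups are qualified by IdP so "finance" at either company maps to a distinct principal.
POLICIES = {
    "payroll":    {"groups": {"acquirer:finance", "acquired:finance"}, "mfa": True,  "managed_device": True},
    "legacy-crm": {"groups": {"acquired:sales"},                       "mfa": True,  "managed_device": False},
    "wiki":       {"groups": {"acquirer:all", "acquired:all"},         "mfa": False, "managed_device": False},
}


def decide(req: Request) -> tuple:
    """Return (allowed, reason). Identity and device posture decide; req.source_ip does not."""
    policy = POLICIES.get(req.app)
    if policy is None:
        return False, "unknown application"
    qualified = {f"{req.idp}:{g}" for g in req.groups}
    if not qualified & policy["groups"]:
        return False, "identity not in an allowed group"
    if policy["mfa"] and not req.mfa_verified:
        return False, "MFA required"
    if policy["managed_device"] and not req.device_managed:
        return False, "managed device required"
    return True, "allowed"


if __name__ == "__main__":
    # Two users, one from each company, both appearing from the same (overlapping) IP.
    alice = Request("acquirer", "alice", frozenset({"finance"}), True, True, "10.0.1.25", "payroll")
    bob = Request("acquired", "bob", frozenset({"sales"}), True, False, "10.0.1.25", "payroll")
    for r in (alice, bob):
        allowed, reason = decide(r)
        print(f"{r.idp}/{r.user} -> {r.app} from {r.source_ip}: {allowed} ({reason})")
```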

4. Integrate the Organizations & Get to Work!

Once you’ve set up these new access policies through zero trust, you’re now all set to implement them. You’ll be able to minimize potential points of entry for hackers, strengthen connectivity controls, and improve oversight all while keeping your users seamlessly connected from anywhere.

How Zero Trust Significantly Shortens M&A Time-to-Value

Once an M&A officially closes, a chaotic hurricane of action is set in motion. Cross-connecting new sites requires substantial planning and resources, both technical and organizational, but it is essential for building the business, ensuring technical capabilities, and complying with regulations and standards.

Zero trust can simplify and streamline this process. Instead of months and even years of discussions and implementation before connecting the merging companies, zero trust enables users to immediately and securely access any application they might need, regardless of network infrastructure. This means, instead of spending valuable time creating a new implementation plan, all you really need to do is determine policies, which can take less than an hour. 

With zero trust, organizations can save a significant amount of time, prevent endless IT headaches, and empower users to get to work quickly and securely.
