How to avoid an identity management crisis during the M&A process| April 27, 2022
Mergers and Acquisitions are occurring at a record rate. They are a great way to create new opportunities, allowing enterprises to reach new markets, enable growth and lead to success for all involved. But according to most studies, acquisitions fail 70-80% of the time. Most explanations for these failures are because of problems with integration of the companies involved.
Much of the responsibility for transitioning falls onto the shoulders of IT and their leadership because of the digital nature of employee identities. Companies that are acquiring new ones frequently must manage different platforms and identity systems.
So how does IT leadership go about merging disparate systems and maintain security when organizations are in a vulnerable position?
THE M&A CHALLENGE
When a merger is completed, a lot of hard work lies ahead. Departments must be synced, meaning employees need to be able to communicate across additional locations and be able to access resources. This can be a slow and painful process.
The first thing to do is figure out how to get existing and newly acquired departments to work together. This means finance, IT, sales, and operations will see duplicate roles and there will be a lot of change and transition to manage. Roles will change, employees will leave or change positions and departments will be merged.
For IT that means there will be many user accounts that will need their roles updated, application access changed or revoked. The potential for orphan accounts increases dramatically raising the risk for security breaches. This means understanding which accounts belong to actual users is incredibly important.
CYBER SECURITY RISK IS INCREASED
Ghost accounts will build up without a strong approach to the employee exit process. Managing the process with a spreadsheet and phone calls is not an effective way to manage massive changes for hundreds or even thousands of employees.
Accounts that are left behind are not managed quickly and effectively are a prime target for cyber criminals. They have easy pickings and lots of opportunities to breach open accounts. Also, the risk of former employees exploiting their accounts is at it’s peak risk. And they an wreak havoc or cause catastrophic problems if they have privileged accounts or ones with administrative access.
The problem is compounded when you consider that this issue can be spread across multiple platforms and applications.
HOW TO MANAGE THE PROCESS
For IT and cyber security teams, it is best to begin by developing a basic understanding of the identities and platforms in use by all the organizations involved in the merger. Then find out how many accounts belong to real employees who are currently employed and how many are orphaned accounts that should be archived. This can become a manual process that involves HR as well as department managers.
Automating the process of identities is a way to increase the speed and accuracy of creating and managing identities that are still in use and discovering and archiving ones that are not. Having newly acquired employees enroll in an automated identity management system will get them into the existing IT ecosystem and allow them access to the proper applications. Then the security team can focus on cleaning up old identities and put all users on the same preferred platforms.
When a company has a quality identity management platform, IT and Security can quickly merge newly added employees into the existing system and clean up accounts that are no longer needed before cyber criminals and bad actors have a chance to exploit these weaknesses.