Every day on LinkedIn, you can find another happy announcement from a company that just bought another company, prompting cheers and congrats all around.
And while it’s typically great news for investors (and, sometimes, employees) when one company welcomes another company into the family, these unions can sometimes spell trouble for IT and security teams working hard to protect their own identity systems from cyberattacks. (Even before the deal is closed, cybersecurity concerns can derail the plan.)
Anyone who’s been involved in mergers and acquisitions (M&A) activity knows the drill: On Day 1 of the announcement, there’s a sudden urgency for both companies to access the same files, have the same company email domain, merge accounts with third-party vendors – and the list goes on. All this access enablement requires the two companies’ identity systems to work together.
The rush to provide seamless access can have disastrous security consequences: 62 percent of organizations state that they face significant cybersecurity risks by acquiring new companies and that cyber risks are their biggest concern post-acquisition.
Mergers and acquisitions expand the attack surface by inviting in a group of users that haven’t been part of the acquiring company’s security program. They also merge identity and access management (IAM) infrastructure, policies and administrative processes that might not share the same cybersecurity standards.
And the potential for exposure is higher if both companies rely on active directory (AD) as their core identity store – as 90% of businesses worldwide do. AD is a soft target for cyberattacks because of inherent security gaps (due to its age) and misconfigurations that have accumulated over the years. Bringing two companies’ active directory configurations together in a way that gets business done – securely – can be a daunting task, requiring concerted effort between both companies’ IT and security teams.
Evaluating M&A Cybersecurity Risks Takes Time and Resources
Equipping teams with the necessary time and resources to conduct a thorough review of cybersecurity risks is critical to forestall potential attacks. Maintaining and increasing cybersecurity before, during, and after M&A activity requires:
- A strategic plan for evaluating the new acquisition’s active directory vulnerabilities as part of due diligence: Assessing the security posture on both sides of the merger should not be just a point-in-time exercise to close the deal, but an ongoing assessment of new risks and indicators of exposure or compromise. Tools like Purple Knight, a free AD security assessment tool, can help companies identify typical AD weak points. In addition, security assessments conducted frequently will help identify risky misconfigurations or malicious changes.
- Review of the vulnerabilities in hybrid identity system access points: The two merging companies will likely be at entirely different points in their journey to the cloud. Many organizations have implemented hybrid identity systems that use both on-premises AD and Azure AD – and those are particularly vulnerable to attacks, as in the SolarWinds breach. IT and security teams need to watch for security gaps in Azure AD connections that could open paths to on-premises active directory, and vice versa. As demand for access across organizations increases, continuous monitoring for new threats across the hybrid identity system is essential to block potential attack entry points.
- Visibility into advanced AD attacks that traditional logging solutions miss: The acquiring or the acquired company might have SIEMs or other solutions for threat detection, but some attack methods bypass these. Consider whether the merged organization’s current solutions can capture changes even if security logging is turned off, logs are deleted, agents are disabled or stop working, or malicious changes are injected directly into AD.
- Confidence that you can recover the newly acquired company’s AD forest if it’s attacked: Either the acquiring or acquired company might have a solid disaster recovery plan. But if it’s not cyber-resilient – meaning that you could quickly recover all the company’s domain controllers if attackers infected them or wiped them out – then the entire merged organization’s business operations are at risk.
Organizations that are on the M&A path are right to be concerned about the cybersecurity risks of joining two entities. However, a carefully developed plan for identity and access management between the two companies is essential to keep cyber attackers at bay during the transition period – when every cybersecurity process, protocol and assumption will be tested.
