IAM in an M&A World: Finding the Right Balance Between Security and Efficiency
Make no mistake, the pace of mergers and acquisitions (M&A) has reached a fever pitch in the last year. Throughout 2021, M&A activity has continued to trend sharply upwards—with the rate of announcements projected to be the biggest ever in recorded history. Based on a recent report in S&P Global Market Intelligence, by the second quarter of 2021, the “total global M&A value surpassed $1 trillion,” and recent estimates from Refinitiv data place the value of pending or completed deals around $3.6 trillion this year—with more than $2.14 trillion attributed to the United States alone. This intensifying level of M&A deals has surpassed activity in 2020, accounting for a 24% jump in the last year to more than 35,128 deals, according to Refinitiv.
These staggering data aside, the real impact of M&A can be daunting for organizations trying to maximize the value of the merged or acquired company in light of all the complexities surrounding resources and access. It is crucial to strike the right balance between security and efficiency when it comes to managing access. While every organization faces ongoing access challenges, companies going through M&A activity are especially susceptible to access risks based on the significant changes in the business. In this blog, we will examine specific pressures that companies going through M&A can experience, and identify how to achieve the right balance between security and efficiency with strategic access management and identity governance policies and programs.
What Access Risks Can Arise During M&A Activity?
When organizations merge or companies are acquired, one of the most essential items to dig into right away is the levels of access employees currently have and what they need to successfully complete their jobs. Employees require access to multiple systems, applications, and data—from customer relationship management (CRM) platforms, human resource information systems (HRIS), and workforce collaboration tools to more specialized platforms, like accounting systems, banking software, or patient care applications.
And while access to these systems is paramount, too often, rapidly enabled single sign-on (SSO) access is granted to newly acquired employees, creating inherent risks to the organization. Obviously, the business needs to quickly provide access to new users, but it can create situations where access is granted without taking into account a least privileged approach.
According to the 2021 Identity and Access Management Report, 77 percent of organizations indicate having users with more access privileges than required. And that leaves them vulnerable to unauthorized access to sensitive data, applications or systems across their network—even if the unauthorized access is not intentional or by a threat actor.
Another access challenge that arises during M&A is underprovisioning employees. While it is better to err on the side of giving users too little access than too much, underprovisioning can lead to employee frustration and inefficiencies, especially for roles that require greater levels of access. When you do not provide enough access during the M&A integration process, it can disrupt productivity for the entire team, and it means specific users do not have the right access to do their jobs. For customer-facing or B2B roles, this can also impact the bottom line. Underprovisioning can also introduce an unexpected security risk—for critical job functions, a user without the appropriate level of access may be forced to borrow that access, creating a new element of risk and lack of accountability.
Unused or unnecessary entitlements can also present a major access risk where permissions are not needed, but are granted anyway. During the integration process, managers or application owners may avoid getting rid of unused or unnecessary entitlements because they are afraid it might interfere or impede user access. And subsequently, when new tools are introduced and older applications are retired, old security groups, profiles, and entitlements are not reviewed or adjusted. This can lead to access that is no longer approved for the user as well as unforeseen policy violations across applications, including segregation of duties (SoD) policy violations.
During M&A activity, some organizations may also only look at access that is directly assigned to employees, contractors, or contingent workers. But nested access, or access relationships stacked and hidden underneath the top tier of access, is often overlooked and not well understood. Nested access matters because assigning a single entitlement that contains nested access can actually grant more access than anticipated and open the organization to more risk.
Finally, and perhaps most importantly, during a merger or acquisition, understanding privileged account access is vital. Privileged accounts carry elevated levels of access to valuable data, with the ability to execute any application, collaboration tool, or transaction, typically with inadequate or no tracking or control. Often, hundreds of privileged accounts can exist between combined organizations and can be used to do virtually anything, with little or no oversight.
Achieving the Right Balance of Security and Efficiency During M&A Activity
Having an understanding of these critical access risks is essential during M&A as the pressures of the business place even greater demand on effectively managing user access. Organizations must identify how to achieve a balance between user security and efficiency. Too often, companies lean to one side or the other—either prioritizing security concerns at the cost of the user or customer experience, or emphasizing the ease of the user and customer experience in accessing company systems at the expense of security.
During some mergers or acquisitions, organizations may emphasize security over efficiency, causing employees to struggle with accessing company systems or requiring them to jump through multiple security hoops each time they want to access business applications. For example, when mergers occur in financial services between banks, sometimes frontline workers, like tellers or loan officers, may not have correct access levels to new core banking or loan origination software starting on day one—or the access may be disrupted in some way. This means they are unable to serve customers or borrowers accordingly—leading to a loss of reputation for the institution and causing potential financial loss as well.
Conversely, some M&A activity leads to companies focusing too much on creating an easy user experience for newly acquired employees, so organizational security suffers. For example, if a newly acquired senior accountant is given carte blanche access to the primary AP system, he may have the ability to both create a purchase order and approve it—violating a critical segregation of duties (SoD) policy that could have been avoided if security and efficiency were better balanced.
When companies come together, the challenge only grows without the right identity governance and access management approach. The growing number of systems, devices, applications, and users intensifies the complexity of identity and access management (IAM). During the critical M&A transition, many organizations lack a proactive and centralized process to manage and audit user accounts, and have very little visibility into the actual access levels users possess. Together, these factors make it very difficult to limit risk within the business, especially as newly acquired employees join or leave the organization.
Essential Identity and Access Management Programs During M&A
Achieving the right balance of security and efficiency during the merger and acquisition process requires companies to leverage strategic identity governance and access management programs throughout the course of M&A activity—and beyond.
- Role-Based Access Control: Prioritizing role-based access control enables companies going through M&A to restrict or provide access to resources based on a user’s role within the newly formed organization. By designing roles prior to or as part of the M&A planning activity, organizations can have solid, predefined, and preapproved access policies in place, and know specifically which access privileges each person needs, and what access to grant and remove. Roles aren’t directly tied to the title or position someone has, but rather defined by the access they need.
- Automated Provisioning: Another way to improve the balance between security concerns and the desire for user efficiency is to automate provisioning actions based on the user’s lifecycle. During M&A, this typically starts with the newly acquired employee joining the business and concludes with the user separating from the organization. In between these events are multiple changes and access requirements that must be managed closely. These provisioning tasks should be categorized as bulk requests and fulfillment throughout the M&A process.
- Privileged Accounts: Effectively managing privileged access has become a top priority for many organizations during M&A seeking to protect their data and systems from unauthorized users. With full control over privileged accounts, IT and security teams can help prevent internal and external attacks on critical systems before they start. Best-in-class privileged access management solutions centralize management of administrator profiles and restrict native privileged commands from being executed by unauthorized users. By offering granular control of privileged account delegation, companies can enforce which commands can be executed by role—eliminating password sharing and ensuring least privilege access is better enforced by giving privileged users only the access they need.
- Periodic Access Reviews: Organizations going through M&A activity should also take advantage of periodic access reviews. These include manager reviews, application owner reviews, role reviews, and even micro-certifications, to ensure a set of controls can quickly identify anomalous access. This means that when an access event is triggered where a newly acquired employee may have new or different access and entitlements than what is expected, or gains access through an outside process, commonly referred to as ‘out of band,’ a manager or business application owner will be alerted and can perform an access review immediately associated with the risk event.
- Identity Analytics: Organizations that want to mitigate access risks should leverage intelligence to understand what risks are most pressing in their organization. In fact, the success of identity and access management programs can be greatly improved through identity analytics that increase visibility and insight into an environment. This means gaining a comprehensive view and analysis of the relationships between identities, access rights, policies, and resources across each company that is part of the M&A activity.
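To make the nested-access, SoD and "out of band" risks above concrete, here is an added example (not the post's own code and not Core Security's product logic) that resolves nested group membership into a user's effective entitlements, checks the create-versus-approve purchase order SoD rule from the accountant scenario, and flags entitlements held outside the user's pre-approved role, which is what a periodic access review is meant to catch. All group, role and user data below is constructed.

```python
from collections import deque

# Constructed sample data: group -> members (users or nested groups)
GROUP_MEMBERS = {
    "ap-clerks": {"alice", "bob"},
    "ap-approvers": {"carol"},
    "ap-all": {"ap-clerks", "ap-approvers"},     # nested one level
    "finance-admins": {"ap-approvers"},          # nested: approvers silently inherit admin rights
}
GROUP_ENTITLEMENTS = {
    "ap-clerks": {"ap:create_po"},
    "ap-approvers": {"ap:approve_po"},
    "ap-all": {"ap:view_invoices"},
    "finance-admins": {"ap:create_po", "ap:approve_po", "ap:admin"},
}
# Entitlements granted directly to a user outside any group or role ("out of band")
DIRECT_GRANTS = {"bob": {"ap:approve_po"}}
# Pre-approved role definitions and each user's assigned role
ROLE_ENTITLEMENTS = {
    "accountant": {"ap:create_po", "ap:view_invoices"},
    "controller": {"ap:approve_po", "ap:view_invoices"},
}
USER_ROLE = {"alice": "accountant", "bob": "accountant", "carol": "controller"}
# SoD rule from the post: nobody may both create and approve a purchase order
SOD_RULES = [({"ap:create_po", "ap:approve_po"}, "create and approve purchase order")]

def groups_of(user):
    """All groups containing the user directly or through nested membership."""
    found = {g for g, members in GROUP_MEMBERS.items() if user in members}
    queue = deque(found)
    while queue:
        child = queue.popleft()
        for parent, members in GROUP_MEMBERS.items():
            if child in members and parent not in found:
                found.add(parent)
                queue.append(parent)
    return found

def effective_entitlements(user):
    """Union of group-derived entitlements (nested groups resolved) and direct grants."""
    ents = set(DIRECT_GRANTS.get(user, set()))
    for g in groups_of(user):
        ents |= GROUP_ENTITLEMENTS.get(g, set())
    return ents

def review_user(user):
    """Flag SoD conflicts and anything beyond the user's pre-approved role."""
    ents = effective_entitlements(user)
    return {
        "entitlements": ents,
        "sod_violations": [name for pair, name in SOD_RULES if pair <= ents],
        "out_of_band": ents - ROLE_ENTITLEMENTS[USER_ROLE[user]],
    }
```

Running `review_user("carol")` shows the nested-access problem: her manager only granted "ap-approvers", yet she ends up with `ap:create_po` and `ap:admin` through "finance-admins" and violates the SoD rule.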
The Demands of M&A Require More of Identity and Access Management
It’s clear that the unprecedented level of M&A activity in 2021 is not slowing down any time soon. For those organizations going through the M&A experience, it is possible to achieve success by ensuring users have appropriate access levels and establishing solid identity and access management policies. Adopting a sound IAM approach goes a long way towards bolstering overall risk management and achieving the ideal balance between organizational security and user efficiency.
Ready to Improve Your Identity and Access Management Programs?
Get started today with your own personalized demo of Core Security Identity Solutions.