Acquiring and merging with other companies is a high-octane growth strategy. In the tech industry, it’s often one of the best ways to acquire new products and highly skilled staff. Unlike organic growth, M&A growth practically happens overnight. There’s a dark side to high growth: stretching your cybersecurity protection too thinly across too many systems and users.
Why You Need This Access Management Checklist
Every acquisition brings a new level of risk and scale. Your business systems and processes are probably lagging. Many companies, even the best managed, get excited at the prospect of high growth. Seeing the P&L leap up 50%, 100%, or more is exciting. However, if you forget to invest in your systems, your M&A growth will lead to higher security risks. Worse, the impact of those risks will be magnified because you now have many more customers than you did before. Use our checklist to organize your work.
The Post M&A Access Management Checklist
The checklist is divided into sections; each one builds on the previous section. Work through each step to get the most benefit.
Discover the High-level Gaps
- Compare the cybersecurity policies for the organizations
Usually, large companies tend to have more processes and policies than small firms do. If you’ve acquired a small company, find out what policies or comparable processes it has for cybersecurity. You want to determine where there are different hard rules and expectations.
- Evaluate experience with cybersecurity incidents and problems
Find out how the companies have responded to real-life security incidents. This may include phishing, ransomware attacks, and beyond. An organization that has never been “battle-tested” is likely to struggle more than an experienced organization.
Tip: Don’t assume that you’re free from direct attack because you run a smaller company. Inc. Magazine reports that 50% of all cyber attacks target small companies.
- Determine management support for cybersecurity
Evaluating this factor is more difficult than the previous two points. There are two indirect ways to assess this point. First, look at the organization chart. Is there a manager or executive with clear accountability for cybersecurity? If the answer is no, you have a heightened risk exposure. Second, review executive presentations, town halls, and messages. How often are cybersecurity responsibilities emphasized? When employees see that managers only care about growth, security is likely to be a second-tier priority at best.
Dive Deeper into Access Management
Now what we know how the overall status of cybersecurity has been impacted by growth, let’s look more closely at access management.
- Are inactive user IDs managed?
In our experience, inactive user ID management is an acid test for how well the organization works. If one of the acquired companies has no process or list of inactive user IDs, that’s a red flag. You’ll need to work hard at getting an understanding of your inactive user IDs. Since inactive accounts tend to increase over time and attract little supervision, there’s a heightened risk of misuse.
- How Manual Is Access Management?
A strong desire to take care of access management is excellent, but it’s not enough. If staff members have to use spreadsheets and manually ask others to confirm their IDs by email, you have a manual process. When business gets frantic and busy, which is more likely than not in a high-growth company, these manual access management processes are likely to be ignored.
Tip: To assess the manual nature of the process, informally survey people from the acquired and acquirer. Find out how many steps are involved in managing access. Further, listen carefully for cases when employees sound frustrated, impatient, or bothered by access management. Those signs of discontent mean access management is likely to have gaps because it’s a frustrating process.
- What Access Management Software Is Used?
Do you have more than 10 employees? Do you have a software development team? If you answered yes to either question, you need to have access management software in place. As you continue to grow, take a step back and question whether your access management solution still makes sense. Reporting, controls, and audit logs all become more critical in a larger organization.
Using Compliance Auditor, you’ll never be in doubt about the state of your access oversight. All access history is kept in one place. That means your internal audit group can get everything it needs to review internal controls. For your managers, that means you’ll have faster, pain-free audits.
Tip: With M&A growth, it’s natural for different companies to have different access management packages in place. However, you should set a plan to standardize to a single solution. If you persist with multiple solutions, IT will have to scramble to manage around the gaps caused by using different applications.
- What Access Management Reporting Is in Place?
Question: Have you added new applications or had any employees change roles in the past 12 months? If so, then your plans for access are likely out of date. How do you get back on track? You need a reporting and monitoring program. There are two dimensions to making monitoring work.
- Software automation: Producing reports on demand must be easy. You need to know if access requests are being approved and denied according to your policies. In Compliance Auditor, your past decisions are stored so you can make faster decisions.
- Schedule: Adopt a monthly or quarterly schedule to verify access changes. If your M&A activity is high (i.e., more than one acquisition per year), consider increasing the frequency.
By following the two practices above, your security protections will keep pace with your growing organization.
What’s Next After You Get Access Management Under Control?
With access management controls in place, password control is your next stop. Find out how to provide better password management for your employees. If you have limited time, you might also want to use one-hour hacks to improve IT compliance.
