Customer story:
Bank assesses identity risk to complete merger and acquisition (M&A) safely
Assessing the security posture of another bank they are acquiring
Finding identity vulnerabilities – when they had no other solution
Tight and inflexible deadlines for the closing of the acquisition
Deployed Illusive for a one-time assessment of the bank being acquired
Comparison reporting against their own continuous assessments from Illusive
Full identity assessment of the acquired bank in less than 30 days
Discovered thousands of critical identity risks that were completely unknown
Concrete, quantitative data persuaded executive team to delay full IT integration until issues were addressed
I’M GLAD WE USED ILLUSIVE, EVERYONE SAW THE VALUE. IT’S A PLAYBOOK WE’LL CARRY FORWARD THROUGH THE NEXT M&A.”
A bank holding company and its affiliates provide consumers, small and middle-market businesses, corporations, municipalities, and other organizations with a comprehensive suite of banking and other financial services.
WE HAD AT MOST FOUR MONTHS, FROM THE ANNOUNCEMENT OF THE TRANSACTION TO THE CLOSING, TO EVALUATE THE OTHER BANK’S IT SECURITY POSTURE. WE NEEDED TO KNOW IF WE COULD TRUST THEM”
The company operates in an industry where consolidation is the norm. Over the last 20 years, the number of FDIC-insured commercial banks has dropped almost by half, primarily because of acquisitions. Each time this bank has gone through the process of a merger and acquisition (M&A), their IT department has needed to consolidate different systems, software, data, processes, and organizations. If any bank acquires an organization with a weaker IT security posture – or even one that’s unclear to them – it can put the company at risk. Conducting a security assessment is critical, and often it needs to be done under tight time constraints.
Since identity security underpins their entire security posture, getting an understanding of potential identity vulnerabilities at the acquired bank was critical. As an Illusive customer, the acquiring bank was familiar with the solution and highly valued its insights:
“We’d been using Illusive to continuously scan our workstations for six months or more, so we were familiar with the insights it could provide.” - Director of Cyber Security Engineering
With the help of the Illusive field engineering team, our customer had the acquired bank perform a wide-ranging identity assessment, a process which took less than 30 days from beginning to end.
The Illusive evaluation of the acquired bank was critical in producing a risk scorecard comparing the two IT organizations, and in this case, there was enough risk to convince executives that the IT environments needed to be kept separate, at least initially. Although there were several identity risk areas, one quickly jumped out:
“The smoking gun on this was the number of domain admins on their workstations, 3000 of them! It just showed the state of their security hygiene. Anyone compromising one of those workstations would have had control of the whole environment. They didn’t know about it either, so they worked on cleaning that up.” - Director of Cyber Security Engineering.
The overall results of the Illusive comparison were compelling.
“It would have been a lot harder discussion without Illusive – to justify the increased protection we felt we needed at that initial point.” - Director of Cyber Security Engineering.
In addition to M&A situations, the bank uses Illusive to continuously scan their own environment for identity vulnerabilities, as part of a complete solution for threat and vulnerability management.
