One Identity has released new global research revealing that many organisations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks.
Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organisations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors and partners, to contractors and seasonal workers. Among the survey’s most noteworthy findings are that while 94% of organisations grant third-party users access to their network, 61% admit they are unsure if those users attempted to access, or successfully accessed, files or data they are not authorised to access.
According to Gartner, the majority of organisations today rely on an increasing number of third parties for business services compared to three years ago. With an expanding group of users gaining access to an organisation’s network comes an expanding cybersecurity risk surface, and it is critical that businesses take the proper steps to manage and govern third-party users and their access in the same way they manage and govern internal users. However, One Identity’s survey reveals that many organisations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise. Additional top findings from the report include:
- Third-party user access to the corporate network is ubiquitous, but what information those users access is worryingly unclear at many organisations.
  - Ninety-four percent of respondents say that third parties access their network; 72% give third parties privileged (administrative or superuser) access.
  - Only 22% know for certain their third-party users are not attempting to access, or successfully accessing, unauthorised information.
  - Nearly one in five (18%) report third parties have attempted to access, or successfully accessed, unauthorised information; more than three in five (61%) don’t know for certain if this has happened.
- Ineffective third-party user lifecycle management practices are widespread, which puts organisations at increased risk.
  - Only 21% of organisations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
  - One-third (33%) of organisations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.
- Organisations predominantly lack confidence that third-party users follow security best practices and policies—and likely trust them too much.
  - Only 15% are very confident that their third parties follow access management rules, such as not sharing accounts and ensuring password strength.
  - One in four (25%) suspect third parties do not follow the rules or know for certain they do not.
  - However, 45% of respondents trust third-party users the same amount or more than they do their own employees to follow their organisations’ security policies.
- Retail is the most at-risk industry when it comes to third-party access.
  - Nearly three in 10 (28%) retail organisations admit third-party users have successfully accessed or attempted to access files or data that they were not authorised to access.
  - One in five (20%) of financial services organisations, 17% of technology organisations, and 14% of healthcare organisations have experienced the same.
  - One in four (25%) respondents from retail organisations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18% of technology organisations, just 10% of healthcare organisations and only 10% of manufacturing organisations.
“Third party users are necessary in the day-to-day operations of most modern organisations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental,” said Darrell Long, vice president of Product Management, One Identity. “Organisations must recognise that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third party identities and access just as they would their own employees’.”
To avoid becoming the next victim of a breach caused by unauthorised third-party user access, as has happened in prominent recent breaches, organisations need a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA). According to One Identity’s “Third Party Access and Compromise” study, many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.
One Identity helps organisations tackle their biggest IGA and PAM challenges across all users, including third parties. It offers an end-to-end suite of identity governance and administration and privileged access management solutions designed to virtually eliminate the complexities and time-consuming processes often required to properly manage and govern identities across standard users and privileged users, and across the hybrid enterprise, including the ubiquitous AD / Azure AD environments. In doing so, One Identity helps organisations minimise third-party access challenges and risks, putting them in a better position to defend themselves from breaches and other security incidents.