The Third-party Access and Compromise study reveals figures that should raise eyebrows and set security alarms ringing before disaster strikes.

New research released on 26 Nov has revealed that many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks.  

The survey of more than 1,000 IT security professionals evaluated organizations’ approaches to identity and access management (IAM) and privileged access management (PAM). It included how these two protocols apply to third-party users—from vendors and partners to contractors and seasonal workers.  

According to Gartner, the majority of organizations today rely on an increasing number of third-parties for business services compared to three years ago. With an expanding group of users gaining access to an organization’s network comes an expanding cybersecurity risk surface. It is critical that businesses take proper steps to manage and govern third-party users and their access in the same way that they manage and govern internal users.

However, the new survey reveals that many organizations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise. Additional top findings from the report include:  

Third-party user access to the corporate network is ubiquitous, but what information those users access is worryingly unclear at many organizations. 

  • 94% percent of respondents say that third parties have access to their network while 74% give third-parties privileged (administrative or superuser) access.
  • Only 21% know for certain their third-party users are not attempting to access or are successfully accessing unauthorized information. 
  • 13% report third parties have attempted to or successfully accessed unauthorized information; more than three in five (66%) don’t know for certain if this has happened.

Ineffective third-party user lifecycle management practices are widespread, which puts organizations at increased risk. 

  • Only 22% of organizations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
  • One-third (32%) of organizations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.

Organizations predominantly lack confidence that third-party users follow security best practices and policies—and likely trust them too much. 

  • Only 13% are very confident that their third parties’ follow access management rules, such as not sharing accounts and ensuring password strength.
  • One in five (19%) suspect third parties do not follow the rules or know for certain they do not. 
  • However, 38% of respondents trust third-party users the same amount or more than they do their own employees to follow their organizations’ security policies.

Respondents varied in their trust levels  

  • Among all respondents, employees were consistently the most trusted group to adhere to organization security policies. For the Asia/Oceania region, employees in Singapore were the most trusted (62%) to do so, followed by those in Hong Kong (57%). Australia/New Zealand employees ranked 6th (50%) among the seven groups, just before France (49%).
  • In France, third parties (18%) were more trusted than in any of the other respondents. This was followed by Australia/NZ third parties (12%). In Singapore, only 5% of respondents trusted third parties, and this was 8% in Hong Kong.
  • In Singapore, while 92% of organizations grant third-party users access to their network, 60% admit they are unsure if those users attempted to or successfully accessed files or data they are not authorized to access, hinting towards a huge security lapse.

Globally, retail is the most at-risk industry when it comes to third-party access. 

  • Nearly three in 10 (27%) retail organizations admit third-party users have successfully accessed or attempted to access files or data that they were not authorized to access. 
  • One in five (20%) of financial services organizations, 17% of technology organizations, and 14% of healthcare organizations have experienced the same. 
  • One in four (25%) respondents from retail organizations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18% of technology organizations, just 10% of healthcare organizations and only 10% of manufacturing organizations.

Said Darrell Long, Vice President of Product Management, One Identity, the identity authentication specialist that commissioned the survey: “Third-party users are necessary in the day-to-day operations of most modern organizations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental. Organizations must recognize that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third-party identities and access just as they would their own employees.”

In order for organizations to prevent becoming the next victim of a breach due to unauthorized third-party user access, as has happened in prominent recent breaches, a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical.

According to One Identity’s “Third-party Access and Compromise” study, many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.