Significant gaps in third-party user access management practices are exposing organizations to cyber security risks
- Published: Thursday, 28 November 2019 09:15
One Identity has released new global research revealing that many organizations fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks.
Based on a survey of more than 1,000 IT security professionals conducted by Dimensional Research, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors and partners, to contractors and seasonal workers.
Among the survey’s most noteworthy findings is that while 94 percent of organizations grant third-party users access to their network, 61 percent admit they are unsure if those users attempted to access, or successfully accessed, files or data they are not authorised to access.
One Identity’s survey reveals that many organizations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise.
Additional key findings from the report include:
Third-party user access to the corporate network is ubiquitous, but what information those users access is worryingly unclear at many organizations:
- 94 percent of respondents say that third parties access their network; 72 percent give third parties privileged (administrative or superuser) access.
- Only 22 percent know for certain that their third-party users are not attempting to access, or successfully accessing, unauthorised information.
- Nearly one in five (18 percent) report third parties have attempted to access, or successfully accessed, unauthorised information; more than three in five (61 percent) don’t know for certain if this has happened.
Ineffective third-party user lifecycle management practices are widespread, which puts organizations at increased risk.
- Only 21 percent of organizations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
- One-third (33 percent) of organizations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.
Organizations predominantly lack confidence that third-party users follow security best practices and policies, and probably trust them too much:
- Only 15 percent are very confident that their third parties follow access management rules, such as not sharing accounts and ensuring password strength.
- One in four (25 percent) suspect third parties do not follow the rules or know for certain they do not.
- However, 45 percent of respondents trust third-party users the same amount or more than they do their own employees to follow their organizations’ security policies.
Retail is the most at-risk industry when it comes to third-party access:
- Nearly three in ten (28 percent) retail organizations admit third-party users have successfully accessed or attempted to access files or data that they were not authorised to access.
- One in five (20 percent) of financial services organizations, 17 percent of technology organizations, and 14 percent of healthcare organizations have experienced the same.
- One in four (25 percent) respondents from retail organizations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18 percent of technology organizations, just 10 percent of healthcare organizations and only 10 percent of manufacturing organizations.