Many organisations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks, according to a new study commissioned by One Identity.
Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organisations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users, from vendors and partners to contractors and seasonal workers.
Among the survey’s most noteworthy findings for Singapore are that while 92% of organisations grant third-party users access to their network, 60% admit they are unsure whether those users attempted to or successfully accessed files or data they are not authorised to access, hinting at a serious security lapse.
According to Gartner, the majority of organisations today rely on an increasing number of third parties for business services compared to three years ago. With an expanding group of users gaining access to an organisation’s network comes an expanding cybersecurity risk surface. It is critical that businesses take proper steps to manage and govern third-party users and their access in the same way that they manage and govern internal users. However, One Identity’s survey reveals that many organisations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise.
Access is ubiquitous
The study reveals that 94% of respondents say that third parties have access to their network, while 74% give third parties privileged (administrative or superuser) access. Only 21% know for certain that their third-party users are not attempting to access, or successfully accessing, unauthorised information.
Meanwhile, 13% report third parties have attempted to or successfully accessed unauthorised information; more than three in five (66%) don’t know for certain if this has happened.
Ineffective practices are widespread
Only 22% of organisations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
One-third (32%) of organisations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.
Trusting too much
Only 13% are very confident that their third parties follow access management rules, such as not sharing accounts and ensuring password strength. One in five (19%) suspect third parties do not follow the rules or know for certain that they do not.
However, 38% of respondents trust third-party users the same amount or more than they do their own employees to follow their organisations’ security policies.
Retail is the most at-risk industry
Nearly three in ten (27%) retail organisations admit third-party users have successfully accessed or attempted to access files or data that they were not authorised to access.
One in five (20%) of financial services organisations, 17% of technology organisations, and 14% of healthcare organisations have experienced the same.
One in four (25%) respondents from retail organisations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18% of technology organisations, just 10% of healthcare organisations and only 10% of manufacturing organisations.
“Third-party users are necessary in the day-to-day operations of most modern organisations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental,” said Darrell Long, Vice President of Product Management, One Identity. “Organisations must recognise that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third-party identities and access just as they would their own employees’.”
“The results of our 2019 survey indicate third-party attacks are disruptive to organisations, with all respondents in Singapore reporting some sort of impact to their organisation due to unauthorised access to sensitive information. While organisations in Singapore have taken steps to mitigate the risk of third-party data breaches, there are still an alarming number who overlooked the possibility of these users acting as conduits for potential breaches. The leak of over 1.26 million individuals' personal information on a logistic platform in Singapore shows that having the right identity-centric strategy to secure privileged credentials needs to be a priority for organisations to prevent sensitive information from falling into the wrong hands,” said Serkan Cetin, Technical Director, APJ, One Identity.
In order for organisations to prevent becoming the next victim of a breach due to unauthorised third-party user access, as has happened in prominent recent breaches, a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical. According to One Identity’s “Third-party Access and Compromise” study, many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.