Do third-party users follow security best practices and policies?
Many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks, One Identity reveals.
Most organizations grant third-party users access to their network
Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors and partners, to contractors and seasonal workers.
Among the survey’s most noteworthy findings are that while 94% of organizations grant third-party users access to their network, 61% admit they are unsure if those users attempted to or successfully accessed files or data they are not authorized to access.
Relying on third parties
According to Gartner, the majority of organizations today rely on an increasing number of third parties for business services compared to three years ago.
With an expanding group of users gaining access to an organization’s network comes an expanding cybersecurity risk surface, and it is critical that businesses take the proper steps to manage and govern third-party users and their access in the same way they manage and govern internal users.
However, the survey reveals that many organizations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise.
“The reality is that most companies’ security and compliance programs fail to gain the altitude necessary to see over the horizon and gain a line of sight that exposes the activities of their vendors and partners. In a recent report by eSentire on supply chain risk, nearly half (44 percent) of firms had experienced a significant, business-altering data breach caused by a vendor. What’s worse, only 15 percent of firms reported that their vendor notified them when a breach occurred. Human error and stolen passwords accounted for 26 percent of the breaches, while malware played a key role in half of the attacks. Of the nearly 250 companies that experienced a breach, 32 percent affected personally identifiable data, 29 percent included payment information, and 24 percent exposed proprietary business data,” said Mark Sangster, VP and Industry Security Strategist, eSentire.
Third-party user access to the corporate network is ubiquitous
- Ninety-four percent of respondents say that third parties access their network; 72% give third parties privileged (administrative or superuser) access.
- Only 22% know for certain that their third-party users are neither attempting to access nor successfully accessing unauthorized information.
- Nearly one in five (18%) report third parties have attempted to or successfully accessed unauthorized information; more than three in five (61%) don’t know for certain if this has happened.
Ineffective third-party user lifecycle management practices are widespread
- Only 21% of organizations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
- One-third (33%) of organizations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.
Organizations lack confidence in third party users
- Only 15% are very confident that their third parties follow access management rules, such as not sharing accounts and ensuring password strength.
- One in four (25%) suspect third parties do not follow the rules or know for certain they do not.
- However, 45% of respondents trust third-party users the same amount or more than they do their own employees to follow their organizations’ security policies.
Most at-risk industries
- Nearly three in 10 (28%) retail organizations admit third-party users have successfully accessed or attempted to access files or data that they were not authorized to access.
- One in five (20%) financial services organizations, 17% of technology organizations, and 14% of healthcare organizations have experienced the same.
- One in four (25%) respondents from retail organizations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18% of technology organizations, just 10% of healthcare organizations and only 10% of manufacturing organizations.
“Companies are on the hook for their vendor’s performance and activities. Tight contractual controls can help, but in the event of a public security incident, it’s the public-facing company in the supply chain that ends up suffering the consequences. Looking at the Dimensional Research on third party risk, the most worrisome implication for me is the notion of answers like ‘probably not, but we can’t be sure’ or ‘I don’t know.’ I am in a world where privacy laws, compliance rules and security accountability are merging to form a Venn diagram with unprecedented overlap, and there is no room for wishy-washy responses. It’s a binary world—yes or no. You either have control of your vendors, or you are at their mercy,” Sangster concluded.
To avoid becoming the next victim of a breach caused by unauthorized third-party user access, as has happened in prominent recent breaches, organizations need a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA).
Many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.
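The deprovisioning gap described in the lifecycle findings above (only 21% revoke access immediately, 33% take more than 24 hours or have no consistent process) is something a practitioner can measure rather than estimate. The following is an added example, not code from the survey, One Identity or any product: it reconciles a constructed third-party account roster (usernames, vendors, engagement end dates and revocation timestamps are all invented for the example) against a 24-hour deprovisioning threshold, buckets each account the way the survey does, and lists still-active accounts whose engagement has ended, calling out privileged ones first. The field names and the one-hour definition of "immediate" are assumptions for this example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

UTC = timezone.utc


@dataclass
class ThirdPartyAccount:
    """One row of a third-party roster as an IGA export might provide it (assumed schema)."""
    username: str
    vendor: str
    engagement_end: datetime            # contracted work ended at this time
    access_revoked: Optional[datetime]  # None means the account is still enabled in the IdP
    privileged: bool                    # administrative / superuser rights


# Constructed roster for this example; every name and date is invented.
SAMPLE_ROSTER: List[ThirdPartyAccount] = [
    ThirdPartyAccount("vendor-ops-01", "Acme Logistics",
                      datetime(2020, 1, 1, tzinfo=UTC), datetime(2020, 1, 1, 0, 30, tzinfo=UTC), False),
    ThirdPartyAccount("contractor-dev-02", "Example Consulting",
                      datetime(2020, 1, 2, tzinfo=UTC), datetime(2020, 1, 2, 18, 0, tzinfo=UTC), False),
    ThirdPartyAccount("partner-admin-03", "Example Partner Co",
                      datetime(2020, 1, 3, tzinfo=UTC), datetime(2020, 1, 6, tzinfo=UTC), True),
    ThirdPartyAccount("seasonal-04", "Example Staffing",
                      datetime(2020, 1, 5, tzinfo=UTC), None, False),
    ThirdPartyAccount("msp-root-05", "Example MSP",
                      datetime(2020, 1, 8, tzinfo=UTC), None, True),
    ThirdPartyAccount("vendor-support-06", "Acme Logistics",
                      datetime(2020, 2, 1, tzinfo=UTC), None, False),
]

# Fixed "now" so the report is reproducible; a real run would use datetime.now(UTC).
REPORT_NOW = datetime(2020, 1, 10, tzinfo=UTC)

IMMEDIATE_HOURS = 1.0   # assumption: "immediately deprovisioned" = revoked within one hour
SLA_HOURS = 24.0        # the 24-hour threshold the survey asks about


def deprovisioning_lag_hours(acct: ThirdPartyAccount, now: datetime) -> float:
    """Hours between the end of the engagement and revocation (or `now` if still active)."""
    end = acct.access_revoked if acct.access_revoked is not None else now
    return (end - acct.engagement_end).total_seconds() / 3600.0


def classify(acct: ThirdPartyAccount, now: datetime) -> str:
    """Bucket an account the way the survey findings do."""
    if acct.engagement_end > now:
        return "active-engagement"          # nothing to revoke yet
    if acct.access_revoked is None:
        return "overdue-still-active"       # engagement over, account still enabled
    lag = deprovisioning_lag_hours(acct, now)
    if lag <= IMMEDIATE_HOURS:
        return "immediate"
    if lag <= SLA_HOURS:
        return "within-24h"
    return "over-24h"


def deprovisioning_report(roster: List[ThirdPartyAccount], now: Optional[datetime] = None) -> Dict:
    """Count accounts per bucket and list the ones that need revocation now, privileged first."""
    now = now or datetime.now(UTC)
    counts: Dict[str, int] = {}
    needs_revocation: List[str] = []
    privileged_needs_revocation: List[str] = []
    for acct in roster:
        bucket = classify(acct, now)
        counts[bucket] = counts.get(bucket, 0) + 1
        if bucket == "overdue-still-active":
            needs_revocation.append(acct.username)
            if acct.privileged:
                privileged_needs_revocation.append(acct.username)
    # Share of completed engagements that were deprovisioned immediately (the survey's 21% figure).
    completed = sum(n for bucket, n in counts.items() if bucket != "active-engagement")
    immediate_pct = 100.0 * counts.get("immediate", 0) / completed if completed else 0.0
    return {
        "counts": counts,
        "needs_revocation": needs_revocation,
        "privileged_needs_revocation": privileged_needs_revocation,
        "immediate_pct": immediate_pct,
    }


if __name__ == "__main__":
    report = deprovisioning_report(SAMPLE_ROSTER, REPORT_NOW)
    for bucket, n in sorted(report["counts"].items()):
        print(f"{bucket:22s} {n}")
    print("revoke now (privileged first):",
          report["privileged_needs_revocation"] + [u for u in report["needs_revocation"]
                                                    if u not in report["privileged_needs_revocation"]])
    print(f"immediately deprovisioned: {report['immediate_pct']:.0f}% of completed engagements")
```

Run against a real roster, the "overdue-still-active" list is the actionable output: the privileged entries are the ones to revoke first, and the immediate percentage gives a number to track against the 21% the survey reports.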