Imprivata releases new global research with the Ponemon Institute which found that 47% of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third-party accessing their network, representing similar levels from when the study was conducted two years ago. Notably, 64% of respondents say these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months, indicating the problem is here to stay.
Titled “The State of Third-Party Access in Cybersecurity,” the report surveyed nearly 2,000 IT security practitioners worldwide and found increased awareness of the security risks associated with third-party access, likely due to organizations being impacted first-hand by a security incident. However, despite efforts to address third-party risk, it remains a challenge to do so based on inconsistent and immature security strategies. In fact, nearly half (48%) of organizations agree that third-party remote access is becoming the most common attack surface.
“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” says Joel Burleson-Davis, senior vice president of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”
Key Takeaways:
- Of the organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (53%), regulatory fines (50%) and severed relationships with the affected third-party or vendor (49%).
- Additionally, 34% say the attack involved the third-party having too much privileged access, down from 70% in 2022. This trend suggests that businesses are improving their ability to provide appropriate access levels to third parties, but there is still room to strengthen their overall security strategies within their organization.
- As organizations try to respond to the looming third-party threat, they are struggling. More than one-third (35%) of respondents said they were unsure how the cyberattacks they suffered were perpetrated, a stark increase from just 2% in 2022. Organizations have limited visibility into how vendors are accessing their network, creating a massive blind spot.
- In addition to lack of oversight, 41% of respondents say insufficient resources or budget are a top barrier to reducing third-party risk. In fact, 44% believe managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the security of third-party access.
- Today, most (58%) respondents believe their security strategy to address privileged access risks is inconsistent or non-existent, creating an immediate opportunity to address the issue head-on.
