A survey of 1,942 IT and IT security practitioners finds nearly half (47%) work for organizations that have experienced a data breach or cyberattack in the past 12 months that involved a third-party that has access to their network.
Conducted by the Ponemon Institute on behalf of Imprivata, a provider of a platform for managing digital identities, the survey also finds nearly half (48%) of respondents reporting third-party remote access has been the most common attack vector.
More troubling still, nearly two-thirds expect data breaches involving third parties will increase or remain the same for the next 12 to 24 months.
Joel Burleson-Davis, senior vice president of worldwide engineering for cyber at Imprivata, said that while there is a lot of awareness of the risks that third-party service providers represent, the amount of effort required to verify that each of the connections is secure is significant. As a result, many organizations find they are implicitly trusting third parties without verifying the level of security being attained and maintained, he added. The survey, for example, finds more than a third (34%) of organizations impacted by a cyberattack involving a third-party had granted too much privileged access. Well over half (58%) said they believe their security strategy to address privileged access risks is inconsistent or non-existent.
A total of 41% of respondents also noted that insufficient resources or budget are a top barrier to reducing third-party risk. In fact, 44% said managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the level of security being applied to third-party access.
Even when policies are put in place, however, there inevitably will be a significant amount of drift that results in breaches that should have been prevented, noted Burleson-Davis. Organizations need to continuously monitor who is accessing what application and systems to ensure cybersecurity mandates are being followed, he added.
Overall, the survey finds that among organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences were the loss or theft of sensitive and confidential information (53%), regulatory fines (50%), and severed relationships with the affected third-party or vendor (49%).
The sad truth is there are still a lot of organizations that have no idea how they might have been compromised. The survey, for example, notes that more than one-third (35%) of respondents said they were unsure how the cyberattacks they suffered were perpetrated.
It’s not feasible for most organizations to simply eliminate all remote access to applications and systems. There needs to be a review of who has access to what applications and systems for what purposes, with the appropriate security controls then applied. The challenge is that remote access privileges are often granted by internal IT teams at the behest of a business unit without anyone considering the cybersecurity implications. Cybersecurity teams need to find a way to continuously audit who has been granted remote access, said Burleson-Davis.
There may come a day when artificial intelligence (AI) makes it more practical to conduct audits in near real time. However, in the meantime, if remote access is one of the primary root causes of cybersecurity breaches, it behooves most organizations to rethink how those privileges are being granted.
