Third-party contractors and related entities with remote, privileged access to organisational IT systems are increasingly the cause of data breaches, according to a newly published report produced by SecureLink and the Ponemon Institute. It highlights an “alarming” disconnect between how organisations perceive threat from third-party access, and the security measures they deploy.
The report, A crisis in third-party remote access security, demonstrates that many organisations are failing to take the right precautions to cut back on third-party remote access risk and are therefore exposing their systems to data breaches, and putting themselves at risk of penalty under various data protection standards, such as the General Data Protection Regulation (GDPR).
All told, 44% of organisations had suffered a third-party breach in the past 12 months, and 74% of those said the incident came about because they gave up too much privileged access.
“The findings in this report showcase the lack of security, management and accountability that is needed to adequately secure third-party remote access, which is very worrying,” said SecureLink CEO Joe Devine.
“While recent high-profile breaches have done a good job of highlighting the serious risks of unsecure vendor relationships, there is still a lot of work to be done to shift organisations’ mindset when it comes to protecting not only their data, but their customer and partner data too,” he said.
SecureLink said more than half of companies that outsource critical business processes say their organisations are not assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential data.
The firm added that although it appears organisations do view third-party remote access as a source of cyber threat, few are prioritising it, with 63% saying they did not evaluate their third-party partners’ security and privacy practices because they were relying on the partner’s reputation.
According to Larry Ponemon, chairman and founder of the Ponemon Institute, this effectively guarantees a data breach.
“It is important that organisations assess the security and privacy practices of the third parties that have access to their networks and ensure they have just enough access to perform their designated responsibilities and nothing more,” said Ponemon.
The report also found that 54% of organisations do not have a comprehensive inventory of all third parties with access to their network, and 65% did not know which had access to their most sensitive data. Also, 63% admitted their organisation did not have visibility into the level of access and permissions for internal and external users alike, leaving security teams in the dark as to who has network access, when they are on the network, and why they are there.
Some 54% of respondents also said they were not monitoring the security and privacy practices of their service providers, and 59% said they had not centralised control over third parties, mostly because of complexity in their various relationships.
“Organisations need to stop taking a fingers-crossed approach to third-party security,” said Devine. “The truth is, if you don’t have the right protocols and tools in place, a data breach is likely inevitable.
“Define who is responsible in the business and start by prioritising network transparency, enforcing least-privilege or zero-trust access, and constantly evaluating existing third-party security practices to ensure you meet the evolving threat.”
