In a major indication of why organisations remain vulnerable to data leaks and theft, a global survey has found that 94% of organisations are giving third-party users access to their network and 72% of them are granting third parties privileged permissions to access sensitive data.
The survey of over 1,000 IT security professionals commissioned by One Identity found that while there are very few organisations that refuse to grant network access to third parties, what is more worrying as far as cyber security is concerned is that 61% of organisations that grant such access are unsure if third parties attempted to or successfully accessed files or data they are not authorised to access.
The fact that a majority of organisations are unable to monitor the activities of third parties after granting them access to their networks indicates that organisations are a long way away from putting in place stringent privileged access management policies or partitioning sensitive data from data that can be shared with third parties.
Third parties being granted unrestricted and unmonitored access to sensitive data
While it is true that today’s large organisations are heavily reliant on third-party vendors and suppliers, this does not justify the uncontrolled and uninhibited sharing of sensitive data with third parties who have no legitimate basis to access or process such data. However, the fact is that 72% of organisations worldwide are now allowing third parties to enjoy administrative access to their networks.
Responding to One Identity’s survey, only 22% of IT security professionals said they knew for sure that their third-party users were neither attempting to access nor successfully accessing unauthorised information, and 18% said that third parties attempted to or successfully accessed unauthorised information.
“Third party users are necessary in the day-to-day operations of most modern organisations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental,” said Darrell Long, vice president of Product Management, One Identity.
“Organisations must recognize that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third party identities and access just as they would their own employees,” he added.
Many security professionals are not sure if third parties accessed or shared sensitive data without authorisation
The survey also revealed that while only 21% of companies immediately revoke access for third parties when their work for the company ceases, 33% of them either take more than 24 hours to revoke third party access or do not have a consistent deprovisioning process at all.
What’s more, only 15% of IT security professionals are confident that third parties who accessed their companies’ networks followed access management rules, such as not sharing accounts and ensuring password strength, and 25% either suspect or are certain that third parties are not following access management rules.
“In order for organisations to prevent becoming the next victim of a breach due to unauthorized third party user access, as has happened in prominent recent breaches, a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical.
“Many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed,” the firm noted.