47% of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third-party accessing their network, according to Imprivata and the Ponemon Institute.
Third-party security incidents persist
Notably, 64% of respondents say these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months, indicating the problem is here to stay.
The report surveyed nearly 2,000 IT security practitioners worldwide and found increased awareness of the security risks associated with third-party access, likely due to organizations being impacted first-hand by a security incident.
However, despite efforts to address third-party risk, it remains a challenge to do so based on inconsistent and immature security strategies. In fact, 48% of organizations agree that third-party remote access is becoming the most common attack surface.
Survey respondents were asked to approximate the cost to their organizations to restore access to third-party and privileged internal users, taking things like detecting, responding to, and recovering from a breach into consideration. While their responses were wide ranging, the average cost, per incident, was $88,000.
“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, SVP of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”
Businesses struggle with inconsistent resources
Of the organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (53%), regulatory fines (50%), and severed relationships with the affected third-party or vendor (49%).
Additionally, 34% say the attack involved the third-party having too much privileged access, down from 70% in 2022. This trend suggests that businesses are improving their ability to provide appropriate access levels to third parties, but there is still room to strengthen their overall security strategies within their organization.
As organizations try to respond to the third-party threat, they are struggling. 35% of respondents said they were unsure how the cyberattacks they suffered were perpetrated, a stark increase from just 2% in 2022. Organizations have limited visibility into how vendors are accessing their network, creating a massive blind spot.
In addition to lack of oversight, 41% of say insufficient resources or budget are a top barrier to reducing third-party risk. In fact, 44% believe managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the security of third-party access.
Today, 58% believe their security strategy to address privileged access risks is inconsistent or non-existent, creating an immediate opportunity to address the issue head-on.
Organizations still have work to do when it comes to privileged access – especially for third parties. Access security, for both internal users and third parties, needs to be made more efficient, and effective.