Third-party access management leaves organizations exposed
A survey of more than 1,000 IT security professionals exposes shortcomings in organizations' approach to managing third-party user identity and access that could leave them vulnerable to compromise.
The study by Dimensional Research for One Identity finds that while 94 percent of organizations grant third-party users access to their network, 61 percent admit they are unsure if those users attempted to or successfully accessed files or data they are not authorized to see.
Third-parties have privileged (administrative or superuser) access according to 72 percent, and only 22 percent say they know for certain their third-party users are not attempting to access or are successfully accessing unauthorized information. While 18 percent report third parties have attempted to or have successfully accessed unauthorized information.
Part of the problem is ineffective controls, only 21 percent of organizations immediately deprovision or revoke access for third-party users when the work they are doing for the company ceases. And 33 percent take more than 24 hours to deprovision third-party users or don't have a consistent deprovisioning process.
Only 15 percent are very confident that their third parties' follow access management rules, such as not sharing accounts and ensuring password strength, while 25 percent suspect third parties do not follow the rules or know for certain they don't. Even so 45 percent of respondents say they trust third-party users the same amount or more than their own employees to follow their organizations’ security policies.
Retail businesses are most at risk with 28 percent admitting that third-party users have successfully accessed or attempted to access files or data that they were not authorized to access. In other sectors, 20 percent of financial services organizations, 17 percent of technology organizations, and 14 percent of healthcare organizations have experienced the same.
"Third-party users are necessary in the day-to-day operations of most modern organizations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental," says Darrell Long, vice president of product management at One Identity. "Organizations must recognize that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third-party identities and access just as they would their own employees'."
You can find out more on the One Identity site.