Nearly half of organizations suffer third-party security incidents

New research finds that 47 percent of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third-party accessing their network.

The study, carried out by the Ponemon Institute for Imprivata, also shows 64 percent of respondents believe these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months.

"Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent," says Joel Burleson-Davis, senior vice president of worldwide engineering, cyber, at Imprivata. "While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage."

Among the organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (53 percent), regulatory fines (50 percent), and severed relationships with the affected third-party or vendor (49 percent).

In addition, 34 percent say the attack involved the third-party having too much privileged access, though this is down from 70 percent in 2022 suggesting some tightening of security practices. However, a worrying 35 percent of respondents say they're unsure how the cyberattacks they suffered were perpetrated, a steep increase from just two percent in 2022.

As well as lack of oversight, 41 percent of respondents say insufficient resources or budget are a top barrier to reducing third-party risk. 44 percent believe managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the security of third-party access.

Burleson-Davis adds, "Third-party attacks won't stop, and no industry is immune to the issue. Automation, purpose-built capabilities and analytics can help IT teams gain greater visibility without extra burden, putting an end to the ongoing guessing game around third-party privileges."

The full report is available on the Imprivata site.

Image credit: Rawpixel/depositphotos.com