Why the Lack of Prioritization, Oversight, and Control of Third-Party Access Impacts Everyone
Tori Taylor • September 13, 2022
The hard truth is that every industry is vulnerable to cyberattacks and every industry has its own set of vulnerabilities. For some it could be a lack of resources; industries like education and government agencies simply don’t have the funding to support a holistic and robust cybersecurity program. For others, it could be a matter of headcount. The hiring gap is a huge roadblock for IT teams, so much so that it was listed as one of the biggest barriers to companies achieving a strong cybersecurity posture.
But across all industries, 67% agree that the number of cybersecurity incidents and data breaches involving a third party is increasing — a bad omen considering that most organizations are taking a more digital approach to operations and workflows.
Organizations can get a gauge on their cybersecurity posture by assessing how they’re handling their third parties and subsequently, third-party remote access.
In a cybersecurity framework, third parties are the transient and mysterious elements that aren’t easily managed. Their access is difficult to restrict because role-based access control, which is typically administered to employees through IAM or IGA systems, doesn’t fit the third-party use case. Fine-grained access controls are also harder to apply to remote access methods such as VPNs and desktop sharing, which expose more than a single application. Because of this, third parties are often given open and unmonitored access so they can reach the applications they need without friction. As a result, 70% of organizations say a data breach was caused by giving too much access to a third-party vendor.
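To make the inventory and least-privilege gaps concrete, here is an added example (not code from the original post or from the Ponemon report): a small audit that checks a third-party access inventory against a least-privilege policy and flags accounts with excess scopes, no internal owner, expired or idle grants, and coarse access methods such as VPN or desktop sharing. The vendor names, roles, scope names, thresholds and dates are constructed assumptions standing in for what an IAM/IGA or VPN account export would contain.

```python
"""Audit a third-party access inventory against a least-privilege policy.

Constructed example: vendors, roles, scope names, thresholds and dates
below are hypothetical placeholders, not data from any real system.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Set

# Policy: the scopes each vendor role is allowed to hold (least privilege),
# how long a grant may stay open before re-approval, and how long an
# account may sit unused before it is considered stale.
ROLE_SCOPES: Dict[str, Set[str]] = {
    "hvac-maintenance": {"bms-console"},
    "ehr-support": {"ehr-app", "ehr-logs"},
    "billing-vendor": {"billing-app"},
}
MAX_GRANT_DAYS = 90
MAX_IDLE_DAYS = 30
# Access methods that expose a network or a whole desktop rather than one
# application, so they cannot be narrowed to the role's scopes.
COARSE_METHODS = {"vpn", "desktop-share"}


@dataclass
class VendorAccount:
    account: str
    vendor: str
    role: str
    scopes: Set[str]
    owner: Optional[str]       # internal person accountable for this access
    granted: date
    last_used: Optional[date]
    method: str                # "vpn", "desktop-share" or "brokered"


def audit_account(acct: VendorAccount, today: date) -> List[str]:
    """Return the list of policy findings for one third-party account."""
    findings: List[str] = []
    allowed = ROLE_SCOPES.get(acct.role)
    if allowed is None:
        findings.append("unknown-role")
    else:
        excess = acct.scopes - allowed
        if excess:
            findings.append("excess-scopes:" + ",".join(sorted(excess)))
    if acct.owner is None:
        findings.append("no-owner")
    if (today - acct.granted).days > MAX_GRANT_DAYS:
        findings.append("grant-expired")
    if acct.last_used is None or (today - acct.last_used).days > MAX_IDLE_DAYS:
        findings.append("stale")
    if acct.method in COARSE_METHODS:
        findings.append("coarse-access-method")
    return findings


def audit_inventory(accounts: List[VendorAccount], today: date) -> Dict[str, List[str]]:
    """Audit every account and map account name to its findings."""
    return {a.account: audit_account(a, today) for a in accounts}


def summarize(results: Dict[str, List[str]]) -> Dict[str, int]:
    """Count how many inventoried accounts have at least one finding."""
    noncompliant = sum(1 for f in results.values() if f)
    return {"accounts": len(results), "noncompliant": noncompliant}


# Constructed inventory (hypothetical vendors and dates).
TODAY = date(2022, 9, 13)
SAMPLE_INVENTORY = [
    VendorAccount("acme-hvac-01", "Acme HVAC", "hvac-maintenance",
                  {"bms-console"}, "facilities-lead",
                  date(2022, 8, 1), date(2022, 9, 10), "brokered"),
    VendorAccount("medsoft-sup-07", "MedSoft", "ehr-support",
                  {"ehr-app", "ehr-logs", "file-share"}, None,
                  date(2022, 3, 1), date(2022, 9, 1), "vpn"),
    VendorAccount("billco-02", "BillCo", "billing-vendor",
                  {"billing-app"}, "finance-ops",
                  date(2022, 7, 15), None, "desktop-share"),
]

if __name__ == "__main__":
    results = audit_inventory(SAMPLE_INVENTORY, TODAY)
    for name, findings in results.items():
        print(f"{name}: {', '.join(findings) or 'compliant'}")
    print(summarize(results))
```

Run against the constructed inventory, only the brokered, time-boxed, owned account comes back clean; the VPN account is flagged for an extra scope, a missing owner, an expired grant and the coarse method, and the desktop-sharing account for never having been used and for the coarse method. The same shape of check, fed from a real IAM/IGA export, is what an organization needs before it can honestly answer the inventory and least-privilege questions in the survey below.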
Third-Party Security: Industry Breakdown
This year’s Ponemon Institute report revealed how industries are measuring up when it comes to the state of their third-party access security.
Has your organization experienced a data breach or cyberattack caused by a third party in the last 12 months?
- Education: 54%
- Industrial and manufacturing: 46%
- Financial: 58%
- Public sector: 50%
- Healthcare: 55%
My organization doesn’t have anyone assigned to manage third-party risk:
- Education: 42%
- Industrial and manufacturing: 52%
- Financial: 51%
- Public sector: 49%
- Healthcare: 46%
Does your organization have a comprehensive inventory of third parties with access to its network?
- Education: 44%
- Industrial and manufacturing: 39%
- Financial: 50%
- Public sector: 45%
- Healthcare: 52%
Are you implementing least privilege access to ensure third parties are meeting privacy and compliance regulations?
- Education: 26%
- Industrial and manufacturing: 25%
- Financial: 37%
- Public sector: 36%
- Healthcare: 38%
There’s an alarming story being told here. Across industries, there’s a lack of prioritization, oversight, and control of third-party access.
Considering the healthcare industry has over a million instances of access per day, it’s concerning that only 52% have inventories of their third-party access permissions. PHI is one of the most valuable items on the black market, and over the last two years, healthcare facilities have seen a record number of cyberattacks and data breaches. This lack of oversight and amount of access from external and internal parties puts healthcare in a pretty vulnerable spot.
The manufacturing sector has also been highly targeted, over the last two years especially. Prominent attacks like Colonial Pipeline and Toyota highlight the risks associated with critical infrastructure and how implementing new industrial technology with legacy systems can actually create gaps in security. But surprisingly, less than half of industrial organizations changed their third-party management practices after experiencing a cyberattack. And since only 39% prioritize third-party security, we expect the number of attacks to increase unless adjustments — like implementing least privilege access — are made.
Every Industry Is At Risk Of A Cyberattack
The data shows that every industry contains vulnerabilities and strengths, but there are a few standout points to consider. Least privilege access is a proven and effective method to control access and thwart cyber threats, yet it continues to be put on the back burner for organizations in every industry. Third-party access is still deprioritized, which explains why across industries, the number of organizations that experienced a cyberattack due to a third party increased by 5% year over year. And those organizations with the most at risk, namely healthcare and manufacturing, continue to be some of the most vulnerable due to the lack of security around third-party access.
The numbers are startling, but there is hope that this revelation will incentivize businesses to do something about their third-party security. Locking down third-party access is vital to establishing strong security practices. Prioritizing third-party risk management and controlling all user access can lead businesses across industries to higher levels of security.