One Identity has released new global research revealing that many organisations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks. The study of more than 1,000 IT security professionals by Dimensional Research found that of the 94% that give third-party users access to their network, a whopping 61% are unsure if those users are attempting to access unauthorised data.
Furthermore, only one in five deprovision third-party users immediately when they no longer require access to the network, and one-third of companies take longer than 24 hours to revoke access on inactive accounts. This could leave a gaping hole for cybercriminals or malicious insiders to exploit if credentials fall into the wrong hands.
“Third-party users are necessary in the day-to-day operations of most modern organisations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental,” said Darrell Long, vice president of Product Management, One Identity. “Organisations must recognise that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third-party identities and access just as they would their own employees’.”
The company says that a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical if organisations are to avoid becoming the next victim of a breach caused by unauthorised third-party user access, as has happened in prominent recent breaches. According to One Identity’s “Third Party Access and Compromise” study, many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring that rules for managing access (such as not sharing accounts and credentials) are followed.