Remote access is becoming an organization's weakest attack surface, according to new research published today by the Ponemon Institute and third-party remote access provider SecureLink.
The new report, titled “A Crisis in Third-party Remote Access Security,” reveals a disparity between an organization's perceived third-party access security threat and the protective measures it puts in place.
Researchers found that organizations are exposing their networks to non-compliance and security risks by not taking action to reduce third-party access risk.
Nearly half (44%) of organizations were found to have experienced a security breach within the last 12 months. Of those organization, three-quarters (74%) said that the breach had occurred because too much privileged access had been given to third parties.
Researchers found that organizations are not doing the necessary security checks before sharing data access with third parties. Just over half (51%) of organizations said they had not been assessing the security and privacy practices of all third parties before granting them access to sensitive and confidential information.
“Providing remote access to third parties without implementing the appropriate security safeguards is almost guaranteeing a security incident and a data breach involving sensitive and confidential information,” said Dr. Larry Ponemon, chairman and founder of the Ponemon Institute.
“It is important that organizations assess the security and privacy practices of the third parties that have access to their networks and ensure that they have just enough access to perform their designated responsibilities and nothing more.”
Other key findings were that 54% of organizations do not have a comprehensive inventory of all third parties with access to their network, and 65% of organizations have not identified the third parties with access to their organization's most sensitive data.
“The findings in this report showcase the lack of security, management, and accountability that’s needed to adequately secure third-party remote access, which is very worrying,” commented Joe Devine, CEO of SecureLink.
"While recent high-profile breaches have done a good job of highlighting the serious risks of unsecure vendor relationships, there is still a lot of work to be done to shift organizations’ mindset when it comes to protecting not only their data, but their customer and partner data too.”