As evidenced by recent breaches at Debenhams and NHS Wales, third-party access is a growing security threat facing organizations and enterprise IT systems. Yet despite rising awareness of the danger, on average, a company will grant network access to as many as 181 vendors in any single week, more than double the number from 2016.
According to Bomgar’s 2017 Secure Access Threat Report, 81% of companies have seen an increase in dealings with third parties (defined as external vendors or suppliers granted access to business systems, including outsourcers) in the last two years, compared to 75% the previous year.
Nonetheless, processes to control and manage privileged access for vendors remains lax, as evidenced by only 34% of respondents being totally confident that they can track vendor log-ins, and not many more (37%) confident that they can track the number of vendors accessing their internal systems.
These results are ironic at best, given that 66% of security professionals admit that they trust third-party vendors too much. And with good reason: More than two-thirds (67%) of respondents said that they have already experienced a data breach that was ‘definitely’ (35%) or ‘possibly’ (34%) linked to a third-party vendor.
“Third-party privileged access presents a multitude of risks to network security. Security professionals must balance the business needs of those accessing their systems—whether insiders or third-parties— with security,” said Matt Dircks, Bomgar CEO. “As the vendor ecosystem grows, the function of managing privileged access for vendors will need to be better managed through technology and processes that provide visibility into who is accessing company networks, and when, without slowing down business processes.”
The report also discusses insiders (classified as employees or people acting as an employee for the business, including freelancers or on-premises contractors)—and found that most employees are still all too often given needlessly privileged access permissions to tap even the most valuable systems and data inside a company.
The report revealed that 90% of security professionals trust employees with privileged access most of the time (though only 41% trust these insiders completely). At the same time, as with third parties, security professionals are aware of the numerous risks that these individuals pose to the business.
While most were not primarily worried about breaches of malicious intent, they were concerned that a breach was possible due to employees unintentionally mishandling sensitive data, or that an employee’s administrative access or privileged credentials could easily be phished by cyber-criminals.
As with vendors, businesses are nonetheless still falling behind in tackling the issue, with only 37% of respondents having complete visibility into which employees have privileged access, and 33% believing former employees could still have corporate network access.
“It only takes one employee to leave an organization vulnerable,” said Dircks. “With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organizations control, manage, and monitor privileged access to their networks to mitigate that risk. The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access. Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years—causing devastating damage to a company.”