“The findings in this report showcase the lack of security, management, and accountability that’s needed to adequately secure third-party remote access, which is very worrying,” commented Joe Devine, CEO of SecureLink. “While recent high profile breaches have done a good job of highlighting the serious risks of unsecure vendor relationships, there is still a lot of work to be done to shift organizations’ mindset when it comes to protecting not only their data, but their customer and partner data too.”
While many businesses continue to outsource critical business processes to third-parties, over half of respondents (51%) say their organizations are not assessing the security and privacy practices of all third-parties before granting them access to sensitive and confidential information. The report highlighted that while many organizations view third-party remote access as a security threat, it is not a priority — even despite the increasing volume and sophistication of cyberattacks happening around them.
“Providing remote access to third parties without implementing the appropriate security safeguards is almost guaranteeing a security incident and a data breach involving sensitive and confidential information,” said Dr. Larry Ponemon, Chairman and Founder of Ponemon Institute. “It is important that organizations assess the security and privacy practices of the third parties that have access to their networks and ensure that they have just enough access to perform their designated responsibilities and nothing more.”
The report aims to emphasize the risk at each stage of the typical lifecycle organizations go through when engaging with a third party. Key findings include:
Source and select: Reliance on reputation is the most common reason that organizations are not evaluating the privacy and security practices of third-parties, according to 63% of respondents.
Intake and score: 61% of respondents say their third-party management program does not define or rank levels of risk. Defining and assessing risk provides insight into the levels of security needed to defend against a breach or hacking attempt.
Identity and access management: 54% of respondents say their organizations do not have a comprehensive inventory of all third-parties with access to their network and 65% of organizations have not identified the third-parties with access to the most sensitive data of the organization.
Secure connection: 63% say their organization doesn’t have visibility into the level of access and permissions for both internal and external users, leaving organizations in the dark as to who has access to their network, when they are in their network, and why they are in their network.
Monitor and assess: 54% of organizations are not monitoring the security and privacy practices of third-parties that they share sensitive or confidential information with on an ongoing basis.
Report and manage: 59% of respondents say there is no centralized control over third-parties, and 47% say it’s due to the complexity in third-party relationships.
“Organizations need to stop taking a fingers crossed approach to third-party security. The truth is, if you don’t have the right protocols and tools in place, a data breach is likely inevitable,” added Devine. “Define who is responsible in the business and start by prioritizing network transparency, enforcing least privileged or zero trust access, and constantly evaluating existing third-party security practices to ensure you meet the evolving threat.”
The study was conducted by Ponemon Institute on behalf of SecureLink and includes responses from 627 individuals who are involved in their organization’s approach to managing remote third-party data risks. Respondents are based in North America, spanning six industries, including financial services, health and pharma, public sector, services, and industrial and manufacturing.
To view the complete findings and download the "A Crisis in Third-party Remote Access Security" report: https://www.securelink.com/research-reports/a-crisis-in-third-party-remote-access-security. For more information on SecureLink: www.securelink.com