Most organizations are not taking the necessary steps to manage and monitor the lifecycle of their third-party identities, leaving them more vulnerable to cyber incidents, a SecZetta survey found. Organizations need stronger third-party identity management strategies and tools to support their cybersecurity programs and to manage identity lifecycles, including those of third-party and non-human workers, from onboarding through deprovisioning.
Key findings of “Securing the Identity Perimeter with Defense” include:
- 78% of organizations report it is likely or extremely likely that they hold multiple identity records for a single third-party individual or organization. As a result, access decisions may rest on inaccurate, outdated, or conflicting data, with third-party workers still associated with projects they have left and for which they no longer have a legitimate access need. Multiple active identities for one person weaken an organization’s compliance posture and increase its exposure to breaches, because access granted under one record is not revoked when another is closed.
- Most organizations are concerned about over-permissioned and under-used identities: 73% are highly or moderately concerned about third-party individuals, service accounts, or administrators with unnecessarily high, static, or standing permissions and authorization levels. The concern is justified, since permission- and entitlement-related weaknesses are known to be leveraged in real attacks and breaches.
- Among processes that mitigate third-party individual and vendor risk, just over half (53%) of organizations identity-proof and verify third-party individuals and organizations before granting them access to company assets. The remainder grant access without establishing who is actually behind the identity, reinforcing the need for a single identity authority for third parties that verifies identity before access is provisioned.
- 55% of respondents fail to deactivate third-party workers who no longer qualify to perform their duties. Access to data and systems for this high-risk population often persists beyond the project assignment or contract period. The implications are significant, since compromised credentials are among the most common causes of breaches, and an active account with no legitimate owner is a credential no one is watching. In effect, this is “leaving the doors and windows unlocked.”
- Over 92% of organizations believe it is critical or very important to risk-score third-party individuals, and 89% believe the same for third-party organizations. Yet most still rely on traditional HR processes, such as background screening, that were designed for onboarding new employees. These tools are ineffective at managing a growing population of third-party non-employees, including non-human identities such as bots, RPAs, and IoT devices, which often outnumber an organization’s full-time employee base.
- Only 20% of organizations plan to increase spending on third-party identity management, reinforcing the disconnect between the recognized need to improve these programs and the actions taken to mitigate risk and reduce exposure to cyberattacks and breaches.
The complexity of identity management requires increased investment in the right tools and services, such as third-party identity lifecycle management, to improve operational efficiency and reduce the cost and risk of managing dynamic, higher-risk relationships with third-party individuals and organizations.