In the already oft-neglected realm of privileged access management, one type of permissions is even more forgotten: third-party privileges.
Enterprises of every size and every industry are partnering with third-party vendors to fulfill the functions and roles they either do not have the personnel or the resources to do themselves. According to one study, 71% of enterprises are looking to increase their usage of third-party vendors by 20% or more. Yet the security risks in creating third-party privileges are evident:
- According to a separate analysis, 23% of businesses fail to monitor their remote vendor or third-party activity.
- According to another survey, 66% of enterprises said they suffered a data breach due to third-party privileges.
- A third expert report found that 56% of companies experienced a third-party privileges data breach
To make sense of the issue, we turned to Texas-based privileged identity and access management solution provider Identity Automation. In their report “How to Minimize the Identity and Access Risks Associated with Third-Party Relationships,” their researchers found that 63% of enterprise breaches are the result of third-party privileges. Additionally, 94.3% of enterprises weren’t confident in their tools for managing third-party privileges.
Why Do Third-Party Privileges Get Abused?
Identity Automation’s findings confirm much of our own research on the perils inherent in third-party privileges:
- 40% of enterprises never bother to look for all of the privileged accounts on their network.
- 63% don’t have security alerts in place for failed privileged access account login attempts.
- Only 34% can identify specific threats stemming from their privileged access users.
- Only 35% of enterprises have total visibility into the privileged accounts in their IT environment.
This is important to remember because, as Identity Automation reminds us, third-party privileges can create a weak link in your network if it isn’t paired with increased network visibility. By creating third-party privileges you tie your security with the external vendors—and if they are weak, so are you.
Identity Automation points out that some of the biggest brands in the world—Target, Home Depot, Wendy’s, and Anthem—all suffered breaches due to third-party privileges being stolen or abused. They further found that the average third-party data breach costs an enterprise $7.35 million. So stopping these breaches before they happen should be a top priority.
Monitoring Third-Party Privileges
Identity Automation provides several detailed suggestions on how to secure your third-party access, including:
- Have a proper view of where your most sensitive data and who has access to it (aka monitoring).
- Assess the security of your vendors.
But above all, Identity Automation points out that legacy IAM and privileged access management solutions just don’t have the capacity to monitor modern privileged accounts, let alone third-party access. If your enterprise is looking to expand its third-party vendor network as part of its scalability efforts, it may also be time to update your privileged access management solution and your third-party privileges monitoring.
If you’re interested in learning more about securing your third-party privileges, you should download the Identity Automation “How to Minimize the Identity and Access Risks Associated with Third-Party Relationships” available for free here.
Latest posts by Ben Canner (see all)
- Key Findings: The Gartner 2019 Critical Capabilities for Identity Governance and Administration - November 13, 2019
- 60 Percent of Enterprises Misunderstand Cloud Security Responsibility Sharing - November 12, 2019
- 5 Identity Management Insight Videos for 2019 (and 2020) - November 11, 2019