The purpose of this research is to understand organizations’ approach to managing third-party remote access risk and to provide guidance, based on the findings, on how to prepare for the future. A significant problem that needs to be addressed is third parties accessing an organization’s networks and, as a result, exposing it to security and non-compliance risks.
Sponsored by SecureLink, Ponemon Institute surveyed 627 individuals who have some level of involvement in their organization’s approach to managing remote third-party data risks. They were also instructed to focus their responses on only those outsourcing relationships that require the sharing of sensitive or confidential information and involve processes or activities that require providing access to such information.
Organizations are having data breaches caused by giving too much privileged access to third parties. Only 36 percent of respondents are confident that third parties would notify their organization if they had a data breach involving its sensitive and confidential information. More than half (51 percent) of respondents say their organizations have experienced a data breach caused by a third party, either directly or indirectly, that resulted in the misuse of sensitive or confidential information. Because respondents have so little confidence that third parties would notify them, the true number of such breaches is likely higher than reported.
In the past 12 months, 44 percent of respondents say their organizations experienced a data breach caused by a third party, either directly or indirectly. Of these, 74 percent say it was the result of giving too much privileged access to third parties.
The following findings reveal the risks created by third-party remote access
Organizations are at risk for non-compliance with regulations because third parties are not aware of their industry’s data breach reporting regulations. Less than half of respondents (48 percent) say their third parties are aware of their industry’s data breach reporting regulations, and only 44 percent rate as very high the effectiveness of their third parties in achieving compliance with the security and privacy regulations that affect their organization.
Managing remote access to the network is overwhelming. Seventy-three percent of respondents say managing third-party permissions and remote access to their networks is overwhelming and a drain on their internal resources. Not surprisingly, 63 percent of respondents say remote access is becoming their organization’s weakest attack surface.
It is understandable why 69 percent of respondents say cybersecurity incidents and data breaches involving third parties are increasing: only 40 percent of respondents say their organizations are able to provide third parties with just enough access to perform their designated responsibilities and nothing more (least privilege), and only 37 percent say their organizations have visibility into the level of access and permissions for both internal and external users.
Many organizations do not know all the third parties with access to their networks. Only 46 percent of respondents say their organizations have a comprehensive inventory of all third parties with access to their network; the average number of third parties in such an inventory is 2,368.
Fifty-four percent of respondents say they do not have an inventory (50 percent) or are unsure whether one exists (4 percent). The reasons given are a lack of centralized control over third parties (59 percent of respondents) and the complexity of third-party relationships (47 percent of respondents).
Organizations are not taking the necessary steps to reduce third-party remote access risk. Rather than taking steps to prevent third-party data breaches and cyberattacks, organizations are mostly focused on collecting relevant and up-to-date contact information for each vendor.
Far fewer are collecting and documenting information about third-party network access (39 percent of respondents), confirmation that security practices are in place (36 percent), identification of the third parties that hold the most sensitive data (35 percent), confirmation that basic security protocols are in place (32 percent), and past and/or current known vulnerabilities in the third party’s hardware or software.
Most organizations are not evaluating the security and privacy practices of all third parties before they are engaged. Less than half of respondents (49 percent) say their organizations are assessing the security and privacy practices of all third parties before allowing them to have access to sensitive and confidential information.
Of these respondents, 59 percent say their organizations rely on signed contracts that legally obligate the third party to adhere to security and privacy practices, and 51 percent say they obtain evidence of security certifications such as ISO 27001/27002 or SOC reports. Only 39 percent say their organizations conduct their own assessment of the third party’s security and privacy practices.
Reliance on reputation is why the majority of organizations are not evaluating the privacy and security practices of third parties. Fifty-one percent of respondents say their organizations are not evaluating third parties’ privacy and security practices; the main reasons are reliance on the third party’s reputation (63 percent of respondents) and on data protection regulations (60 percent of respondents). However, as discussed above, only 48 percent of respondents say their third parties are aware of their industry’s data breach reporting regulations, and less than half of respondents (48 percent) have confidence in the third party’s ability to secure information.
Organizations are in the dark about third-party risk because most third parties are not required to complete security questionnaires. On average, only 35 percent of third parties are required to fill out security questionnaires, and only 26 percent are required to undergo remote or on-site assessments.
Where organizations do monitor third-party security and privacy practices, they mostly rely upon legal or procurement review. Only 46 percent of respondents say their organizations monitor, on an ongoing basis, the security and privacy practices of third parties with which they share sensitive or confidential information. Of these, 50 percent say the legal or procurement functions conduct the monitoring, and only 41 percent say they use automated monitoring tools.
Again, reliance on contracts is why 54 percent of respondents say their organizations are not monitoring third parties’ security and privacy practices. Sixty-one percent of these respondents say their organizations do not feel the need to monitor because of contractual obligations, and 61 percent also say they rely upon the business reputation of the third party.
Third-party risk is not defined or ranked in most organizations. Only 39 percent of respondents say their third-party management program defines and ranks levels of risk. The top three indicators of risk are poorly written security and privacy policies and procedures, a lack of screening or background checks for key third-party personnel, and a history of frequent data breach incidents.
Organizations are ineffective in preventing third parties from sharing credentials in the form of usernames and passwords. Respondents were asked to rate their organizations’ effectiveness in knowing all concurrent third-party users, controlling third-party access to their networks, and preventing third parties from sharing credentials in the form of usernames and/or passwords, on a scale from 1 = not effective to 10 = highly effective. Only 41 percent of respondents say their organizations are very effective in controlling third-party access to their networks and preventing third parties from sharing credentials.