Creating a Cybersecurity Infrastructure to Reduce Third-Party and Privileged Internal Access Risks: A Global Study

Organizations’ sensitive and confidential data continue to be vulnerable to risks created by third parties and internal privileged users. A key takeaway from this new research is that too much privileged access and the difficulty in managing permissions are barriers to reducing these risks.

The purpose of this research, sponsored by Imprivata, is to learn important information about how well organizations are managing third-party remote access risks as well as risks posed by internal users with privileged access.

Ponemon Institute surveyed 1,942 IT and IT security practitioners in the US (733), UK (398), Germany (573) and Australia (238) who are familiar with their organizations’ approach to managing privileged access abuse, including the processes and technologies used to secure third-party and privileged end-user access to their networks and corporate resources. Industries represented in this research are healthcare, public sector, industrial and manufacturing, and financial services.

According to the findings, organizations spend an average of $88,000 annually to detect, respond to and recover from third-party data breaches and privileged access abuse. To prevent these abuses, the IT security team spends an average of 134 hours weekly analyzing and investigating the security of third-party and internal privileged access practices, and allocates an average of $43 million, or 25 percent of its annual $171 million IT security budget, to reducing third-party and privileged internal access risks.

“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”

Both third-party/vendor and privileged internal user data breaches and cyberattacks are a security risk for organizations. According to the research, organizations need to give equal priority to reducing privileged access risks caused by third parties/vendors and by internal users. Some 47 percent of respondents say their organizations experienced a data breach or cyberattack that involved one of their third parties/vendors accessing their networks. Forty-four percent of respondents say these incidents involved internal users with privileged access.

Following is a summary of the research findings. 

To avoid security incidents, organizations need to assign the appropriate amount of access and no more. According to the research, granting too much privileged access to insiders causes more data breaches and cyberattacks than when given to third parties. Thirty-four percent of respondents say these incidents were the result of a third party/vendor having too much privileged access. However, 45 percent of respondents say it was caused by providing internal users with too much privileged access.

Third-party security incidents are more likely to result in regulatory fines (50 percent vs. 30 percent for internal users) and lawsuits (41 percent vs. 24 percent for internal users). The primary consequences of a privileged user access data breach or cyberattack were the loss of business partners (51 percent of respondents), loss of reputation (44 percent of respondents) and employee turnover (43 percent of respondents).

Assigning the right amount of privileged access is critical not only to preventing security incidents but also to ensuring third parties and employees have enough access to be productive. An average of 20 third parties/vendors and an average of 20 employees have privileged access rights. The challenge for those managing permissions is to determine the correct level of privileged access required without providing too much. However, less than half (49 percent of respondents) say their organizations provide third parties/vendors with enough access to perform their responsibilities and nothing more. Forty-seven percent of respondents say their organizations provide employees with the appropriate amount of access to do their work.

Organizations without an inventory of third parties/vendors say it is primarily due to a lack of resources. Complexity of multiple internal tech platforms is the main barrier to having an inventory of privileged internal users. Fifty percent of respondents say their organizations do not have a comprehensive inventory of all third parties with access to their networks; the reasons given are a lack of resources to track third parties (45 percent of respondents), no centralized control over third-party relationships (37 percent of respondents) and complexity in third-party relationships (27 percent of respondents). Only 47 percent of respondents say their organizations have a comprehensive inventory of all privileged internal users; the barriers cited are the complexity of multiple internal tech platforms (53 percent of respondents), no centralized control over internal user privileges (44 percent of respondents) and a lack of resources to track internal user privileges (41 percent of respondents).

Reducing third-party and privileged internal access risks can be overwhelming because of the many factors that complicate the process of managing permissions. Forty-four percent of respondents say managing third-party/vendor permissions can be overwhelming and a drain on internal resources. Almost half (48 percent of respondents) say managing internal privileged access is difficult. The difficulty stems from the complexity of insider user roles and third-party relationships, and from the number of access change requests generated by personnel changes, mergers and acquisitions, and organizational restructuring.

The lack of a consistent, enterprise-wide privileged user access management approach can lead to gaps in governance and oversight. Only 42 percent of respondents say their organizations have a strategy that ensures technologies, policies and practices are used consistently across the organization to reduce privileged access risks. Twenty-six percent of respondents say the strategy is not applied consistently and 19 percent of respondents say it is ad hoc or informal (Q5).

Artificial intelligence (AI) and machine learning (ML) can increase efficiency and decrease human error in the steps taken to reduce privileged access abuse. Forty percent of respondents say AI and ML are part of their strategy to reduce privileged access abuse.

The primary benefits are improved efficiency of efforts to manage third-party and internal privileged access abuse (59 percent of respondents), reduced human error related to managing third-party and internal privileged access (51 percent of respondents) and increased support for the IT security team dedicated to managing third-party and internal privileged access abuse (50 percent of respondents).

Preventing privileged access abuse can be overwhelming, requiring technologies and processes that enable organizations to effectively monitor and audit who has access to sensitive and confidential data. However, only 46 percent of respondents monitor and review provisioning systems and only 41 percent of respondents say their organizations conduct regular privileged user training programs. Instead, 57 percent of respondents say their organizations depend upon thorough background checks before issuing privileged credentials and 55 percent of respondents say their organizations conduct manual oversight by supervisors and managers.

The primary barrier to granting and enforcing privileged user access rights is the inability to apply access policy controls at the point of change request (67 percent of respondents). Other barriers, each cited by 61 percent of respondents, are the length of time it takes to grant access to privileged users (not meeting the organization’s SLA with the business), the expense of monitoring and controlling all privileged users, and the staggered granting of access to privileged users.

Monitoring third-party and vendor access can reduce third-party and vendor access risk. However, only 41 percent of respondents are monitoring third-party and vendor access to the network. Reasons for not monitoring third-party and vendor access to sensitive and confidential information are confidence in the third party’s ability to secure information (59 percent of respondents), the business reputation of the third party (45 percent of respondents) and the lack of internal resources to check or verify (44 percent of respondents).

Recommendations to mitigate third-party and privileged internal access risks

  • Implement the principle of least privilege. Grant users only the minimum access required to perform their duties. Regularly review and audit access and conduct periodic reviews to identify and revoke unnecessary permissions.
  • Maintain an inventory of third parties and internal users with privileged access. Without such inventories many organizations don’t have a unified view of privileged user access across the enterprise.
  • Leverage access management tools such as Vendor Privileged Access Management (VPAM) and Privileged Access Management (PAM) to secure and manage an organization’s privileged access to information resources and ensure each user has minimal, controlled access, reducing the chance of a third-party vendor breach and providing organizations with control and visibility. According to the research, 55 percent of respondents with a VPAM say it is highly effective and 52 percent of respondents with a PAM say it is highly effective.
  • Educate users on security best practices. Train employees about the importance of data protection and responsible access management. Only 41 percent of respondents say their organizations conduct regular privileged user training programs.
  • Ensure there are sufficient resources, in-house expertise and in-house technologies to improve the efficiency and security of the access governance process, specifically to keep pace with the number of access change requests and to reduce burdensome processes for third parties and business users requesting access.
  • Automate the processes involved in granting privileged user access and reviewing and certifying privileged user access to meet growing requests for access changes.
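An added example, not part of the report, of what an automated privileged access review along these lines looks like: it checks a constructed inventory of third-party and internal grants against a least-privilege baseline, flags excess roles, unused accounts and expired grants, and groups the revocation candidates by party type. All account names, roles, functions and dates are constructed sample data.

```python
from datetime import date, timedelta

# Constructed sample inventory of privileged grants; not data from the report.
GRANTS = [
    {"account": "vendor-acme-svc", "party": "third_party", "function": "db_support",
     "roles": {"db_admin", "backup_operator", "domain_admin"},
     "last_used": date(2024, 4, 20), "expires": date(2024, 12, 31)},
    {"account": "vendor-globex-bot", "party": "third_party", "function": "monitoring",
     "roles": {"read_metrics"}, "last_used": date(2023, 11, 2), "expires": date(2024, 3, 31)},
    {"account": "jdoe", "party": "internal", "function": "dba",
     "roles": {"db_admin", "backup_operator"}, "last_used": date(2024, 5, 1), "expires": None},
    {"account": "asmith", "party": "internal", "function": "helpdesk",
     "roles": {"password_reset", "domain_admin"}, "last_used": date(2024, 4, 28), "expires": None},
]
# Least-privilege baseline: the roles each job function legitimately needs (constructed).
REQUIRED_ROLES = {
    "db_support": {"db_admin", "backup_operator"},
    "monitoring": {"read_metrics"},
    "dba": {"db_admin", "backup_operator"},
    "helpdesk": {"password_reset"},
}
REVIEW_DATE = date(2024, 5, 15)  # date of this certification run (constructed)

def review_grants(grants, required, today, stale_days=90):
    """Flag grants that exceed the baseline, have gone unused, or are past their expiry."""
    findings = []
    for g in grants:
        # An unknown job function has no baseline, so every role counts as excess.
        excess = g["roles"] - required.get(g["function"], set())
        if excess:
            findings.append((g["account"], g["party"], "excess_roles", sorted(excess)))
        if today - g["last_used"] > timedelta(days=stale_days):
            findings.append((g["account"], g["party"], "stale", g["last_used"].isoformat()))
        if g["expires"] is not None and g["expires"] < today:
            findings.append((g["account"], g["party"], "expired", g["expires"].isoformat()))
    return findings

def revocation_candidates(findings):
    """Group flagged accounts by party type so third-party and internal reviews report separately."""
    out = {"third_party": set(), "internal": set()}
    for account, party, _issue, _detail in findings:
        out[party].add(account)
    return {k: sorted(v) for k, v in out.items()}

if __name__ == "__main__":
    found = review_grants(GRANTS, REQUIRED_ROLES, REVIEW_DATE)
    for finding in found:
        print(finding)
    print(revocation_candidates(found))
```

In a real deployment the inventory would be pulled from the PAM/VPAM system or directory rather than embedded, and the output would feed the certification workflow that actually revokes the flagged grants.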

To read the full findings of this report, visit Imprivata’s website. 
