Insider threats and third-party access are growing security vulnerabilities facing organisations and enterprise IT systems. These growing threats were highlighted in a survey from Bomgar, which explores the visibility, control, and management that IT organisations in the US and Europe have over employees, contractors, and third-party vendors with privileged access to their IT networks.
Despite rising awareness of the threats posed by users with privileged access permissions, most organisations still allow a myriad of internal and external parties to access their most valuable systems and data.
Many are placing trust in both employees and third parties without a proven means of managing, controlling, and monitoring the access that these individuals, teams and organisations have to critical systems and networks.
The respondents in the report outlined two primary, yet distinct threats: insiders and third parties. Insiders are classified as employees or people acting as an employee for the business, including freelancers or on-premises contractors, while third parties are defined as external vendors or suppliers granted access to business systems, including outsourcers.
It found that 90% of security professionals trust employees with privileged access most of the time, but only 41% trust these insiders completely. Despite placing a lot of trust in employees by granting them privileged access, security professionals are paradoxically aware of the numerous risks that these individuals pose to the business.
While most were not primarily worried about breaches with malicious intent, they were concerned that a breach was possible due to employees unintentionally mishandling sensitive data, or that employees' administrative access or privileged credentials could easily be phished by cyber criminals. Yet businesses are still falling behind, with only 37% of respondents having complete visibility into which employees have privileged access, and 33% believing former employees could still have corporate network access.
Generally, employees want to be productive and responsible at work, suggesting that most employees are not malicious, but rather skirt security best practices to speed up productivity.
This is driving the need for access solutions that prioritise both productivity and usability without sacrificing security, and that can be seamlessly integrated into applications and processes that employees already use.
“It only takes one employee to leave an organisation vulnerable,” said Matt Dircks, Bomgar CEO. “With the continuation of high-profile data breaches, many of which were caused by compromised privileged access and credentials, it’s crucial that organisations control, manage, and monitor privileged access to their networks to mitigate that risk. The findings of this report tell us that many companies can’t adequately manage the risk related to privileged access. Insider breaches, whether malicious or unintentional, have the potential to go undetected for weeks, months, or even years – causing devastating damage to a company.”
The report also uncovered that data breaches through third-party access are widespread. External suppliers continue to be an integral part of how most organisations do business.
On average, 181 vendors are granted access to a company's network in any single week, more than double the number from 2016. In fact, 81% of companies have seen an increase in third-party vendors in the last two years, compared to 75% the previous year.
With so many third parties granted access to an organisation's systems, perhaps it's no surprise that more than two thirds (67%) have already experienced a data breach that was 'definitely' (35%) or 'possibly' (34%) linked to a third-party vendor.
While 66% of security professionals admit that they trust third-party vendors too much, action has not followed this recognition. Processes to control and manage privileged access for vendors remain lax, as evidenced by only 34% of respondents being totally confident that they can track vendor log-ins, and not many more (37%) confident that they can track the number of vendors accessing their internal systems.
“As with insiders, third-party privileged access presents a multitude of risks to network security. Security professionals must balance the business needs of those accessing their systems – whether insiders or third parties – with security,” added Dircks. “As the vendor ecosystem grows, the function of managing privileged access for vendors will need to be better managed through technology and processes that provide visibility into who is accessing company networks, and when, without slowing down business processes.”