SecureLink released its third-party data breach report with the Ponemon Institute, highlighting the gap between perceived third-party access threats and the security mitigations adopted.
The report titled “A Crisis in Third-party Remote Access Security” found that organizations were not implementing the necessary security measures to mitigate third-party remote access risks.
The failure to adopt the necessary security measures exposed their networks to potential unauthorized third-party access and compliance risks. Consequently, nearly three-quarters (74%) of organizations breached within the last 12 months said the exposure originated from granting too much privileged access to third parties.
Key findings of the “Crisis in Third-party Remote Access Security” report
The report blamed third-party data breach incidents on the organizations’ failures to mitigate third-party access risks. Approximately 44% of organizations experienced a data breach within the last 12 months.
“Over half of organizations have experienced a data breach caused by third parties that led to the misuse of sensitive or confidential information,” the report found.
Unchecked privileged access by third parties could also be responsible for the third-party data breach epidemic, according to nearly three-quarters (74%) of the respondents.
Similarly, 61% of the organizations failed to assess levels of third-party access risks, thus miscalculating the threat posed by various risks.
“If [a] risk is not defined or ranked – meaning all threats are categorized as a risk and rank the same – that means a spam email would fall in the same rank as a virus acutely installed in a software update that’s pushed out to thousands of people.”
More than half (51%) of the respondents said their organizations failed to assess the security and privacy practices of third parties before granting them access to sensitive information.
Similarly, 54% of the respondents did not monitor third parties’ security and privacy practices after granting them access.
The report also found that 63% of the organizations relied on reputation instead of evaluating the security and privacy practices of all third parties.
“Reliance on reputation is the most common reason that organizations are not evaluating the privacy and security practices of third parties,” the report posited.
Another 54% said their organizations lacked identity and access management capable of taking an inventory of all third parties with network access. Nearly two-thirds (65%) could not identify which third parties had access to the most confidential information.
This lack of visibility largely contributed to the prevalence of third-party data breach incidents, according to more than three out of five respondents: 63% said they were in the dark about the level of access that internal and external users had to their networks.
Most respondents also said that their organizations lacked a centralized system to manage third-party remote access to their networks. Nearly half (47%) blamed complex third-party relationships.
Discovering and reporting a third-party data breach was problematic for more than half (52%) of the respondents. These organizations were unaware of the data breach reporting regulations that applied to them, and they also lacked confidence in a third party’s ability to secure information.
Lack of accountability responsible for third-party data breach incidents
Joe Devine, CEO of SecureLink, said that the lack of security, management, and accountability necessary to secure organizations from a third-party data breach was concerning.
“While recent high-profile breaches have done a good job of highlighting the serious risks of unsecure vendor relationships, there is still a lot of work to be done to shift organizations’ mindset when it comes to protecting not only their data, but their customer and partner data too,” Devine added.
Devine urged organizations to “stop taking a fingers-crossed approach” to third-party security.
The report authors also noted that the findings pointed to a crisis in third-party management across all six stages of the third-party lifecycle.
“Establishing and verifying trusted digital identity across 3rd party B2B relationships is especially challenging during the COVID-19 remote work climate,” says Rajiv Pimplaskar, CRO, Veridium. “The Governance, Risk, and Compliance (GRC) profile of a contractor or 3rd party worker is very different when they themselves are offshore and/or operating from an uncontrolled environment.”
Pimplaskar says most third-party relationships are transactional and have high flux, thus further exacerbating the issue. He adds that “Remote workforce identity proofing (also known as Know Your Employee – KYE) and strong authentication methods are necessary to reduce the attack surface and mitigate this third-party risk.
“According to Verizon’s Data Breach Investigations Report (DBIR), over 80% of data breaches occur due to stolen credentials. Traditional passwords are easy to compromise, and Two Factor Authentication (2FA) using One Time Passcodes (OTP) over SMS is also vulnerable to Man In The Middle (MITM) attacks.
“Enterprises and consumers need to embrace passwordless authentication methods using ‘phone as a token’ which create a trusted relationship with a certificate exchange between a user and their smartphone. Also, FIDO security keys can be used, depending on the nature of the transaction and level of security desired.”
Garret Grajek, CEO, YouAttest, says that the attack mechanisms employed by hackers are hardly new.
“They succeed simply because of their ability to quickly assess our weaknesses through massive and constant vulnerability scanning, and then select or craft the best malware available to inject the payload of choice.”
He noted that although the payload may have different functionalities, “the actual entry and lateral movement across our enterprises is consistent to known cyber kill chain mechanisms.”
He recommended persistent system hardening and patching, and activating real-time alerts on identity changes, especially privilege escalation.
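The two gaps the report keeps returning to are visibility (which third parties hold access, and to what) and alerting on identity changes such as privilege escalation. The following script is an added illustration of both, written for this article; it is not code from SecureLink, the Ponemon Institute, or any of the people quoted. It assumes an identity provider or privileged-access system that exports one JSON object per line with the field names used below; the field names, the role ranking, the list of sensitive resources and the sample events are all constructed for the example.

```python
"""Third-party access inventory and privilege-escalation alerting over a
constructed access-management log.

Added example, not part of the SecureLink/Ponemon report. Assumes an
identity provider or PAM system exports one JSON object per line with the
fields used below; field names, role ranking and sample events are
assumptions constructed for this demonstration.
"""
import json

# Resources the organization classifies as holding confidential data
# (assumed classification, constructed for the example).
SENSITIVE_RESOURCES = {"hr-db", "payments-api", "customer-pii-bucket"}

# Roles ordered by privilege; moving "up" this ranking is an escalation.
PRIVILEGE_RANK = {"read-only": 0, "operator": 1, "admin": 2}

# Constructed sample log: one JSON object per line, as an IdP/PAM export might emit.
SAMPLE_LOG = """\
{"ts": "2021-05-03T08:01:00Z", "event": "grant", "account": "vendor-hvac-01", "vendor": "AcmeHVAC", "resource": "bms-console", "role": "operator", "actor": "alice"}
{"ts": "2021-05-03T08:05:00Z", "event": "grant", "account": "vendor-payroll-02", "vendor": "PayCo", "resource": "hr-db", "role": "read-only", "actor": "bob"}
{"ts": "2021-05-03T09:10:00Z", "event": "grant", "account": "jsmith", "vendor": null, "resource": "hr-db", "role": "admin", "actor": "bob"}
{"ts": "2021-05-04T14:22:00Z", "event": "role_change", "account": "vendor-hvac-01", "vendor": "AcmeHVAC", "resource": "bms-console", "role": "admin", "actor": "vendor-hvac-01"}
{"ts": "2021-05-05T10:00:00Z", "event": "grant", "account": "vendor-payroll-02", "vendor": "PayCo", "resource": "payments-api", "role": "operator", "actor": "carol"}
{"ts": "2021-05-06T11:30:00Z", "event": "revoke", "account": "vendor-hvac-01", "vendor": "AcmeHVAC", "resource": "bms-console", "role": null, "actor": "alice"}
"""


def parse_log(text):
    """Parse newline-delimited JSON, skipping blank or malformed lines, sorted by timestamp."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue  # a broken line should not stop the whole replay
    return sorted(events, key=lambda e: e["ts"])


def build_inventory(events):
    """Replay grant/role_change/revoke events into current third-party access.

    Returns {account: {"vendor": name, "access": {resource: role}}} for accounts
    that belong to a vendor and still hold at least one grant.
    """
    inventory = {}
    for e in events:
        if not e.get("vendor"):
            continue  # internal user, not a third party
        entry = inventory.setdefault(e["account"], {"vendor": e["vendor"], "access": {}})
        if e["event"] in ("grant", "role_change"):
            entry["access"][e["resource"]] = e["role"]
        elif e["event"] == "revoke":
            entry["access"].pop(e["resource"], None)
    return {acct: entry for acct, entry in inventory.items() if entry["access"]}


def third_parties_with_sensitive_access(inventory):
    """Answer the report's visibility question: which third parties can reach confidential data?"""
    result = {}
    for account, entry in inventory.items():
        hits = sorted(r for r in entry["access"] if r in SENSITIVE_RESOURCES)
        if hits:
            result[account] = hits
    return result


def detect_privilege_escalation(events):
    """Flag any change that raises an account's role on a resource.

    A change performed by the account itself (actor == account) is rated
    'high', since a third party widening its own access is the pattern the
    article's experts single out.
    """
    current = {}  # (account, resource) -> role currently held
    alerts = []
    for e in events:
        key = (e["account"], e["resource"])
        if e["event"] == "revoke":
            current.pop(key, None)
            continue
        old_role, new_role = current.get(key), e.get("role")
        if old_role is not None and PRIVILEGE_RANK.get(new_role, -1) > PRIVILEGE_RANK.get(old_role, -1):
            self_service = e.get("actor") == e["account"]
            alerts.append({
                "ts": e["ts"],
                "account": e["account"],
                "resource": e["resource"],
                "from_role": old_role,
                "to_role": new_role,
                "severity": "high" if self_service else "medium",
            })
        current[key] = new_role
    return alerts


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    inventory = build_inventory(events)
    print("third-party inventory:", json.dumps(inventory, indent=2))
    print("sensitive access:", third_parties_with_sensitive_access(inventory))
    for alert in detect_privilege_escalation(events):
        print("ALERT", alert)
```

Replaying the constructed log leaves one vendor account (vendor-payroll-02) holding access, and it reaches two confidential resources; the HVAC vendor's self-granted jump from operator to admin on 2021-05-04 is the single escalation alert, rated high because the account changed its own role. In a real deployment the same replay would run continuously against the identity provider's event stream, with the alert feeding a ticket or SIEM rule rather than a print statement.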
“Remote access for third parties has been a particularly pressing issue since the pandemic began, when much of the workforce shifted to the home and new cybersecurity risks emerged as a result,” says Demi Ben-Ari, CTO and founder, Panorays. “Given these circumstances, it’s unfortunate, but not altogether surprising, that 74% of respondents that suffered a breach said that it was the result of too much third-party privileged access.”
The high prevalence of third-party data breaches that stem from privileged access underscores the need for third-party security risk management. This includes checking a “vendor’s preparedness for remote work by checking for MFA, strong passwords, security awareness training and more,” according to Ben-Ari.