Why most organizations are failing at securing third-party remote access

June 10, 2020//Rion Walker

Last Updated: November 24, 2020

It shouldn’t surprise you that third-party access is risky, and you don’t have to take my word for it. According to the Ponemon Institute, 61% of breaches are caused by a third party, and 44% of organizations that suffered a breach through a third party described it as “business altering.” These companies don’t have just one or two vendors on their networks, either: the average organization has 25 unique vendor or third-party entities accessing privileged data or systems, and spends a total of 5,000 hours managing that access and investigating the resulting incidents.

If the numbers aren’t scary enough, consider the consequences: 12 to 36 critical downtime events per year on vendor-managed systems, at an average cost of $1.5 million per organization, on top of regulatory exposure and reputational damage that is hard to quantify. That figure does not even capture the things we can’t put a price on: the business lost after a data breach, and the trust that customers and consumers withdraw. It’s no surprise, then, that the same research finds a majority of organizations rate the risk from third-party access to privileged systems or data as “high” or “extremely high.”

So why are organizations failing to prevent breaches, keep vendor-managed systems up and running, and efficiently manage vendor or third-party access? Below are the most common reasons, followed by recommendations.

Why most fail

  • “We don’t know our vendors.” Only 10% of organizations actually know every vendor that needs access. Just 40% have systems or automation to manage those identities; the remaining 60% default to managing them manually in their directory or, worse, leave it to the vendors or third parties themselves. 
  • “We can’t or won’t standardize on one tool with a third-party lens.” Only 30% of organizations have standardized third-party privileged access on a single tool. A patchwork of tools is inadequate for security and compliance, and it also carries the cost of managing and supporting multiple non-integrated point solutions. 

How you can succeed

  • Know your vendors. Create a process that lets you identify, control, and audit third-party remote access. Identification improves when each third-party user is tied to a real person and organization through multi-factor authentication, employment verification, source IP, and a self-registration workflow. Control comes from a least-privilege model with time-based credentials, so a vendor can reach only the systems it needs, only for the window in which it needs them. Auditing, such as video recording and keystroke logging of sessions, gives you the evidence to support both security investigations and compliance.
  • Standardize on one tool with a third-party lens (i.e., visibility into who the vendor is and what they did). Organizations often press internal access tools (privileged access management, identity and access management, identity governance and administration) or general-purpose remote access tools (e.g., VPNs) into service for third-party remote access. That is a square peg in a round hole: you may get it to work, but it will never fit exactly. A VPN, for instance, typically places the vendor on the network rather than on the one system they need. Third parties have unique needs and risks, and need a dedicated solution. Employee-focused applications either lack the controls third-party access requires or cannot demonstrate compliance with vertical-specific regulations around data access (e.g., HIPAA, PCI, NERC/FERC, CJIS) and the protection of PII. 
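To make the “identify, control, audit” loop concrete, here is an added example (not code from the original post or from any product it refers to) of a minimal vendor-access broker: it issues a short-lived credential bound to one vendor, one target system, a fixed set of actions, and a source address range, then decides each request against that grant, requires MFA, and writes an audit entry for every decision and every keystroke line. The vendor name, system names and addresses are constructed for illustration; the `VendorAccessBroker` class and its method names are my own, not a vendor API.

```python
"""Time-boxed, least-privilege vendor access broker (illustrative, not a product)."""
import hashlib
import ipaddress
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, FrozenSet, Iterable, List, Optional, Tuple, Union


@dataclass(frozen=True)
class VendorGrant:
    """Everything one vendor credential is allowed to do, and nothing more."""
    vendor_id: str
    target: str                      # one system per grant, never "the network"
    actions: FrozenSet[str]          # e.g. {"rdp", "read-logs"}
    source_net: Union[ipaddress.IPv4Network, ipaddress.IPv6Network]
    not_before: datetime
    not_after: datetime              # time-based credential: hard expiry


class VendorAccessBroker:
    """Issues short-lived credentials and decides, with an audit trail, whether
    each vendor request may proceed. A clock can be injected for testing."""

    def __init__(self, clock: Optional[Callable[[], datetime]] = None) -> None:
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self._grants: Dict[str, VendorGrant] = {}   # keyed by token digest
        self.audit_log: List[dict] = []

    @staticmethod
    def _digest(token: str) -> str:
        # Store only a hash of the bearer token so a leaked grant table
        # does not hand out live credentials.
        return hashlib.sha256(token.encode()).hexdigest()

    def _audit(self, event: str, **fields) -> None:
        self.audit_log.append({"time": self._clock().isoformat(), "event": event, **fields})

    def issue(self, vendor_id: str, target: str, actions: Iterable[str],
              source_net: str, ttl: timedelta) -> str:
        """Create a credential valid from now for `ttl`, scoped to one target."""
        now = self._clock()
        grant = VendorGrant(vendor_id, target, frozenset(actions),
                            ipaddress.ip_network(source_net), now, now + ttl)
        token = secrets.token_urlsafe(32)
        self._grants[self._digest(token)] = grant
        self._audit("issue", vendor=vendor_id, target=target,
                    actions=sorted(grant.actions), expires=grant.not_after.isoformat())
        return token

    def revoke(self, token: str) -> bool:
        grant = self._grants.pop(self._digest(token), None)
        self._audit("revoke", vendor=grant.vendor_id if grant else None, found=grant is not None)
        return grant is not None

    def authorize(self, token: str, target: str, action: str,
                  source_ip: str, mfa_passed: bool) -> Tuple[bool, str]:
        """Evaluate one request; every outcome, allowed or not, is audited."""
        grant = self._grants.get(self._digest(token))
        now = self._clock()
        reason = "ok"
        if grant is None:
            reason = "unknown credential"
        elif not (grant.not_before <= now < grant.not_after):
            reason = "credential outside its validity window"
        elif not mfa_passed:
            reason = "MFA not satisfied"
        elif ipaddress.ip_address(source_ip) not in grant.source_net:
            reason = "source address not in allowed range"
        elif target != grant.target:
            reason = "target not covered by grant"
        elif action not in grant.actions:
            reason = "action not permitted"
        allowed = reason == "ok"
        self._audit("authorize", vendor=grant.vendor_id if grant else None, target=target,
                    action=action, source_ip=source_ip, allowed=allowed, reason=reason)
        return allowed, reason

    def record_input(self, token: str, line: str) -> bool:
        """Keystroke audit: attribute a typed line to the vendor behind the token."""
        grant = self._grants.get(self._digest(token))
        if grant is None:
            return False
        self._audit("input", vendor=grant.vendor_id, target=grant.target, line=line)
        return True


if __name__ == "__main__":
    broker = VendorAccessBroker()
    # Constructed example: an HVAC contractor gets two hours of RDP to one building controller.
    tok = broker.issue("acme-hvac", "bms-01", ["rdp"], "203.0.113.0/24", timedelta(hours=2))
    print(broker.authorize(tok, "bms-01", "rdp", "203.0.113.7", mfa_passed=True))
    print(broker.authorize(tok, "db-01", "rdp", "203.0.113.7", mfa_passed=True))
    broker.record_input(tok, "net user /add backdoor P@ss")
    for entry in broker.audit_log:
        print(entry)
```

Two design choices matter here. The grant names a single target and an explicit action set, so "access to the network" is never a thing the broker can express; and the validity window is enforced at every request, not only at login, so a session that outlives its grant is cut off. The audit entries are the raw material for the video and keystroke review the bullet above calls for.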

The just-in-time economy has multiplied the complexity of businesses and of the operations and infrastructure that support them, leaving them more exposed than ever to an expanding attack surface. Most organizations know they aren’t managing third-party access well; recognizing the risk and committing to solve it is the first step. Third parties have unique needs and unique risks, and therefore need a solution built for the problem. Look for a product dedicated to vendor privileged access management that lets you identify, control, and audit third-party access in a secure and compliant way. To learn more about why most organizations struggle with securing third-party remote access, download our webinar, which covers the most common vulnerabilities and weaknesses in the tools organizations typically try to use for vendor access. 
