New Report from One Identity Spotlights Significant Gaps in Third-Party User Access Management Practices Globally, Exposing Organizations to Cybersecurity Risks


  • Survey of more than 1,000 IT security professionals exposes shortcomings in organizations' approach to managing third-party user identity and access, leaving their organizations vulnerable to compromise
  • Ninety-four percent give third-party users access to their network, and 61% are unsure if those users are accessing or attempting to access unauthorized data
  • The majority (72%) of organizations grant third-party users privileged permissions, giving them administrative access to sensitive information
  • Only 15% are very confident that third-party users follow the same access rules as their internal users, yet only one in five (21%) immediately deprovision inactive third-party users

ALISO VIEJO, Calif., Nov. 20, 2019 (GLOBE NEWSWIRE) -- One Identity, a proven leader in identity-centered security, today released new global research revealing that many organizations across the globe fall short of effectively managing access for third-party users, exposing them to significant vulnerabilities, breaches and other security risks. Based on a Dimensional Research-conducted survey of more than 1,000 IT security professionals, the research evaluates organizations’ approaches to identity and access management (IAM) and privileged access management (PAM), including how they apply to third-party users – from vendors and partners, to contractors and seasonal workers. Among the survey’s most noteworthy findings are that while 94% of organizations grant third-party users access to their network, 61% admit they are unsure if those users attempted to or successfully accessed files or data they are not authorized to access.

According to Gartner, the majority of organizations today rely on an increasing number of third parties for business services compared to three years ago. With an expanding group of users gaining access to an organization’s network comes an expanding cybersecurity risk surface, and it is critical that businesses take the proper steps to manage and govern third-party users and their access in the same way they manage and govern internal users. However, One Identity’s survey reveals that many organizations are not implementing strong user governance and access practices, leaving them vulnerable to cyber compromise. Additional top findings from the report include:

  • Third-party user access to the corporate network is ubiquitous, but what information those users access is worryingly unclear at many organizations.
    • Ninety-four percent of respondents say that third parties access their network; 72% give third parties privileged (administrative or superuser) access.
    • Only 22% know for certain their third-party users are not attempting to access or are successfully accessing unauthorized information.
    • Nearly one in five (18%) report third parties have attempted to or successfully accessed unauthorized information; more than three in five (61%) don’t know for certain if this has happened.
  • Ineffective third-party user lifecycle management practices are widespread, which puts organizations at increased risk.
    • Only 21% of organizations immediately deprovision (or revoke access for) third-party users when the work they do for the company ceases.
    • One-third (33%) of organizations take more than 24 hours to deprovision third-party users or do not have a consistent deprovisioning process.
  • Organizations predominantly lack confidence that third-party users follow security best practices and policies—and likely trust them too much.
    • Only 15% are very confident that their third parties follow access management rules, such as not sharing accounts and ensuring password strength.
    • One in four (25%) suspect third parties do not follow the rules or know for certain they do not.
    • However, 45% of respondents trust third-party users the same amount or more than they do their own employees to follow their organizations’ security policies.
  • Retail is the most at-risk industry when it comes to third-party access.
    • Nearly three in 10 (28%) retail organizations admit third-party users have successfully accessed or attempted to access files or data that they were not authorized to access.
    • One in five (20%) of financial services organizations, 17% of technology organizations, and 14% of healthcare organizations have experienced the same.
    • One in four (25%) respondents from retail organizations say they give all or most of their third-party users privileged access. By comparison, the same holds true for 18% of technology organizations, just 10% of healthcare organizations and only 10% of manufacturing organizations.

“Third-party users are necessary in the day-to-day operations of most modern organizations; however, if third-party access is improperly managed, the security risk associated with these users is detrimental,” said Darrell Long, vice president of Product Management, One Identity. “Organizations must recognize that their security posture is only as strong as its weakest link (typically third parties connected to their network), making it absolutely vital that they manage third-party identities and access just as they would their own employees’.”

In order for organizations to prevent becoming the next victim of a breach due to unauthorized third-party user access, as has happened in prominent recent breaches, a strong security posture built around privileged access management (PAM) and identity governance and administration (IGA) is critical. According to One Identity’s “Third-Party Access and Compromise” study, many companies struggle to implement some of the most basic PAM and IAM practices when managing third-party users, such as immediately deprovisioning users and ensuring rules for managing access (such as not sharing accounts and credentials) are being followed.

One Identity helps organizations tackle their biggest IGA and PAM challenges across all users, including third parties. By offering an end-to-end suite of identity governance and administration and privileged access management solutions designed to virtually eliminate the complexities and time-consuming processes often required to properly manage and govern identities across standard users and privileged users and across the hybrid enterprise including the ubiquitous Active Directory/Azure Active Directory environments, One Identity helps organizations minimize third-party access challenges and risks, putting them in a better position to defend themselves from breaches and other security incidents.

About the 2019 One Identity Third-Party Access and Compromise Study
Conducted by Dimensional Research, One Identity’s 2019 Third-Party Access and Compromise study surveyed 1,005 IT security professionals from midsize and large enterprises on their current experiences, trends and approaches to Identity Governance and Administration (IGA), PAM and Identity SaaS. The study consisted of an online survey of IT professionals in midsize or large organizations with responsibility for security and who are very knowledgeable about IAM and privileged accounts. A total of 1,005 individuals from the U.S., Canada, U.K., Germany, France, Australia, Singapore and Hong Kong completed the survey.

One Identity offers a free online Executive Summary of the data as well as a Key Findings Report.

About One Identity
One Identity, a Quest Software business, lets organizations achieve an identity-centric security strategy with a uniquely broad and integrated portfolio of identity management offerings including account management, identity governance and administration and privileged access management.  One Identity empowers organizations to reach their full potential, unimpeded by security, yet safeguarded against threats. One Identity and its approach is trusted by customers worldwide, where more than 7,500 organizations worldwide depend on One Identity solutions to manage more than 125 million identities, enhancing their agility and efficiency while securing access to their systems and data – on-prem, cloud or hybrid. For more information, visit http://www.oneidentity.com.

Media contacts
Andrea Ipolyi
One Identity Global PR
+36 1 398 6700
andrea.ipolyi@oneidentity.com

Ali Mapplethorpe
Highwire PR
415-675-1457
oneidentity@highwirepr.com