Russell fields five: Answers to five key questions on managing third-party vendor access risks
Russell Dowdell, Imprivata Senior Director, Product Management, Privileged Access, tackles five pivotal questions, sharing valuable insights and best practices in managing risks stemming from vendor access.
There’s no way around it: most businesses can’t properly function without significant help from various supply chain partners including third-party vendors. And as organizations’ external connectivity needs have grown, so have inherent security risks, due to the expanded attack surface cybercriminals are aggressively exploiting.
Given the alarming risks created by vendor access, Russell Dowdell, Imprivata Sr. Director, Product Management, Privileged Access, sheds timely light on the issue. Highlighting revealing findings from a new analyst report, he provides insightful answers to five pivotal questions on the challenges at hand, while sharing vendor privileged access management best practices.
1) How much of a threat is third-party remote access to organizations?
It’s a big problem and it’s only getting bigger. Third-party remote access is a growing cybersecurity threat, with 47% of organizations experiencing a breach involving vendor network access in the past year. And it clearly has organizations’ attention: 48% of surveyed respondents see third-party access as their weakest attack surface, while 64% expect these breaches to increase or remain constant over the next year.
The issues are primarily driven by third parties often having too much or poorly monitored access to organizations’ networks and privileged accounts. That makes them especially attractive targets for cyber attackers, as they provide a path of least resistance. The lack of consistent access strategies and oversight amplifies these risks, especially as third parties aren’t subject to the same controls as internal staff.
2) What are the potential consequences of a data security breach stemming from vendor access?
Breaches tied to third-party access carry widespread, serious repercussions. For starters, 53% of organizations affected by these incidents suffered the loss or theft of sensitive data. Half faced regulatory fines, and 49% severed relationships with the responsible vendor. Additional consequences included loss of business partners, lawsuits, revenue losses, ransom payments, plus the erosion of customer trust and marketplace reputation. These outcomes underscore the high-stakes financial, operational, and brand equity damage that can result from a third-party breach.
In addition, the risks are exacerbated when you step back and consider the potential impact of the broader supply chain vulnerability equation. Compounding the risk factor is the involvement of fourth-party access – vendors’ vendors – where the opportunity to impose access controls is totally out of your hands.
3) What are some of the key reasons why third-party access presents a significant risk?
It’s especially risky due to several factors, including limited visibility, excessive privileges, and insufficient oversight. And it’s important to keep in mind that unlike employees, third parties are difficult to monitor, as they often bypass standard governance and identity lifecycle controls. Those vendor access controls include the ability to ensure reliable identification, up-to-date credentialing, and the use of multifactor authentication.
It’s worth reemphasizing an earlier point: because many vendors often have more access than necessary, they become prime targets for attackers as a conduit to the organizations the vendors serve. In fact, 34% of breaches were the result of a third-party partner having too much privileged access. Compounding this, 35% of organizations weren’t sure if vendor access was the breach cause, showing a lack of insight into access activities. Without centralized control including defined ownership over managing and granting access, as well as comprehensive inventories of who has access and why, organizations struggle to detect and prevent misuse.
4) Why are organizations having a hard time managing third-party access risks?
Organizations face numerous challenges in managing third-party risks. Chief among them are the absence of oversight/governance (50%), complex regulatory requirements (48%), and insufficient resources or budget (41%). It can be challenging for internal teams to analyze and investigate third-party and privileged access, given the resource constraints many organizations face. All of those factors add up to a reduction in overall access visibility and accountability.
On top of that, only 50% of organizations maintain a comprehensive inventory of third parties with network access, while 59% don’t monitor their vendors’ access. A related concern is that nearly two-thirds of organizations fail to perform due diligence regarding vendors’ security protocols, lacking internal resources and relying on misplaced confidence in vendors rather than verified controls.
5) What best practices can organizations leverage to better manage these challenges?
An overarching point to consider is that only 58% of organizations have a clear, holistic, consistently applied strategy to better manage third-party access risks. But there’s good news: proactive organizations are starting to move the needle in the right direction. Here are some of the best practices they’re implementing:
Carefully vetting vendors – Vendor accountability is paramount, and the earlier noted overconfidence in vendors’ security practices can turn out to be an Achilles heel. Don’t assume they have everything nailed down. Conducting a vendor security assessment – a detailed evaluation of their protocols – is a vital step in safeguarding your sensitive data. As part of that, it’s important to find out if they’ve ever been hacked, who exactly will be touching your information, where it will be stored, and for how long.
Leveraging fine-grained access controls – Rigorously adhere to the principle of least privilege access, which involves granting only the level needed to perform a task – and no more. Consider the scope of access that’s actually required to get a certain job done, and ensure access is time-bound and task-specific. Regularly review access rights, adjusting them based on role changes, inactivity, onboarding/offboarding needs, and contract expirations.
Auditing and monitoring third-party access – Audit trails are crucial components of a robust, automated monitoring program. Every third-party session must be linked to a named identity, not a generic shared account. Logs should capture who got in, what they did, why, when, and whether any data was pulled or changed. This allows for a clear picture in the event something goes wrong, enabling full traceability, while supporting incident response and accountability.
Delegating access permissions – Vendor support often involves working closely with users in departments across the organization, and as a result, users know the vendor well. When vendors request access, IT might not be the right team to open the door for them. Delegation ensures that when needed, the ultimate approvals for access can be handled by an informed party who’s expecting the access and knows when it’s right and when it’s not.
Implementing a purpose-built solution – With so much at stake, it’s shortsighted and counterproductive to consider using an internal privileged access management solution for third-party access management. A vendor privileged access management solution is specifically designed to lower the risks of cyberattacks, while detecting and remediating them faster. Internal-use solutions lack the strong control, visibility, and audit monitoring capabilities needed for use with external parties.
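To make the “fine-grained access controls” and “auditing and monitoring” practices above concrete, here is an added example, written for this page and not code from Imprivata or the article, that encodes vendor access as time-bound, task-specific grants tied to named identities and then checks a few constructed session records against them. Every vendor name, host, ticket number and log line in it is made up for illustration; the grant and event field names are assumptions, not any product’s schema.

```python
"""
Added example (not from Imprivata or the article): least-privilege, time-bound
vendor grants checked against per-session audit records. All identities, hosts,
ticket ids and log lines are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
import json


@dataclass(frozen=True)
class Grant:
    """A time-bound, task-specific access grant for one named vendor user."""
    user: str            # named identity, never a shared account
    vendor: str          # the vendor organization the user belongs to
    systems: frozenset   # hosts/apps the grant covers (scope)
    actions: frozenset   # actions permitted on those systems
    start: datetime      # window opens (e.g. approved change slot)
    end: datetime        # hard expiry (ticket closure, contract end)
    ticket: str          # why the access exists (the "why" in the audit trail)


# Constructed grants: a database vendor with a one-day patch window and an
# HVAC vendor whose read-only contract ended in February.
GRANTS = [
    Grant("jane.doe@dbvendor.example", "dbvendor",
          frozenset({"db-prod-01"}), frozenset({"read", "patch"}),
          datetime(2025, 3, 1, 8, tzinfo=timezone.utc),
          datetime(2025, 3, 1, 18, tzinfo=timezone.utc), "CHG-1042"),
    Grant("sam.lee@hvacvendor.example", "hvacvendor",
          frozenset({"bms-controller"}), frozenset({"read"}),
          datetime(2025, 2, 1, tzinfo=timezone.utc),
          datetime(2025, 2, 28, 23, 59, tzinfo=timezone.utc), "CHG-0987"),
]

# Generic account names that cannot be attributed to a person.
SHARED_ACCOUNTS = {"vendor", "support", "admin", "contractor"}


def _failures(g: Grant, system: str, action: str, when: datetime) -> list:
    """Which dimensions of a single grant the session falls outside of."""
    out = []
    if system not in g.systems:
        out.append("system-out-of-scope")
    if action not in g.actions:
        out.append("action-not-granted")
    if not (g.start <= when <= g.end):
        out.append("outside-window")
    return out


def check_session(event: dict, grants=GRANTS) -> list:
    """Return findings for one session record; an empty list means compliant."""
    user = event["user"]
    if user.split("@")[0].lower() in SHARED_ACCOUNTS:
        return ["shared-account"]          # no named identity to attribute
    candidates = [g for g in grants if g.user == user]
    if not candidates:
        return ["no-grant"]                # nobody approved this identity
    when = datetime.fromisoformat(event["time"])
    per_grant = [_failures(g, event["system"], event["action"], when)
                 for g in candidates]
    return min(per_grant, key=len)         # best-fitting grant decides


def audit(log_lines) -> dict:
    """Parse JSON-lines session records and map session id -> findings."""
    report = {}
    for line in log_lines:
        if line.strip():
            event = json.loads(line)
            report[event["session"]] = check_session(event)
    return report


# Constructed session log: who, what, when, and whether data was changed.
SAMPLE_LOG = """
{"session":"s1","time":"2025-03-01T10:15:00+00:00","user":"jane.doe@dbvendor.example","system":"db-prod-01","action":"patch","data_changed":true}
{"session":"s2","time":"2025-03-01T11:00:00+00:00","user":"jane.doe@dbvendor.example","system":"db-prod-01","action":"export","data_changed":false}
{"session":"s3","time":"2025-03-01T12:00:00+00:00","user":"jane.doe@dbvendor.example","system":"db-prod-02","action":"read","data_changed":false}
{"session":"s4","time":"2025-03-05T09:00:00+00:00","user":"sam.lee@hvacvendor.example","system":"bms-controller","action":"read","data_changed":false}
{"session":"s5","time":"2025-03-05T09:30:00+00:00","user":"support@hvacvendor.example","system":"bms-controller","action":"read","data_changed":false}
{"session":"s6","time":"2025-03-05T10:00:00+00:00","user":"unknown.person@other.example","system":"db-prod-01","action":"read","data_changed":false}
"""

if __name__ == "__main__":
    for session, findings in audit(SAMPLE_LOG.splitlines()).items():
        print(session, "OK" if not findings else ", ".join(findings))
```

Sessions s2 through s4 each violate exactly one dimension of an otherwise valid grant (action, system, and expiry respectively), which is the kind of drift the regular access reviews in the article are meant to catch; s5 and s6 are flagged before any scope check because a shared account or an unapproved identity cannot be tied back to a named person and a ticket.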
The bottom line is that implementing a strategic game plan featuring a comprehensive third-party access solution that delivers strong control, visibility, and peace of mind will efficiently safeguard your most sensitive information. And there’s no better time to get started than right now.
For a look at additional survey findings, see the 2025 Ponemon Institute report “The state of third-party access in cybersecurity.” To learn more about vendor privileged access management, visit our website.