Third- and Fourth-Party Blind Spots Escalate as Vendor Access Gaps Undermine Cyber Resilience
As outsourcing accelerates and digital ecosystems grow more complex, organisations are finding that traditional vendor risk management strategies aren’t enough. Recent Imprivata data reveals just how exposed organisations are to third- and fourth-party risk. Nearly half (47%) of organisations experienced a breach involving a third party in the past year, and 34% were due to vendors having too much privileged access.
“Third-party involvement in data breaches has nearly doubled this year from 15 percent to nearly 30 percent,” said Maria Phillips, Imprivata Senior Counsel, Privacy & Compliance, in a recent Help Net Security article. “Many organisations have sharpened their focus on third-party risk management, carefully vetting the security practices of their vendors. However, a critical gap remains that many organisations overlook: fourth-party risk.”
The growing reliance on external vendors spans all sectors—from healthcare to manufacturing to financial services—and increasingly includes subcontractors and unmanaged tools, also known as fourth parties. Incidents like the Pandora and Salesforce breach, the Change Healthcare attack, the MOVEit ransomware campaign, and the SolarWinds supply chain attack highlight the ease with which attackers exploit these downstream connections and gaps in vendor access control.
Imprivata data shows that organisations now manage access for an average of 20 vendors, yet only 50% maintain a comprehensive inventory of those vendors. Fourth-party exposure (a vendor’s own vendors having access) adds another layer of risk that many teams aren’t equipped to monitor. In fact, 59% of organisations do not monitor third-party access at all, and 55% of those using access management solutions don’t trust their vendor privileged access management tools to reduce the risk.
Manual processes, a lack of centralised control, and limited internal resources are among the main reasons organisations struggle to contain the third-party access threat. Imprivata data shows that IT and security teams report spending 134 hours per week investigating third-party and privileged access risks.
To close this visibility gap as supply chain threats show no sign of slowing down, experts recommend building and maintaining an accurate, centralised inventory of all third and fourth parties with network access. In addition, understanding how those vendors handle data and security independently is crucial.
“Contract audit clauses are important, as well as the need to move past the ‘trust but verify’ concept to a Zero-Trust approach,” said Phillips, who also heads up Imprivata’s data privacy and AI governance teams, in a recent LinkedIn Live discussion. “You have to know for certain that vendors are adhering to the agreed security standards.”
Other recommendations include strengthening third-party identity management and enforcing tighter credential management practices. That means replacing broad VPN access with fine-grained access controls: least-privilege access, time-bound credentials, and named-user authentication in place of shared vendor accounts.
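The inventory and access-control recommendations above can be combined into a single enforcement point. The following is an added example, not code from the article or from Imprivata: it keeps a central inventory in which each vendor declares its own subcontractors (so fourth parties that are not themselves inventoried can be surfaced), and it gates every access request on a named individual user, a credential with an expiry, and an explicit least-privilege list of target systems. All vendor names, user identities, system names, and timestamps are constructed sample data.

```python
"""Vendor access gate: centralised inventory + least privilege + time-bound,
named-user credentials. Added example with constructed sample data; not the
article's or Imprivata's own code."""

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class VendorRecord:
    name: str
    allowed_systems: frozenset   # least privilege: explicit list of reachable targets
    named_users: frozenset       # individuals who may authenticate, never a shared login
    subcontractors: tuple = ()   # fourth parties the vendor has declared


@dataclass(frozen=True)
class Credential:
    vendor: str
    user: str
    issued_at: datetime
    ttl: timedelta               # time-bound: the credential dies on its own

    @property
    def expires_at(self) -> datetime:
        return self.issued_at + self.ttl


def build_inventory(records):
    """Central inventory keyed by vendor name."""
    return {r.name: r for r in records}


def fourth_parties(inventory):
    """(vendor, subcontractor) pairs where the subcontractor is not itself
    inventoried, i.e. fourth-party exposure nobody is tracking directly."""
    pairs = {(v.name, s) for v in inventory.values() for s in v.subcontractors}
    return sorted((v, s) for v, s in pairs if s not in inventory)


def evaluate_access(inventory, cred, target_system, now):
    """Return (allowed, reason). Each denial names the control that failed,
    so the reason string can go straight into an audit log."""
    vendor = inventory.get(cred.vendor)
    if vendor is None:
        return False, "vendor not in inventory"
    if cred.user not in vendor.named_users:
        return False, "unknown or shared account; named-user authentication required"
    if now >= cred.expires_at:
        return False, "credential expired (time-bound access)"
    if target_system not in vendor.allowed_systems:
        return False, "system outside vendor's least-privilege scope"
    return True, "allowed"


# Constructed sample data (hypothetical vendors, users, and systems).
NOW = datetime(2025, 1, 15, 12, 0, tzinfo=timezone.utc)
INVENTORY = build_inventory([
    VendorRecord("imaging-vendor", frozenset({"pacs-01"}),
                 frozenset({"alice@imaging.example"}), ("offsite-backup-co",)),
    VendorRecord("billing-vendor", frozenset({"billing-db"}),
                 frozenset({"bob@billing.example"})),
])


def demo():
    """Run the gate over a few representative requests; returns the decisions."""
    fresh = Credential("imaging-vendor", "alice@imaging.example",
                       NOW - timedelta(hours=1), timedelta(hours=4))
    stale = Credential("imaging-vendor", "alice@imaging.example",
                       NOW - timedelta(hours=5), timedelta(hours=4))
    shared = Credential("imaging-vendor", "vendor-shared",
                        NOW - timedelta(hours=1), timedelta(hours=4))
    return {
        "in_scope": evaluate_access(INVENTORY, fresh, "pacs-01", NOW),
        "out_of_scope": evaluate_access(INVENTORY, fresh, "billing-db", NOW),
        "expired": evaluate_access(INVENTORY, stale, "pacs-01", NOW),
        "shared_account": evaluate_access(INVENTORY, shared, "pacs-01", NOW),
        "untracked_fourth_parties": fourth_parties(INVENTORY),
    }


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label}: {result}")
```

The inventory is the control that makes the others meaningful: a request from a vendor that is not in it is refused before any credential is examined, and `fourth_parties` lists exactly the subcontractors a vendor has declared that the organisation has never onboarded, which is the visibility gap the article describes.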
Despite these challenges, there is progress. New tools like vendor privileged access management (VPAM) platforms and AI-driven analytics are helping automate oversight. At the same time, regulatory drivers like the EU’s DORA framework, NIS2, and updated HIPAA and FTC guidelines are increasing pressure on organisations to enforce tighter access governance for direct vendors, subcontractors, and cloud service partners.
As the vendor ecosystem grows more complex, experts stress that visibility, accountability, and proactive access governance are no longer optional, but foundational to building cybersecurity resilience.
For more information on this topic, check out Phillips’ recent Help Net Security article: “Your supply chain security strategy might be missing the biggest risk.”
Learn more about how vendor privileged access management solutions can safeguard your most sensitive data and close gaps in third- and fourth-party risk.