Today, Bomgar released the 2017 Secure Access Threat Report, new research that revealed insider and third-party access to be growing threats for organizations around the world. The survey of more than 600 IT and security professionals explores the visibility, control, and management that IT organizations in the U.S. and Europe have over employees, contractors, and third-party vendors with privileged access to their IT networks.
The respondents outlined two primary—yet very distinct—threats:
- Insiders, defined as employees or people acting as an employee for the business (i.e., freelancers or on-premises contractors).
- Third parties, defined as external vendors or suppliers granted access to business systems.
For the majority of companies, suffering an information security breach is no longer a question of if, but when. Despite being aware of the threats, most organizations still allow a myriad of internal and external parties to access their most valuable systems and data, placing a lot of trust in employees and third-party vendors. Unfortunately, they also lack a robust system for managing, controlling, and monitoring the privileged access that these individuals, teams and organizations have.
The Threat from Within
The report revealed that 90 percent of security professionals trust employees with privileged access most of the time, but only 41 percent trust these insiders completely. Despite placing a lot of trust in employees by granting them privileged access, security professionals are paradoxically aware of the numerous risks that these individuals pose to the business. While most were not primarily worried about breaches with malicious intent, they were concerned that a breach could result from employees unintentionally mishandling sensitive data, or that employees’ administrative access or privileged credentials could easily be phished by cyber criminals. Yet businesses are still falling behind, with only 37 percent of respondents having complete visibility into which employees have privileged access, and 33 percent believing former employees could still have corporate network access.
Another key finding from the report is that security solutions are hindering productivity. As a rule, employees want to be efficient at work and, when faced with security measures that appear to hinder productivity, immediately institute shortcuts without considering the risks. To address this, organizations must implement a security solution that can be seamlessly integrated into the applications and processes that employees already use.
External suppliers continue to be an integral part of how most organizations do business, with an average of 181 vendors accessing a company’s network every week. This is more than double the number from 2016. Not only is this practice on the rise, so too is the prevalence of breaches that occur due to third-party access.
More than two-thirds of our respondents have already experienced a breach that was “definitely” (35 percent) or “possibly” (34 percent) linked to a third-party vendor. While many security professionals admit that they afford external groups too much trust, action has not followed this recognition. Processes to control and manage privileged access for vendors remain lax, as evidenced by only 34 percent of respondents expressing total confidence that they can track vendor log-ins. A slightly higher percentage (37 percent) believe they can track the number of vendors accessing their internal systems.
Considering these factors, we were surprised to discover that more than half of organizations rely on just one employee to manage third-party access rights. If so few businesses have a handle on how many third parties have access to their network and what those vendors are doing with that access, then having a single person managing it all is not a sustainable situation and represents a serious risk. As the vendor ecosystem grows, companies must change their approach and employ a privileged access management solution that provides visibility into who is accessing the network—and when—without impeding business processes.
So how can organizations mitigate these risks and better protect the access to their most critical systems? Look no further than Bomgar Privileged Access. Our solutions enable security professionals to control, monitor, and manage access to critical systems by authorized employees, contractors, and third-party vendors. Bomgar’s unique, VPN-free approach allows companies to quickly gain control of privileged access to both traditional and web-based systems to protect against cyberattacks and meet compliance requirements without hindering productivity.