Industry Insights with Isa Jones

Breach Notification , Identity & Access Management , Incident & Breach Response

Lack of Access Management Is Causing Data Breaches

Avoid Becoming the Next Victim by Investing in Proactive Measures
Lack of Access Management Is Causing Data Breaches

According to the 2022 Ponemon Institute report, 70% of the organizations that experienced a third-party data breach stated the breach came from giving that third party too much access.

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

If an outsider has the keys to the vault, it’s not a far stretch to think they may end up robbing you, or a bad actor may steal those keys from the outsider and waltz right into the vault. That’s what’s happening with organizations of all sizes and industries when it comes to cyberattacks. Businesses are relying more and more on third parties and digitizing more and more, but aren’t taking the necessary access management steps to minimize those third-party risks. The result? The number of organizations involved in a third-party breach has increased from 51% to 55%.

How Are Organizations Struggling With Access Management?

Unfortunately, organizations are struggling with three key tenets of access management: governance and visibility, access control, and monitoring.

Here are three key stats from the report mentioned above that highlight just how much organizations are struggling when it comes to managing and controlling their third parties and the vast access they may have to critical assets.

  • 64% of organizations don’t have visibility into the level of access and permissions for both internal and external users.
  • 57% of organizations are unable to designate only enough access to perform designated responsibilities.
  • 58% of organizations aren’t monitoring third parties because they don’t have the internal resources.

Why aren’t organizations taking these steps? There’s no single answer, but when asked in the survey, 67% of organizations stated that they feel managing third-party permissions and identities is overwhelming and a drain on internal resources. Businesses are short-staffed, overworked, and don’t have the resources to focus on that third-party access point. Cyberattackers are also noticing this, and they're taking advantage of the fatigue to make some moves.

Hackers Are Taking Advantage of these Issues

In the same way car thieves check for unlocked car doors, cyberattackers are constantly prodding and poking, looking for un-managed access points into an organization’s system. Third parties often end up being that unlocked door into an organization, exactly for the reasons mentioned above – businesses are not properly managing or controlling that access. The headlines — with major names like SolarWinds and Colonial Pipeline in them — have shown how time and time again, these third parties are finding themselves in the crosshairs of an attack. The costs of hacks are rising, the amount of ransomware is rising, and the number of organizations that have been breached will also rise unless organizations take action.

How Organizations Can Mitigate Third-Party Risk

Visibility, control, and monitoring. We know where organizations are struggling and where their pain points lie — now it’s just a matter of fixing what is broken. Organizations need to invest in proactive measures, like cybersecurity staff, third-party management, and even automated access management tools to prevent themselves from becoming the next victim. There are multiple solutions on the market that utilize top-tier technology to manage access effectively and efficiently, but organizations must pull the trigger themselves and start taking back control. With the number and cost of hacks going up, it’s an investment you can’t afford not to make.



About the Author

Isa Jones

Isa Jones

Content Writer, Securelink

Isa Jones is the content writer for SecureLink. Based in Austin, Jones has a decade of writing and content strategy experience, including a background in journalism.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing ffiec.bankinfosecurity.com, you agree to our use of cookies.