Bomgar, the identity and access management solutions provider for privileged users, has launched its 2018 Privileged Access Threat Report. The global survey explores the visibility, control, and management that IT organisations in the U.S. and Europe have over employees, contractors, and third-party vendors with privileged access to their IT networks.
According to the report, formerly called the Secure Access Threat Report, 72% of UK financial service firms felt unsure whether they had possibly or definitely suffered a breach due to third-party access, and 69% also said they had possibly or definitely suffered an insider-related breach in the last year.
With the advent of open banking, the perimeter of a bank's sensitive data has now extended outside of its own internal network, and financial institutions now need to make their customers' information available through a whole host of third-party providers.
In fact, the research highlighted that 72% of UK financial organisations have seen an increase in the number of vendors they work with in the past year. This is alarming when compared to the finding that the same proportion of UK financial organisations, 72%, claimed that they could have experienced a breach due to third-party access in the last 12 months. In addition to this uncertainty, 69% of UK financial services organisations admitted to having already suffered a serious information security breach, or to expecting one in the next six months, due to third-party access and insider threats.
Despite this, Bomgar's research discovered that financial services is the most trusting industry when it comes to network access, with 48% of these organisations claiming that they completely trust third-party vendors. This is interesting as financial services was also found to be the most likely industry to experience an insider or third-party breach in the last year compared to the other industries analysed in the research, which included the manufacturing, healthcare, telecoms, government and professional services sectors.
"The dangers that vendors and other third-parties present to the financial services industry shouldn't be underestimated," commented Stuart Facey, VP EMEA, Bomgar. "More worryingly though is that financial institutions seem unaware of the root cause of the threat. The unpredictability of these third-parties puts businesses at increased risk. They often have a high level of privileged access to internal networks and sensitive information that financial services organisations have poor visibility and control over, potentially leaving a key attack vector unsecured. Third parties may also have a poor cyber security posture and one that financial services organisations will have little control over."
However, a large part of this risk sits with the organisations themselves, as the report found that 69% rely on third-party vendors too heavily, and 76% admit that having cultures that are too trusting of partners poses a risk to their business.
"Following Equifax's breach, financial institutions need to realise the fiscal and reputational implications that these incidents can have and assess how much access they give to third-parties that operate within their network," states Stuart Facey. "With open banking on the rise, the risks that come from sharing data and network access to an ever-expanding list of partners is only going to grow."
The report did show that some organisations are managing these risks with a privileged identity and access management (PIM/PAM) solution. These same organisations experience less severe security breaches and have better visibility and control than those that use manual solutions or no solution at all. In fact, fewer than half (34%) of organisations using PIM/PAM experienced a serious breach or expect to in the next 6 months, compared to 66% of those without control of their privileged users.
"As the vendor ecosystem grows, organisations need to accept that the way to mitigate risks is by managing privileged accounts through technology and automated processes that not only save time, but also provide visibility across the institution's whole network," commented Stuart Facey. "By implementing cybersecurity policies and solutions that also speed business performance, organisations can begin to seriously tackle third party risks."
The survey was completed in February 2018 by 1021 key decision makers with visibility over the processes associated with enabling internal users and external parties to connect to their systems. Those surveyed were all IT professionals across operations, IT support/helpdesk, IT security, compliance and risk or network/general IT roles. Respondents were from a range of industries, including manufacturing, finance, professional services, retail, healthcare, telecoms and the public sector. The survey was conducted across the United Kingdom, the United States, Germany and France.