Imprivata Study Finds Nearly Half of Organizations Suffered a Third-Party Security Incident in Past Year
Ponemon Institute and Imprivata study identifies lack of visibility, scarce internal resources, and immature security strategies as primary barriers to combatting third-party access risk
Waltham, Mass. – February 13, 2025 – Imprivata, the digital identity company for life- and mission-critical industries, today released new global research with the Ponemon Institute which found that 47% of organizations have experienced a data breach or cyberattack over the past 12 months that involved a third party accessing their network, a level similar to when the study was conducted two years ago. Notably, 64% of respondents say these types of third-party data breaches will either increase or remain at alarmingly high levels over the next 12-24 months, indicating the problem is here to stay.
Titled “The State of Third-Party Access in Cybersecurity,” the report surveyed nearly 2,000 IT security practitioners worldwide and found increased awareness of the security risks associated with third-party access, likely due to organizations being impacted first-hand by a security incident. However, despite efforts to address third-party risk, doing so remains a challenge because of inconsistent and immature security strategies. In fact, nearly half (48%) of organizations agree that third-party remote access is becoming the most common attack surface.
“Third-party access is necessary to conduct global business, but it is also one of the biggest security threats and organizations can no longer remain complacent,” said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. “While some progress has been made, organizations are still struggling to effectively implement the proper tools, resources, and elements of a strong third-party risk management strategy. Cybercriminals continue capitalizing on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage.”
The far-reaching impact of third-party attacks
Of the organizations that experienced a data breach or cyberattack due to third-party access over the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (53%), regulatory fines (50%), and severed relationships with the affected third party or vendor (49%).
Additionally, 34% say the attack involved the third party having too much privileged access, down from 70% in 2022. This trend suggests that businesses are improving their ability to provide appropriate access levels to third parties, but there is still room to strengthen their overall security strategies within their organization.
Lack of visibility and insufficient resources create challenges in combatting third-party threats
As organizations try to respond to the looming third-party threat, they are struggling. More than one-third (35%) of respondents said they were unsure how the cyberattacks they suffered were perpetrated, a stark increase from just 2% in 2022. Organizations have limited visibility into how vendors are accessing their network, creating a massive blind spot.
In addition to lack of oversight, 41% of respondents say insufficient resources or budget are a top barrier to reducing third-party risk. In fact, 44% believe managing third-party permissions can be overwhelming and a strain on their internal resources, with organizations spending an average of 134 hours per week across IT and security teams analyzing and investigating the security of third-party access.
Today, most (58%) respondents believe their security strategy to address privileged access risks is inconsistent or non-existent, creating an immediate opportunity to address the issue head-on.
Burleson-Davis added: “Third-party attacks won’t stop, and no industry is immune to the issue. Automation, purpose-built capabilities and analytics can help IT teams gain greater visibility without extra burden, putting an end to the ongoing guessing game around third-party privileges.”
For more information, please download the full report here.
Methodology
Ponemon Institute surveyed 1,942 IT and IT security practitioners in the US (733), UK (398), Germany (573), and Australia (238) who are familiar with their organizations’ approach to managing privileged access abuse, including processes and technologies used to secure third-party and privileged end user access to their network and corporate resources. Industries represented in this research are healthcare, public sector, industrial and manufacturing, and financial services.
About Imprivata
Imprivata is the digital identity company for life- and mission-critical industries, redefining how organizations solve complex workflow, security, and compliance challenges with solutions that protect critical data and applications without workflow disruption. Its platform of interoperable identity, authentication, and access management solutions enables organizations in over 45 countries to fully manage and secure all enterprise and third-party digital identities by establishing trust between people, technology, and information. For more information, visit www.imprivata.com.