Second-annual report by SecureLink and Ponemon Institute notes that the financial impact of cyberattacks averaged $9M.
Austin, TX — SecureLink, a leader in critical access management, and Ponemon Institute today released a new report titled “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk,” which reveals that organizations have made no significant progress in mitigating cyberattacks and have, in fact, experienced an increase in third-party attacks over the past year.
The report highlights that while the pandemic-accelerated adoption of cloud-enabled solutions and remote access have transformed industries, organizations’ security strategies lag behind these new technologies. Almost 60% of organizations have made changes to their cybersecurity structure in response to an increasing volume of cyber threats. Despite this, 49% of these organizations have experienced third-party attacks in the past 12 months compared to just 44% in the prior 12 months.
“The larger trend of moving to SaaS and cloud technologies means more organizations rely on third parties for core business practices, which in turn opens them up to greater cyberattacks,” commented Joel Burleson-Davis, SecureLink’s Chief Technology Officer. “What this report makes very clear is that third-party access and control is something every single company has to solve. And while no single software can solve all of today’s cybersecurity problems, upfront investment in trusted solutions that secure all access points and integrate with existing technology, will always pay off—especially when the cost of cyberattacks is so high.”
One of the biggest barriers to meaningful cybersecurity reform is the growing complexity of security strategies, with 67% of organizations reporting that the complexity of a system is a primary consideration when determining how they can improve their cybersecurity infrastructure. Limited budgets and labor shortages, which have made it difficult to hire and train expert personnel, are also preventing organizations from making improvements to their security strategies.
“In a constantly evolving third-party threat landscape, organizations need to be proactive and innovative in their approach to preventing cyberattacks and data breaches,” said Dr. Larry Ponemon, chairman and founder of Ponemon Institute. “Limited cybersecurity budgets and not having the desired level of in-house expertise require organizations to invest wisely in those practices that address gaps in their third-party remote access security practices. Most importantly, these include having a comprehensive inventory of all third parties with access to their networks and defining and ranking the levels of risk to sensitive information.”
The report outlines specific challenges organizations are grappling with as they attempt to respond to a clear uptick in cyberattacks and new vulnerabilities brought on by digital transformation. Key findings include:
- Rising cyber threats: Over the last year, organizations have had to adapt to an increasing volume of threats, with 75% of respondents stating they have seen a significant increase in security incidents in the past 12 months, most often due to credential theft, ransomware, DDoS and lost or stolen devices.
- Too much access and too little monitoring: 70% of organizations state that a third-party breach came from granting too much access. At the same time, 50% of organizations don’t monitor access, even for sensitive and confidential data, and only 36% of respondents document the level of access for both internal and external users.
- Resistance to security automation: 51% of organizations are increasing their automated monitoring of security threats. However, 64% of organizations still rely on manual monitoring procedures, costing an average of seven hours per week to monitor third-party access.
- Underreporting of third-party data breaches: Respondents reporting their organization had a third-party data breach increased from 51% in 2021 to 56% in 2022. However, only 39% of respondents say they’re confident that the third party would notify them if the data breach originated in their organizations.
- Limited cybersecurity budgets: Over half of organizations are spending up to 20% of their budget on cybersecurity, yet 35% still cite budget and resources as a barrier to strong security. Resulting breaches have an average financial impact of over $9 million, not counting damage and theft of assets and infrastructure.
- Weak vendor audits: Organizations continue to rely upon contracts to manage the third-party risk of vendors with access to their sensitive information with 60% relying on the third party’s business reputation alone.
The report recommends that organizations adapt to today’s changing security environment by reducing the complexity of their cybersecurity infrastructure, improving internal governance, and enhancing oversight practices. Further insight from highly effective organizations demonstrates that assigning individuals to manage third-party risk, comprehensive documentation of network access, and ensuring security compliance are all essential for strong cybersecurity preparedness.
The study was conducted by Ponemon Institute on behalf of SecureLink and includes responses from 632 IT and security professionals engaged in their organization’s approach to managing remote third-party data risks. Respondents are based in the United States, spanning five industries, including financial services, healthcare, education, and industrial and manufacturing.
To view the complete findings and download the “Treading Water: The State of Cybersecurity and Third-Party Remote Access Risk” report: https://www.securelink.com/research-reports/the-state-of-cybersecurity-and-third-party-remote-access-risk/.
SecureLink is the industry leader in critical access management, empowering organizations to secure access to their most valuable assets, including networks, systems, and data. By leveraging Zero Trust principles, machine learning, and artificial intelligence, SecureLink provides comprehensive security solutions to govern, control, monitor, and audit the most critical and highest risk access points. Organizations across multiple industries — including healthcare, manufacturing, government, legal, and gaming — trust SecureLink to secure all forms of critical access, from remote access for third parties to access to critical infrastructure, regulated information, IT, and OT. For more information visit: www.securelink.com.
Codeword for SecureLink