The security threat posed by third-party vendors is far from diminishing. The Mobile Guardian breach in Singapore serves as one of many cautionary tales about the risks of outsourcing critical functions to third-party providers, as evidenced by the impact on 13,000 students. Recent research has also revealed that 98% of organisations have experienced a breach through a third party – with third-party attacks responsible for 29% of all breaches. This is worrying, especially as ransomware attacks hit a record high in 2023, with a 49% increase in victims globally compared to the previous year.
In today’s digital-first landscape, an organisation’s security is only as strong as its weakest link. With third-party identities becoming more deeply integrated into core operations, the potential for a breach has never been greater. As the number of individuals accessing an organisation’s resources increases, so too does the risk of compromised credentials, providing cybercriminals with potential entry points.
The expanding attack surface
For one, the use of contingent workforces has become increasingly prevalent across organisations due to the flexibility and access to specialised skills they provide. In fact, 65% of global business leaders reported plans to increase their use of contingent workers over the next two years, while 80% indicated they are already utilising them. This growing reliance often leads to more relaxed access management processes and insufficiently controlled access permissions, making organisations more susceptible to insider threats.
Insider threats can originate from current or former employees, as well as third-party vendors. While insider threats are often associated with malicious intent such as deliberate data theft or sabotage, they can also be accidental. For example, employees might fall victim to phishing attacks or social engineering tactics, leading to unintentional disclosure of sensitive information. In fact, research indicates that a staggering 85% of data breaches are caused by human error, often due to factors like inadequate training, careless actions, or weak security policies.
Not to mention, the growing adoption of AI is also introducing new risks related to third-party identities and data security. AI solutions often involve intricate ecosystems of interconnected components, many of which are provided by third-party vendors. Additionally, AI models require vast amounts of data to train and operate effectively, often leading to the sharing of sensitive data with external AI providers.
With identities expected to grow roughly 14% in the next three to five years, organisations are facing a growing vulnerability to cyberattacks. Without advanced identity security measures, they risk the loss of customer trust, reputational damage and financial losses.
Why legacy identity management solutions are not enough
Legacy identity and access management (IAM) systems frequently lack a comprehensive view of user access across all business applications and are ill-equipped to handle the heightened security demands and influx of new identity types, particularly third-party identities.
This problem is exacerbated when data is dispersed between on-premises and cloud-based environments, making compliance even more difficult. Additionally, traditional IAM solutions may struggle to manage the vast number of access privileges distributed across different applications and environments.
This is particularly pronounced in the Financial Services Industry (FSI), a sector highly susceptible to cyberattacks. SailPoint’s recent 2024 State of Identity Security in Financial Services report revealed that on a global scale, 47% of FSIs have identified managing third-party identities as the top identity security challenge. FSIs that are struggling to manage a growing number of identities are exposing gaps in their access management processes, leading to breaches and compliance audit findings. The result? More attacks. This is especially true in Singapore, where the FSI sector is among the most spoofed industries.
The growing complexity of distributed networks, coupled with heavy reliance on third-party tools and Software as a Service (SaaS) services, creates significant challenges in achieving cloud security. IT and security teams struggle to maintain effective access control and governance due to limited visibility and insights into access data. Furthermore, manual access management often leads to "over-provisioning" – granting more access than necessary, which can create security risks and non-compliance issues.
Securing the digital perimeter
What organisations need is a robust, enterprise-grade identity security programme to effectively manage their growing digital footprint and protect their sensitive data. This programme should ensure that only authorised individuals have access to necessary resources, especially as organisations need to manage a diverse range of identities, including devices, software bots, partners, and third-party users.
To efficiently manage these identities, organisations should leverage AI and ML-powered identity security solutions. These technologies can analyse vast amounts of data to detect potential threats, enabling organisations to respond more quickly and effectively. By tracking access patterns and flagging suspicious activities in real-time, organisations can gain a better understanding of their security needs and enhance their posture.
Furthermore, organisations should also focus on regularly monitoring and reviewing access privileges, while conducting thorough due diligence on potential contract workers and third-party service providers. This process should include verifying that third-party identities adhere to industry best practices and maintain a strong security posture. By conducting additional background checks, security clearances, or certifications, organisations can better protect themselves against breaches.
Ultimately, by adopting a proactive approach to identity security, businesses can build a resilient organisation that is better equipped to withstand cyber threats. Relying solely on vigilance is insufficient; businesses must invest in the right strategies, identity security measures and processes to safeguard their success.
Eric Kong is the managing director for Asean at SailPoint