A recent study has revealed that 54% of businesses experienced a third-party data breach in the past year, leading to rising costs associated with these breaches. The average cost of a data breach in the United States has now reached $4.45 million, marking a 15% increase over the past three years. The study suggests that third-party involvement is a significant contributing factor to these breaches.
While the term “third-party breach” may imply that the fault lies solely with the third party, this is not always the case. Organizations must carefully assess the security practices of potential partners and vendors, but they must also secure and manage the non-employee identities those parties use inside the organization to minimize risk. As the severity and frequency of third-party breaches continue to escalate, implementing robust non-employee risk management practices will become increasingly important for businesses.
The volume of identities employed by organizations has surged in recent years, and this holds true for non-employee identities as well. According to a study by McKinsey, 36% of the US workforce now consists of gig, contract, freelance, and temporary workers, up from 27% in 2016. In addition to contract workers, businesses today collaborate with partner organizations, supply chain vendors, consultants, and other external entities, all of whom require varying levels of access to the organization’s digital environments.
The number of non-employee identities is substantial, especially considering the inclusion of non-human identities associated with the multitude of software-as-a-service (SaaS) applications that the average company utilizes. The average organization now relies on 130 different SaaS applications. To function within an organization’s digital environment, each non-employee entity requires properly provisioned identities, which must be managed effectively throughout their lifecycle to mitigate risk and prevent potential threats.
One of the major challenges in securing and managing non-employee identities lies in the onboarding process. IT and security departments often lack adequate information regarding the specific job functions of non-employee workers, making provisioning a challenging task. Due to the pressure to avoid hindering business operations, security teams may opt for granting excessive permissions, which can be risky. If a compromised identity possesses numerous permissions, attackers can cause significant damage.
The transient nature of non-employee workers further complicates identity lifecycle management. Orphaned accounts, where IT or security is unaware that a contractor has left, pose a significant problem: these accounts, complete with their permissions and entitlements, can remain active indefinitely. Legacy permissions and duplicate accounts also pose serious threats. The permissions contract workers actually require must be reassessed continually and unnecessary entitlements removed. Doing this for hundreds or thousands of non-employees is a significant challenge, but an essential part of managing non-employee risk.
To address these challenges, organizations require a comprehensive solution capable of visualizing all non-employee identities through a single dashboard. Furthermore, the solution should clearly outline the permissions and entitlements associated with each identity. Incorporating automated features streamlines the provisioning of new accounts and the decommissioning of older ones.
Additionally, creating predefined roles for specific positions can expedite the onboarding process and enhance security. When a new non-employee begins work, their permissions should have a predetermined end date. It is vital to assign an internal “sponsor” to each non-employee worker, someone who understands the necessary permissions for their role and is responsible for notifying IT about any changes in their status. It is equally important to track changes in sponsorship, such as when a sponsor leaves the organization or assumes a new position.
Furthermore, an effective non-employee risk management solution should facilitate the revalidation process. Regular checks should be conducted to verify the continued presence of non-employees within the organization. This may involve sending monthly notifications to each non-employee’s sponsor to confirm their status.
The system should also monitor the active use of permissions and promptly notify IT and security teams if an identity appears dormant or is overprovisioned with unnecessary entitlements. Ensuring that identities possess only the required entitlements and avoiding orphaned accounts are key elements of non-employee risk management.
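The lifecycle controls described above (role baselines, a predetermined end date, a named sponsor whose departure orphans the identity, periodic revalidation, and detection of dormant or overprovisioned identities) can be expressed as a small review routine. The following is an added example written for this page, not SailPoint code or any product's API; the role names, thresholds, sponsors and identities are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import NamedTuple

# Thresholds are assumptions chosen for this example, not figures from the article.
DORMANT_AFTER = timedelta(days=90)      # no entitlement exercised in this window -> dormant
REVALIDATE_EVERY = timedelta(days=30)   # sponsor must reconfirm the worker at least this often

# Hypothetical predefined roles: the entitlements each role is expected to carry.
ROLE_BASELINES = {
    "contract-developer": {"git-read", "git-write", "ci-run"},
    "vendor-support": {"ticket-read", "ticket-write"},
}


@dataclass
class Sponsor:
    name: str
    active: bool  # False once the sponsor has left or moved to another position


@dataclass
class Identity:
    user: str
    role: str
    sponsor: Sponsor
    end_date: date                 # predetermined end of the engagement
    entitlements: set[str]
    last_used: dict[str, date]     # entitlement -> last date it was exercised (absent = never)
    last_revalidated: date         # last time the sponsor confirmed the worker is still engaged


class Finding(NamedTuple):
    kind: str
    detail: str


def review_identity(ident: Identity, today: date) -> list[Finding]:
    """Apply the lifecycle checks to one identity and return every finding."""
    findings = []
    if today > ident.end_date:
        findings.append(Finding("expired", f"end date {ident.end_date} has passed"))
    if not ident.sponsor.active:
        findings.append(Finding("orphaned", f"sponsor {ident.sponsor.name} is no longer active"))
    if today - ident.last_revalidated > REVALIDATE_EVERY:
        findings.append(Finding("revalidation-overdue", f"last confirmed {ident.last_revalidated}"))
    extra = ident.entitlements - ROLE_BASELINES.get(ident.role, set())
    if extra:
        findings.append(Finding("overprovisioned", ", ".join(sorted(extra))))
    unused = sorted(e for e in ident.entitlements
                    if e not in ident.last_used or today - ident.last_used[e] > DORMANT_AFTER)
    if unused and len(unused) == len(ident.entitlements):
        findings.append(Finding("dormant", f"no entitlement used in the last {DORMANT_AFTER.days} days"))
    elif unused:
        findings.append(Finding("unused-entitlements", ", ".join(unused)))
    return findings


def review_all(identities: list[Identity], today: date) -> dict[str, list[Finding]]:
    """Review every identity; the result feeds the dashboard or IT notification."""
    return {ident.user: review_identity(ident, today) for ident in identities}


# Constructed sample data (not from the article) covering the cases the text describes.
REVIEW_DATE = date(2024, 6, 1)


def sample_identities() -> list[Identity]:
    dana = Sponsor("dana", active=True)
    evan = Sponsor("evan", active=False)   # sponsor left; bob is now orphaned
    return [
        Identity("alice", "contract-developer", dana, date(2024, 12, 31),
                 {"git-read", "git-write", "ci-run"},
                 {"git-read": date(2024, 5, 30), "git-write": date(2024, 5, 29),
                  "ci-run": date(2024, 5, 20)},
                 last_revalidated=date(2024, 5, 15)),
        Identity("bob", "contract-developer", evan, date(2024, 3, 31),
                 {"git-read", "git-write", "ci-run", "prod-db-admin"},
                 {"git-read": date(2024, 1, 10)},
                 last_revalidated=date(2024, 2, 1)),
        Identity("carol", "vendor-support", dana, date(2024, 9, 30),
                 {"ticket-read", "ticket-write", "git-read"},
                 {"ticket-read": date(2024, 5, 30), "ticket-write": date(2024, 5, 28)},
                 last_revalidated=date(2024, 5, 20)),
    ]


if __name__ == "__main__":
    for user, findings in review_all(sample_identities(), REVIEW_DATE).items():
        print(user, [f"{f.kind}: {f.detail}" for f in findings] or ["ok"])
```

Run on the sample data, alice produces no findings, bob is flagged as expired, orphaned, overdue for revalidation, overprovisioned and dormant, and carol keeps her baseline entitlements but carries one granted outside her role that she has never used. The checks are deliberately independent so that a single identity can surface several findings at once, which is what an IT or security team needs to prioritize decommissioning.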
As organizations increasingly rely on contract workers, third-party vendors, SaaS applications, and other non-employee entities, adopting a modern approach to non-employee risk management is no longer optional; it is essential to protect the organization’s sensitive data.
About the Author:
Ben Cody brings over 30 years of experience in building and delivering enterprise software products, as well as leading innovative and efficient product organizations. In his role as SailPoint’s Senior Vice President of Product Management, Ben oversees the company’s product strategy, roadmap, and delivery. Prior to joining SailPoint, Ben held senior product management roles at Digital Guardian and McAfee. His expertise spans identity and access management, data protection, threat detection, cloud security, and IT Service Management. Ben holds a B.A.A. in Management Information Systems from the University of Oklahoma. When he is not focused on building products that protect identities, he is a passionate winegrower.