Ponemon Institute and Imprivata study shows UK organisations struggle to combat third-party risk due to lack of resources, limited budget, and no centralised control or ownership

LONDON, March 11, 2025: Imprivata, the digital identity company for life- and mission-critical industries, today released new research with the Ponemon Institute which found that 51% of UK organisations have experienced a data breach or cyberattack over the past 12 months that involved a third party accessing their network, which is higher than the global average of 47%.

The report titled, "The State of Third-Party Access in Cybersecurity," surveyed nearly 400 IT professionals from UK organisations spanning healthcare, public sector, financial services, manufacturing, and other industries. The results revealed increased awareness of the security risks associated with third-party access. However, despite efforts to address third-party risk, it is still a challenge due to insufficient security strategies. In fact, nearly half (47%) of organisations agree that third-party remote access is becoming the most common attack surface.

"Third-party access is a critical vulnerability for UK organisations and leaders can no longer remain resigned to the current state we find ourselves in. Despite increased awareness of this threat, organisations are still struggling to effectively implement the proper elements of a strong third-party risk management strategy," said Joel Burleson-Davis, Senior Vice President of Worldwide Engineering, Cyber, at Imprivata. "Cybercriminals continue capitalising on this weakness, using the lack of visibility and uncertainty across the third-party vendor ecosystem to their advantage."

Of the organisations that experienced a data breach or cyberattack in the past 12 months, the biggest consequences suffered were the loss or theft of sensitive and confidential information (54%), regulatory fines (49%), and severed relationships with the affected third-party or vendor (47%).

In addition, the study reveals the extent of the problem facing healthcare when it comes to managing third-party access to key clinical systems, as 44% of healthcare organisations reported experiencing a breach resulting from giving too much third-party access in the last 12 months. The Synnovis breach and Change Healthcare breach, both in 2024, demonstrate just how serious the consequences can be, with reportedly over 6,000 UK appointments and procedures cancelled within just five weeks due to the Synnovis attack.

The findings indicate this problem is here to stay, as 65% of respondents anticipate that data breaches caused by third parties will remain the same or increase over the next 12-24 months.

"No industry is immune to this attack vector and third-party attacks won't stop," added Burleson-Davis. "With more than half of UK organisations reporting a third-party access-related attack or breach, robust third-party access management strategies are imperative."

While organisations are taking steps to ensure appropriate access to their high-value data and assets, there is still much room for improvement as no more than 58% of respondents reported that they leverage discrete best practice principles to solve for consistent third-party risks.

As organisations continue to assess their vendor compliance and risk management policies, many are still struggling with resourcing and time constraints. Security teams must be clear, strategic, and intentional about where, how, and who they partner with to implement a third-party access compliance solution.

Methodology

Ponemon Institute surveyed 1,942 IT and IT security practitioners in the US (733), UK (398), Germany (573), and Australia (238) who are familiar with their organisations' approach to managing privileged access abuse, including processes and technologies used to secure third-party and privileged end user access to their network and corporate resources. Industries represented in this research are healthcare, public sector, industrial and manufacturing, and financial services.

