Editorial

Where are the open doors and what can they access?

Matthew Cooper, Client Director, Central Government at SailPoint, on how to solve the challenge of third party risk.

Posted 4 September 2024 by Christine Horton


Whichever way you turn, everybody is talking and writing about cybersecurity risks, threats, and ransomware. In the case of the latter, it is typically bad actors stealing data and then demanding outrageous sums of money for its return or non-release. But how did organisations get into the position where they could be held for ransom?

Typical scenarios might involve hackers breaking into systems, doors being left open due to poor coding, phishing emails, weak security postures, or negligence in managing passwords, network access, or applications.

A simple phishing email can open one of these doors and lead to credential theft. Why does this matter? Once initial access is gained, attackers can escalate to more privileged, riskier access to resources and gain the ability to cause significant harm.

These attacks can cause devastating disruption to citizen services and damage public trust in the security of critical infrastructure. A central bank, for example, is an essential part of that infrastructure. As a cybersecurity design team leader at a recent central bank customer put it: “For the good of the people of the country it all depends on good identity and access management processes. We knew we couldn’t meet the levels of accountability and compliance we needed to if we didn’t have the appropriate tools in place.”

In central government, thousands of contractors and service providers work on and deliver critical services, yet the biggest threat typically comes from within. Usually this stems from inadequate access control: people holding access to applications and data that is not appropriate to their role.

Additional risk comes from ungoverned third-party access. According to a recent report, “Manual Approach to Managing Non-Employee and Non-Human Identities Leads to Security Risks”, 97 percent of companies provide access to non-employees, and 86 percent state that inappropriate access has resulted in loss of control of resources, data, intellectual property, and more.

Very few organisations operate without third parties providing services to them, and the number that rely on them is rising. In some cases the number of contractors per employer has risen by 48 percent, and there are 1.9 million contractors in the UK in total.

However, the processes for granting them access are usually cumbersome, often involving HR, IT, an internal project manager acting as the non-employee sponsor, an external sponsor from the third party itself, and the non-employee. The result is an organisation that does not know how its third parties are being used or what access they hold.

Solving this challenge is fundamental to a cohesive security plan, but because most solutions overlook it, any security strategy that does not address the non-employee conundrum has a gaping hole. The problem extends well beyond user authentication and password management.

Organisations can do more to reduce their attack surface. Identity security, also known as identity governance, is the security perimeter for workforce identities. A strong identity security programme can help organisations reduce risk and build resilience against credential compromise, outright theft, and third-party access risk.

Appropriate policies and procedures form an iron wall of defence. As part of this identity-first security focus, non-employees (such as contractors, partners, and outsourcers) should be treated as potential threats and form a fundamental part of an overall cybersecurity strategy.

If we consider what the key fundamentals of a successful non-employee security solution should look like, several challenges need to be addressed, including:

  • Traditional solutions require every non-employee to be in the HR system, creating cumbersome internal processes reliant on numerous parties
  • Controls need to be delegated so that organisational functions can manage their partners easily and quickly
  • The full identity lifecycle needs to be managed, rather than managing authentication alone while access to systems goes uncontrolled
  • The user interface needs to be simple enough that non-IT colleagues can manage access themselves
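As an added illustration, not code from the article or from any SailPoint product, the following Python check runs over a constructed inventory of non-employee identities and reports the “open doors” the headline asks about: accounts with no accountable sponsor, accounts still enabled after the contract end date, and accounts holding high-risk entitlements. The user ids, sponsor names, entitlement labels and dates are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional, Set, Tuple


@dataclass
class NonEmployee:
    user_id: str
    sponsor: Optional[str]            # internal colleague accountable for this access
    contract_end: date                # date after which the engagement is over
    entitlements: Set[str] = field(default_factory=set)
    enabled: bool = True


# Constructed labels standing in for an organisation's own high-risk entitlements.
HIGH_RISK = {"domain-admin", "payroll-export", "prod-db-write"}


def find_open_doors(identities: List[NonEmployee], today: date) -> List[Tuple[str, str]]:
    """Return (user_id, reason) findings for access that should not still be live."""
    findings = []
    for ident in identities:
        if not ident.enabled:
            continue                  # already offboarded, nothing to report
        if ident.sponsor is None:
            findings.append((ident.user_id, "no accountable sponsor"))
        if ident.contract_end < today:
            findings.append((ident.user_id,
                             f"contract ended {ident.contract_end.isoformat()} but account still enabled"))
        risky = sorted(ident.entitlements & HIGH_RISK)
        if risky:
            findings.append((ident.user_id, "high-risk entitlements: " + ", ".join(risky)))
    return findings


# Constructed sample inventory: one clean contractor, one with no sponsor holding
# a risky entitlement, one whose contract has lapsed, and one correctly disabled.
SAMPLE = [
    NonEmployee("ext-alice", "pm-jones", date(2025, 3, 31), {"ticketing", "wiki"}),
    NonEmployee("ext-bob", None, date(2025, 6, 30), {"prod-db-write"}),
    NonEmployee("ext-carol", "pm-smith", date(2024, 1, 15), {"vpn", "payroll-export"}),
    NonEmployee("ext-dave", "pm-smith", date(2023, 12, 1), {"vpn"}, enabled=False),
]
TODAY = date(2024, 9, 4)  # constructed reference date for the review

if __name__ == "__main__":
    for user, reason in find_open_doors(SAMPLE, TODAY):
        print(f"{user}: {reason}")
```

In practice the inventory would be fed from the identity governance system rather than hard-coded, and each finding would be routed to the named sponsor for review.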

SailPoint Non-Employee Risk Management provides a solution to this challenge. Download our infographic to learn more.

If you are interested in this article, why not register to attend our Think Digital Identity and Cybersecurity for Government conference, where digital leaders tackle the most pressing issues facing government today.
