Survey finds non-employee and non-human identities leading to major security issues
Authored by Michael Conti, Product Marketing Manager
In true SailPoint fashion, we are always hungry to learn more. More about new technologies, security threats, market needs — the list goes on. So, we recently conducted a global survey of security & IT professionals and executives to better understand how companies manage non-employee and non-human identities and their respective access privileges.
We found that 97% of companies provide access to non-employees, and nearly 9 in 10 provide access privileges to non-humans. However, 54% of executives surveyed revealed that inappropriate access granted to a non-employee or non-human has resulted in severe security issues such as loss of control of resources, data loss, compromised intellectual property, and direct security breaches.
Takeaway: Providing access to non-employees and non-humans has become a standard business practice, but incorrectly granting and managing access poses a tremendous business risk.
A key contributor to the risk is the dependence on manual steps to grant access to third-party non-employees, requiring actions and approvals from numerous employees. For example, 67% of companies require three or more individuals to provide access for non-employees, and 30% need five or more people. All these handoffs create opportunities for process errors, compounded by the fact that most are performed manually. Removing access is just as laborious, with 83% requiring manual tasks to remove it.
With so many people and steps involved, process ownership is often a mystery. So it’s no surprise that nearly 7 out of 10 companies stated they have issues with duplicate and orphaned identities.
Regarding non-human identities, just 51% of companies know in real time which non-humans are accessing their systems. Half of the survey participants admit they have granted inappropriate access to non-humans, with an additional 14% unclear. And, just like with non-employees, giving access requires many employees and manual steps.
Participants provided many different processes and policies for managing non-employees and non-humans, but the lack of consistency indicates immaturity in methodology, best practices, and tools.
Simply put, the predominantly manual approach to managing non-employee and non-human identities and access exposes businesses to short- and long-term security issues and compliance risks while wasting IT and security resources. And nothing about that sounds good.
Creating identities and granting access to non-employees and non-humans is a business necessity. The research, however, shows that this needs to be managed better.
The risk of inappropriately privileged identities causing serious business issues is scary for many companies. And the stakes are only increasing with emerging threats like software supply chain security and identity-focused exploits. Companies need to find a better, automated solution to manage the cyber keys to their business.
So, what’s the first step? Innovative organizations have turned to SailPoint’s Non-Employee Risk Management, a solution for non-employee and non-human identity management. It’s a purpose-built system that utilizes automation and allows internal and external users to collect identity data while onboarding a new non-employee to eliminate over-provisioning and reduce risk.
Learn how SailPoint has helped enterprises make well-informed, risk-based decisions about access to their non-employees, ultimately reducing the risk of security breaches.