
Third- and fourth-party access risk: what IAM teams are missing


(@nhi-mgmt-group)
Member Moderator
Joined: 1 year ago
Posts: 8688
Topic starter  

TL;DR: 47% of organisations experienced a third-party breach in the past year, according to Imprivata data, while 34% of those incidents were tied to vendors with excessive privileged access, underscoring how downstream access paths now drive breach exposure. Visibility, centralised inventory, and tighter identity controls matter because supply chain trust breaks where accountability stops.

NHIMG editorial — based on content published by Imprivata: Third- and Fourth-Party Blind Spots Escalate as Vendor Access Gaps Undermine Cyber Resilience

By the numbers:

Questions worth separating out

Q: How should security teams govern vendor access that extends into fourth parties?

A: Security teams should govern vendor access as an identity lifecycle problem, not a supplier checklist.

Q: Why do third-party breaches so often involve privileged access?

A: Third-party breaches often involve privileged access because external accounts are frequently granted broad, persistent reach to get work done quickly.

Q: What do teams get wrong about fourth-party risk?

A: Teams often assume that if the direct vendor is approved, the access chain is controlled.

Practitioner guidance

  • Build a complete external identity inventory: Record every vendor, subcontractor, and unmanaged tool with access to internal systems, including the systems reached, the account type used, and the business owner responsible for it.
  • Replace broad vendor access with named, time-bound entitlements: Eliminate shared or standing external access where possible, and require named user authentication, least privilege, and expiry conditions for every privileged vendor path.
  • Extend access reviews to fourth-party paths: Ask vendors to disclose downstream access chains and require revalidation of subcontractor and tool-based access during each recertification cycle.
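The three guidance items above, turned into a checkable audit over an external identity inventory (owner recorded, no shared or standing access, no expired entitlements, fourth-party paths revalidated within the recertification cycle). This is an added example, not code from Imprivata or NHIMG; the `ExternalAccess` schema, the `audit` function, the 90-day cycle and the sample rows are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

@dataclass
class ExternalAccess:
    """One row of the external identity inventory (fields follow the guidance above)."""
    vendor: str                      # third party holding the access
    system: str                      # internal system reached
    account_type: str                # "named", "shared" or "service"
    owner: Optional[str]             # accountable business owner, None if unknown
    expires: Optional[date]          # None means standing (no expiry) access
    via: Optional[str] = None        # upstream vendor when this is a fourth-party path
    last_revalidated: Optional[date] = None  # last recertification of this path

def audit(inventory: List[ExternalAccess], today: date,
          cycle_days: int = 90) -> List[Tuple[str, str, str]]:
    """Return (vendor, system, issue) for every row that breaks a guidance rule."""
    findings: List[Tuple[str, str, str]] = []
    for row in inventory:
        def flag(issue: str) -> None:
            findings.append((row.vendor, row.system, issue))
        if row.owner is None:
            flag("no business owner recorded")
        if row.account_type == "shared":
            flag("shared account; require named user authentication")
        if row.expires is None:
            flag("standing access with no expiry")
        elif row.expires < today:
            flag("entitlement expired but still present")
        if row.via is not None:  # fourth-party path: must be revalidated each cycle
            stale = (row.last_revalidated is None
                     or (today - row.last_revalidated) > timedelta(days=cycle_days))
            if stale:
                flag(f"fourth-party path via {row.via} not revalidated this cycle")
    return findings

# Constructed sample inventory (hypothetical vendors and systems, not real data).
SAMPLE_DATE = date(2025, 6, 1)
SAMPLE_INVENTORY = [
    ExternalAccess("msp-alpha", "erp-prod", "named", "finance-ops",
                   date(2025, 9, 30), last_revalidated=date(2025, 5, 15)),
    ExternalAccess("msp-alpha", "erp-prod", "shared", None, None),
    ExternalAccess("sub-beta", "erp-prod", "named", "finance-ops",
                   date(2025, 3, 31), via="msp-alpha", last_revalidated=date(2024, 12, 1)),
]

if __name__ == "__main__":
    for vendor, system, issue in audit(SAMPLE_INVENTORY, SAMPLE_DATE):
        print(f"{vendor:10} {system:10} {issue}")
```

Run against a real export, the first clean row shows what a compliant entitlement looks like, while the subcontractor row shows how an approved direct vendor can still hide an expired, unreviewed downstream path.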

What's in the full article

Imprivata's full article covers the operational detail this post intentionally leaves for the source:

  • A fuller breakdown of the third- and fourth-party breach patterns behind the data, including the specific access-control failures that recur.
  • The article’s discussion of vendor privileged access management and why current oversight practices leave blind spots in outsourced environments.
  • The regulatory context behind third-party access governance, including DORA, NIS2, and related pressure on vendor controls.
  • The vendor's recommendations for moving from broad trust relationships to named, time-bound, least-privilege access models.

👉 Read Imprivata's analysis of third- and fourth-party access risk →

(@mr-nhi)
Member Moderator
Joined: 2 months ago
Posts: 8144
 

Third-party access is now an identity governance problem, not just a procurement problem. The article shows that organisations can no longer rely on vendor questionnaires and contractual assurances once external identities are allowed into production systems. The security failure begins when access is granted without the same lifecycle discipline applied to internal privileged accounts. Practitioners should treat external access as governed identity, not as a one-time supplier checkbox.

A few things that frame the scale:

  • 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches, according to The 2025 State of NHIs and Secrets in Cybersecurity.
  • 62% of all secrets are duplicated and stored in multiple locations, causing unnecessary redundancy and increasing the risk of accidental exposure.

A question worth separating out:

Q: Who is accountable when a vendor or subcontractor account is misused?

A: Accountability should sit with the organisation that granted the access, because it owns the entitlement, the review process, and the revocation path. Vendors can have shared responsibility, but the relying organisation still has to prove that access was justified, limited, monitored, and removed when no longer needed.

👉 Read our full editorial: Third- and fourth-party blind spots are weakening vendor risk controls
