TL;DR: Nearly half of organisations experienced a third-party breach in the past year, and 34% of those breaches involved vendors with too much privileged access, with related incidents averaging $88,000 in cost, according to Imprivata. The deeper issue is that vendor oversight, access inventory, and accountability still do not extend far enough into fourth-party relationships.
NHIMG editorial — based on content published by Imprivata: Third- and Fourth-Party Blind Spots Linked to $88K Average Breach Cost
By the numbers:
- Nearly half (47%) of organizations experienced a breach involving a third party in the past year.
- 34% were due to vendors having too much privileged access, with each related breach costing an average of $88,000.
- 59% of organizations do not monitor third-party access at all.
Questions worth separating out
Q: What breaks when vendors have privileged access that is broader than their task?
A: Broad vendor privilege turns a supplier relationship into a high-impact intrusion path.
Q: Why do fourth-party relationships make third-party risk harder to manage?
A: Fourth-party relationships hide the identities that actually touch your environment.
Q: How do security teams know whether vendor access is truly under control?
A: They should be able to answer four questions quickly: who has access, why they have it, when it expires, and who can revoke it.
Practitioner guidance
- Build a complete third-party and fourth-party access inventory: record every external vendor, subcontractor, support tool, and delegated service that can reach production or sensitive data.
- Replace broad vendor access with task-scoped entitlements: move external users off shared VPN-style access and onto named, time-bound credentials with least privilege permissions.
- Separate vendor approval from downstream identity approval: do not assume that approving a primary vendor covers subcontractors or connected tools.
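To make the four questions (who, why, when it expires, who can revoke) and the three guidance points concrete, here is an added Python example, not code from Imprivata or from this editorial, that audits a constructed vendor-access inventory for exactly those gaps: scope wider than the task, shared credentials, missing or past expiry, no revocation owner, and fourth-party identities that only inherit the primary vendor's approval. All identities, vendor names, field names and dates are assumptions made for the illustration.

```python
from datetime import datetime, timezone

# Constructed sample inventory (illustrative data, not from the article).
# "via" names the primary vendor a subcontractor (fourth party) reaches us through;
# "approved" records whether this identity got its own approval, not just the vendor's.
INVENTORY = [
    {"identity": "acme-support-jdoe", "vendor": "Acme", "via": None, "shared": False,
     "task": "ticket-triage", "scope": ["tickets:read"], "expires": "2025-01-31T00:00:00Z",
     "approved": True, "revoker": "iam-oncall"},
    {"identity": "acme-vpn", "vendor": "Acme", "via": None, "shared": True,
     "task": "db-maintenance", "scope": ["*"], "expires": None,
     "approved": True, "revoker": None},
    {"identity": "subco-export-bot", "vendor": "SubCo", "via": "Acme", "shared": False,
     "task": "log-export", "scope": ["logs:read"], "expires": "2024-06-30T00:00:00Z",
     "approved": False, "revoker": "iam-oncall"},
]

# Assumed audit date so the expiry check is deterministic.
AUDIT_AS_OF = datetime(2024, 12, 1, tzinfo=timezone.utc)

def _parse(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))

def audit_entry(entry, now):
    """Return the list of control failures for one external identity."""
    findings = []
    if any(s == "*" or s.endswith(":*") for s in entry["scope"]):
        findings.append("broad privilege: scope wider than the task")
    if entry["shared"]:
        findings.append("shared credential: no named user to hold accountable")
    if entry["expires"] is None:
        findings.append("no expiry: access is not time-bound")
    elif _parse(entry["expires"]) < now:
        findings.append("expired: entitlement should already have been revoked")
    if not entry["revoker"]:
        findings.append("no revocation owner: nobody can answer 'who can revoke it'")
    if entry["via"] and not entry["approved"]:
        findings.append(f"fourth party: approval inherited from {entry['via']}, not granted directly")
    return findings

def audit(inventory, now):
    """Map each identity to its findings; an empty list means the identity passes."""
    return {e["identity"]: audit_entry(e, now) for e in inventory}

def run_audit():
    return audit(INVENTORY, AUDIT_AS_OF)

if __name__ == "__main__":
    for ident, findings in run_audit().items():
        print(ident, "OK" if not findings else "")
        for f in findings:
            print("  -", f)
```

Feeding a real inventory export into `audit()` gives the per-identity answer to the four questions; anything with a non-empty list is access the team cannot claim to control.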
What's in the full article
Imprivata's full analysis covers the operational detail this post intentionally leaves for the source:
- The vendor-side breakdown of how third-party and fourth-party exposure was measured across organisations.
- The access governance recommendations for replacing broad VPN access with fine-grained controls.
- The regulatory context behind DORA, NIS2, HIPAA, and FTC pressure on vendor access oversight.
- The discussion of vendor privileged access management and AI-driven analytics as oversight tools.
👉 Read Imprivata's analysis of third- and fourth-party breach risk →
Third- and fourth-party access risk: what IAM teams need to fix
Explore further
Third-party access governance fails when organisations treat vendor trust as a one-time decision. The article shows that many teams vet vendors but do not maintain continuous control over the identities those vendors use. That is not a procurement issue alone; it is a lifecycle problem spanning approval, monitoring, and offboarding across external identities. Practitioners should treat third-party access as an identity programme, not a contract appendix.
A few things that frame the scale:
- 72% of organisations have experienced or suspect they have experienced a breach of non-human identities, according to The 2025 State of NHIs and Secrets in Cybersecurity.
- 91% of former employee tokens remain active after offboarding, leaving organisations vulnerable to potential security breaches.
A question worth separating out:
Q: Who is accountable when a vendor or subcontractor causes a breach?
A: Accountability sits with the organisation that granted or failed to govern the access, even if the compromise occurred through a vendor or fourth party. Contracts matter, but operational control matters more. Security leaders need clear ownership for approval, monitoring, and revocation so that third-party access is managed as an internal control domain.
👉 Read our full editorial: Third- and fourth-party blind spots are raising breach costs