• 51% of UK organisations experienced a cyberattack due to third-party access in the past year, according to new research.
• The figure exceeds the global average of 47%, highlighting a growing cybersecurity risk.
• Nearly half of organisations agree that third-party access is the most common attack surface.
• 65% of respondents expect third-party data breaches to remain the same or increase.
• Only 58% of companies apply best practice principles for managing third-party risks.

A new report has revealed a growing cybersecurity threat to UK organisations, with 51% experiencing a data breach or cyberattack involving third-party network access over the past year. 

This figure surpasses the global average of 47%, highlighting the growing risks posed by external vendors and partners.

The State of Third-Party Access in Cybersecurity study, from digital identity firm Imprivata and the Ponemon Institute, surveyed nearly 400 IT professionals across industries such as healthcare, finance, manufacturing, and the public sector. 

Despite increasing awareness of the security risks associated with third-party access, organisations continue to struggle with implementing effective security strategies.

Nearly half of respondents agreed that third-party remote access is now the most common attack surface, exposing critical vulnerabilities. 

Imprivata’s Senior Vice President of Worldwide Engineering, Cyber, Joel Burleson-Davis, warned that cybercriminals are actively exploiting these gaps, capitalising on a lack of visibility into vendor ecosystems.

While businesses are making efforts to address these risks, inadequate security frameworks leave them open to attack.

For organisations that suffered a breach in the past year, the consequences were severe. More than half reported the loss or theft of sensitive information, while 49% faced regulatory fines.

Another 47% saw relationships with third-party vendors severed due to security failures. The problem is particularly acute in healthcare, where 44% of organisations reported experiencing a breach caused by excessive third-party access. 

The 2024 Synnovis and Change Healthcare breaches served as stark reminders of the high stakes, with the Synnovis attack leading to over 6,000 cancelled medical appointments and procedures within five weeks.

The research suggests that third-party security risks are not diminishing anytime soon. A significant 65% of respondents expect third-party data breaches to remain at current levels or increase over the next two years.

Burleson-Davis stressed that no industry is immune and called for immediate action to strengthen third-party risk management strategies. Yet, despite the urgency, only 58% of organisations currently apply best practice principles to mitigate these risks.

Many companies continue to face challenges in resourcing and enforcing vendor compliance.

Time constraints and staffing shortages mean security teams must be strategic and intentional about their third-party risk management frameworks.

Ensuring secure access to high-value data and assets requires clear policies and stronger partnerships with vendors who prioritise compliance.

Without significant improvements, UK businesses will remain vulnerable to cyber threats that exploit weaknesses in third-party access controls.