SecureWorld News

Ponemon Report: Third-Party Privileged Access, Uncontrolled Risk

Written by Cam Sivesind | Tue | Apr 15, 2025 | 12:13 PM Z

The latest Ponemon-Sullivan Privacy Report has dropped, and its findings should be a wake-up call for cybersecurity professionals navigating the escalating risks around privileged access. The report, "Uncovering the Risks of Privileged Access by Insiders and Third Parties," sponsored by Imprivata, offers a deep dive into how excessive and unmanaged access is undermining security posture across industries.

With nearly half of organizations surveyed reporting breaches tied to internal or third-party access, the message is clear: privileged access is a frontline vulnerability, not just an administrative concern.

Key findings: a privileged access problem hiding in plain sight

1. Breaches are happening—and they're costly

  • 47% of organizations experienced a data breach involving third-party access.

  • 44% reported breaches tied to internal users with privileged access.

  • The average annual cost of dealing with these incidents? A whopping $88,000 in detection, response, and recovery—per breach.

These numbers paint a picture of systems that are vulnerable by design, not by accident. It's not just a policy problem—it's an architectural one.

2. Excess access is rampant

One of the report's most damning statistics: 34% of third-party users and 45% of internal users had more access than necessary to do their jobs.

This over-privileging flies in the face of the Principle of Least Privilege (PoLP)—a foundational concept in access management. It also exposes organizations to unnecessary risk, especially when those with excessive access aren't being actively monitored or offboarded in a timely fashion.

3. We know it's a problem... but we're underinvesting

Despite recognizing the risks:

  • Organizations spend only 25% of their IT security budget on managing privileged access.

  • Only 46% of respondents said they regularly monitor provisioning systems.

  • A mere 41% said they provide adequate training to privileged users.

This disconnect between risk awareness and resourcing is a red flag for cybersecurity leaders.

If you are a security leader, this report reinforces what you probably already suspect: privileged access is the soft underbelly of your security strategy.

Here's what to take away.

Inventory everything:
Maintain a real-time, accurate inventory of who has privileged access—including internal and external users. This isn't just a best practice; it's an operational imperative. Shadow access and outdated entitlements are major risk multipliers.

Implement Zero Trust and just-in-time access:
Instead of persistent privileges, embrace Zero Trust principles:

  • Verify every request.

  • Grant temporary, scoped access.

  • Use MFA, session monitoring, and continuous behavioral analysis.

Monitor and audit—continuously:
Set up alerts for anomalous access behavior. Ensure your logs are not just collected, but analyzed. Monitoring isn't optional when privileged users can become insider threats—intentionally or accidentally.

Invest in culture and training:
Privilege without knowledge is a liability. Empower privileged users (including non-technical ones) with training on secure behaviors, phishing resilience, and data handling.

Engage with procurement and vendor risk teams:
Third-party access is a growing blind spot. Coordinate with Procurement, Legal, and Compliance to ensure contractual and technical controls are in place for vendor access, including periodic reviews and access expiration mechanisms.

The report's findings present a sobering reminder: access is the new perimeter. The organizations that treat privileged access as a top-tier risk will be the ones that avoid becoming headlines. For CISOs and cybersecurity leaders, this is the moment to align access strategy with actual threat posture—and finally close the privilege gap.

The Ponemon-Sullivan Privacy Report is the work of author and independent journalist Bob Sullivan and Dr. Larry Ponemon, Chairman and Founder of the Ponemon Institute, a research think tank dedicated to advancing privacy and data protection practices. Dr. Ponemon is considered a pioneer in privacy auditing and the Responsible Information Management (RIM) framework.