While third parties cause or are implicated in 63% of all data breaches, only 2% of IT experts consider third-party secure access a top priority in terms of IT initiatives and budget allocation.

Those key findings were revealed by a survey of more than 200 IT and security C-level executives, directors and managers at enterprise-level companies conducted by the newly formed Soha Third-Party Advisory Group.

The group, created to research third-party access and recommend best practices, consists of security and IT experts from Aberdeen Group, Akamai, Assurant, BrightPoint Security, CKURE Consulting, Hunt Business Intelligence, PwC and Symantec.

The report revealed four key insights:

Third-party access is not an IT priority, yet it is a major source of data breaches.

Respondents believe their own organizations are secure from third-party data breaches but think their competitors are vulnerable to them.

Providing third-party access is complex and tedious, and has many moving parts.

IT professionals take data breaches personally but are not worried about losing their jobs due to a breach.

Even with all of the recent third-party breaches involving such notable brand names as CVS, Samsung, American Express and Experian, the survey revealed 62% of respondents do not expect their organization to be the target of a serious data breach due to third-party access, but 79% expect their competitors to suffer a serious data breach in the future.

Survey respondents admitted third-party access is an ongoing security challenge. While respondents did not believe their organizations were vulnerable to an attack through third parties, 56% had strong concerns about their ability to control and/or secure their own third-party access.

Three-quarters of respondents said they must touch 5 to 14 network and application hardware and software components to provide third-party access.

The survey results highlight a disconnect between IT priorities and the need to mitigate third-party data breaches, Mark Carrizosa, the group's chair and Soha's chief information security officer and VP of security, indicated.

"The survey shows enterprises have vastly underestimated the resources required to deal with such breaches, even as their need to provide secure third-party access continues to grow," he said.

According to 55% of respondents, providing third-party access to new supply-chain partners or others was a complex IT project. They said they have to touch an average of 4.6 devices, such as VPNs, firewalls, directories and more.

Third-party access is not something that will go away; 48% of respondents saw third-party access grow over the past three years and 40% said they see growth continuing over the next three years.

"For business reasons, organizations are increasingly providing third parties with access to their IT infrastructure, but IT and security leaders really need to help their business leaders understand the risks of third-party access and take steps to help manage these risks to an acceptable level," Aberdeen Group Vice President and Research Fellow Derek Brink said.

The survey also asked IT professionals, "If a data breach occurred in your area of responsibility, would you feel personally responsible?"

Interestingly, 53% of respondents said they would because they felt it would reflect poorly on their job performance; however, only 8% thought they might lose their job if a data breach occurred during their watch.

The advisory group reported that although IT professionals take their jobs seriously, accountability for data breaches remains vague and this ambiguity might affect attitudes and behavior when it comes to ensuring that organizations are safe from outside threats.

"In a world of applications spread across public and private clouds and accessed by external users who are not your employees using devices you do not manage, providing secure third-party access is a very difficult problem," Symantec SVP, Information Protection Nico Popp said. "It takes a long time for IT to work through the moving parts. In fact, the lack of centralized control makes it virtually impossible for IT to govern and secure third-party access today."


Roy Urrico

Roy W. Urrico specializes in articles about financial technology and services for Credit Union Times, as well as ghostwriting, copywriting, and case studies. Also: writer/editor of a semi-annual newsletter for Association for Financial Technology since 1997 and history projects funded by the U.S. Interior Department, National Park Service and Warren County (N.Y.).