Overexposure of data leaves organizations at risk
Excessive employee permissions are exposing organizations to insider threats, ransomware and other risks, according to the findings of a new report.
Using its Data Security Platform, threat prevention specialist Varonis conducted over a thousand risk assessments for customers and potential customers on a subset of their file systems totaling over 236 million files and 3.79 petabytes of data.
The study reveals that 47 percent of organizations have at least 1,000 sensitive files open to every employee, while 22 percent have 12,000 or more sensitive files exposed to every employee. An average of 20 percent of folders in all organizations are open to all employees.
An additional risk comes from the fact that 71 percent of all folders contain stale data, accounting for almost two petabytes of information. Some 24.4 million folders had unique permissions, increasing complexity and making it more difficult to enforce a least privilege model and comply with regulations like GDPR.
"In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organizations focus on outer defenses and chasing threats, the data itself is left broadly accessible and unmonitored," says Ken Spinner, VP of field engineering at Varonis. "Organizations participate in our risk assessments because they understand the value of their data and the risk it poses for being stolen or abused. We applaud their efforts in taking the first step towards mitigating risk."
The report also identifies risks at individual companies. These include an insurance firm where 35 percent of its 86.4 million folders were open to every employee, and a banking institution where 80 percent of its 245,575 sensitive files were accessible to every employee. Another banking institution had 11.6 million folders with unique permissions, complicating its efforts to reduce file access on a need-to-know basis.
With GDPR on the horizon underlining the need for privacy by design, it's important for companies to take control over their data and who can access it. Matt Lock, director of sales engineers at Varonis UK, says, "Arguably your most valuable asset is your data, GDPR is a great opportunity for organizations or IT departments to be able to get funding for projects that they've been wanting to do for a long time. They know their active directory has been mismanaged, they want to get rid of stuff they’re not using anymore, they want to implement retention policies, they want to lock down permissions. So GDPR is a fantastic driver for companies to get budgets to do these things."
The full report is available on the Varonis website and there's an infographic summary of the findings below.