Uncontrolled user access is a weak link in corporate governance

Correct handling of corporate data is important not just to guard against security threats and data breaches, but to avoid the risk of regulatory fines and lawsuits too.

But a new report from secure erasing specialist Blancco Technology Group shows the two weakest links in a company's data governance program are uncontrolled user access to data (53 percent) and managing where data is stored (43 percent).

Data protection and regulatory compliance are further complicated by the fact that organizations are often too lenient in allowing employees to transfer data both inside and outside their organizations. For instance, 69 percent of the surveyed IT professionals admitted they allow employees to transfer data onto their personal mobile devices with only minor limitations and 33 percent allow employees to move data to cloud providers, such as Dropbox, without any restrictions at all. To make matters worse, 47 percent of organizations either have limited visibility or no visibility at all into how employees move data off site.

"The reality is that many organizations adhere to a 'storage is cheap, keep everything' mentality," says Richard Stiennon, chief strategy officer at Blancco Technology Group. "Data hoarding as a practice can be dangerous, as we saw during the Yahoo hack last year when hacker 'Peace' leaked four-year-old data from 200 million Yahoo accounts onto the dark web. Organizations need to learn that, as data ages, its usefulness declines. In actual fact, all retained data is a liability for discovery, breach, theft or loss. When its value is less than the liability, when customers demand it (i.e. closing out accounts) and when regulations require it, organizations need to permanently erase the data so it can never be recovered and result in another situation like the Yahoo breach."

The study also looks at how businesses classify their data. It finds 58 percent do so according to legal requirements, while 56 percent classify data based on how sensitive it is to unauthorized disclosure/modification and 43 percent classify it according to its perceived value to their organization. However, five percent don't know how data is classified inside their organization, while 13 percent either don't classify data or don't know if they do.

Data removal policies are an issue too, 13 percent of organizations don't securely erase digital files and folders that are no longer needed or used. On top of this, 16 percent don't have a data removal policy for when data is no longer needed and 22 percent don't have written data disposal/destruction policies to handle data that's no longer needed. All of which conflicts with the upcoming GDPR's 'right to erasure.'

You can find out more in the full report on the Blancco website.

Photo credit: Pakhnyushcha / Shutterstock