Member Article
Varonis Report Reveals Excessive employee permissions exposing organisations
Varonis today revealed the results from the Varonis Data Risk Report, showcasing an alarming level of exposure for corporate and sensitive files across organisations, including an average of 20% of folders per organisation open to every employee.
Using the Varonis Data Security Platform (DSP), Varonis conducted over a thousand risk assessments for customers and potential customers on a subset of their file systems. The assessment provides insight into the risks associated with corporate data, identifies where sensitive and regulatory data resides, reveals over-exposed and high risk areas, and makes recommendations to increase their data security posture.
Additional key findings from the report include:
236.5 million folders containing 2.8 billion files, comprising 3.79 petabytes of data were analysed. Of that figure, 48,054,198 folders were open to “global access groups,” or groups that grant access to the entire organization. 47% of organizations had at least 1,000 sensitive files open to every employee; 22% had 12,000 or more sensitive files exposed to every employee. 71% of all folders contained stale data, accounting for almost 2 petabytes of data. 24.4 million folders had unique permissions, increasing complexity and making it more difficult to enforce a least privilege model and comply with regulations like General Data Protection Regulation (GDPR).
Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organisation to data breaches, insider threats and crippling ransomware attacks. A recent Ponemon study found that 62% of end users say they have access to company data they probably should not see, and a Forrester Consulting study found that 59% don’t enforce a need-to-know permissions model for sensitive files.
Individual company risks identified during the assessments include:
35% of an insurance firm’s 86.4 million folders were open to every employee. 80% of a banking institution’s 245,575 sensitive files were accessible to every employee. Another banking institution had 11.6 million folders with unique permissions, complicating its efforts to reduce file access on a need-to-know basis.
“In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organisations focus on outer defences and chasing threats, the data itself is left broadly accessible and unmonitored,” said Ken Spinner, VP of Field Engineering at Varonis. “Organisations participate in our risk assessments because they understand the value of their data and the risk it poses for being stolen or abused. We applaud their efforts in taking the first step towards mitigating risk.”
“We found files with sensitive PII in places it should not have been,” said a Chief Security Officer for a state and local government in a recent TechValidate customer survey.
According to that same survey, 68% of end users perform a risk assessment to validate security concerns, 95% agree that the risk assessment helped them identify at-risk, sensitive and classified data and build a plan of attack to reduce the likelihood of a data breach, and 82% rate global access remediation a top priority after seeing the results.
“The initial assessment gets the immediate attention of management, which then assists in building and executing the internal remediation process,” said a Security Manager at a beverage company in the same TechValidate customer survey. “Varonis does an excellent job of identifying internal data security vulnerabilities.”
The Varonis Data Risk Report showcases the findings from a random sampling of 80 risk assessments conducted for customers and potential customers between January to December of 2016 across 12 countries and 33 industries, and within organisations with 50 to more than 10,000 employees. All organisational identifiers have been removed.
Additional Resources:
Read the full Data Risk Report: www.varonis.com/data-risk-report-2017.
This was posted in Bdaily's Members' News section by Varonis .
Enjoy the read? Get Bdaily delivered.
Sign up to receive our popular morning National email for free.