Files remain overexposed and unprotected

Varonis Systems has released a report revealing alarming insight into the prevalence and severity of overexposed and unprotected files and emails on corporate networks worldwide. Most notably, the study, Data Under Attack: 2018 Global Data Risk Report from the Varonis Data Lab, found that on average, 21% of a company’s folders were accessible to every employee, and 41% of companies had at least 1,000 sensitive files open to all employees.

 

The report, based on analysis of Data Risk Assessments conducted by Varonis in 2017 for customers and potential customers on their file systems, shines a spotlight on several issues that put organizations at risk from data breaches, insider threats and crippling ransomware attacks, such as:

 

• Oversubscribed and global access groups giving far too many employees access to sensitive data
• Unmanaged stale and sensitive data regulated by SOX, HIPAA, PCI, GDPR and other standards
• Inconsistent and broken permissions that open security loopholes for hackers
• “Ghost” users that can log in to their accounts and access information despite being inactive
• User passwords that never expire

 

Findings from the report include:

 

• 58% of organizations have more than 100,000 folders open to all employees
• 21% of folders were accessible to every employee
• 41% of organizations had at least 1,000 sensitive files open to all employees
• On average, 54% of an organization’s data was stale, which adds to storage costs and complicates data management

?   On average, 34% of user accounts are enabled, but stale, “ghost” users who still have access to files and folders

?   46% of organizations had more than 1,000 users with passwords that never expire

 

“Too many organizations are drowning in an ocean of unsecured and overexposed data, yet have little or no indication that they’re in danger,” said John Carlin, former Assistant Attorney General for the U.S. Department of Justice’s National Security Division and currently chair of Morrison & Foerster’s global risk & crisis management practice. “Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files. Posing as insiders, they can take their time perusing critical information for political, personal and economic gain -- in fact, some of the biggest breaches in history resulted from unrestricted user access.”

 

“The Varonis Data Risk Report speaks to the ongoing and increasing need for continued diligence in executing business-aligned security programs,” says Optiv Chief Marketing Officer Peter Evans. “Assessing a company’s business requirements first, and starting with an “inside-out” view on risk, can identify and prioritize gaps in security program execution across tools, processes – such as global access – and data. Technology can automate these processes, for both detection and remediation – thereby optimizing security, while increasing efficacy.”

 

“It only takes one leaked sensitive file to cause a headline-making data breach,” said Varonis Technical Evangelist Brian Vecci. “And we’re seeing hundreds of thousands of exposed sensitive folders in our risk assessments. Executives and board members are starting to understand how much of their data is at risk, and they need to know these exposed folders can be fixed. We’ve seen how one unpatched server can lead to a disaster; a single “unpatched” folder can be just as disastrous, and it doesn’t take an expert or sophisticated code to exploit it.”