Research conducted by Varonis Systems, Inc. (NASDAQ: VRNS), the leading provider of software solutions for unstructured, human-generated enterprise data, found that over 50% of IT security professionals are not surprised that end users have access to more company data than they should have.
The survey, undertaken recently at the largest security conferences in Europe and the U.S., Infosecurity Europe in London and RSA Conference in San Francisco, followed a Ponemon Institute study that revealed 71% of end users say they have access to company data that they should not see. In the more recent survey, 17% of respondents said they believe the true number is actually higher.
According to the latest Varonis findings, 59% of respondents were not surprised that more than three-quarters of employees claimed their organisations couldn’t tell them what happened to lost data, files or emails. A further 21% said they believe the number to be worse than this. These results demonstrate organisations’ inability to keep their data secure, with the likelihood of a breach high and the potential for damage significant. When a breach does occur, either due to an attacker that has gotten inside or an employee leaving with sensitive information, organisations would not be able to assess the scope of damage, determine where their data has gone, who took it and when, and would most likely not notice the theft for weeks or months, if ever.
“It is scary to think that this many people consider it normal for employees to have access to data that they shouldn’t have and for companies to not know where their missing data has gone,” said David Gibson, VP at Varonis. “Data doesn’t need to be missing in order to be stolen. Most organisations don’t track or analyse user activity on their unstructured data, and this makes it far too easy for an insider or an attacker that has gotten inside to steal data without being noticed. Without the proper controls around unstructured data, companies are leaving themselves open for all types of trouble. Organisations and their IT departments must – at the very least – start watching and analysing user activity to spot unusual or unwanted behaviour. It’s just too easy to breach the perimeter of a network and there are so many people already inside. Practically speaking, with all the cloud services, mobile devices, remote employees and contractors, there is no perimeter anymore. We need to focus on the data assets that need protecting – making sure we understand where it’s stored, that only the right people have access, and that we can track and analyse use to spot abuse.”