Varonis, provider of software solutions that protect data from insider threats and cyberattacks, has just announced its findings after analysing a year’s worth of anonymised data collected during risk assessments on behalf of certain customers. It looks as if a lot of organisations are over-exposed.
On average, companies held 9.9 million files on their systems that were accessible to every employee.
To put that in context, Varonis found the average company held 35.3 million files – meaning more than 1 in 6 of a company’s files are exposed to all employees.
Making files accessible en masse means that staff can find and use resources quickly and easily. However, this is also true for hackers: once in, they can do their work quickly and easily. Not the best from a security angle.
There are some extremes – for example, Varonis saw one instance where every employee could access 82% of the 6.1 million folders on their network. Another company had more than 2 million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access. If a hacker were to penetrate these organisations, say through spoofing or stolen credentials, it’s clear they’d have little difficulty in finding some files they could make a quick buck off the back of. In one case, 50% of a company’s folders had “everyone” group permission and more than 14,000 files in those folders were found to contain sensitive data.
So why don’t these companies take security seriously? Often cited are the problems brought about by permissions stopping workers having immediate access to anything and everything. Others say it’s the cost of implementation. However, with new regulations coming in, research like this shows many are a country mile from compliance and will need to take action.