87% of companies lack data security
By Rob Sobers, software engineer, Varonis
When it comes to cybersecurity, one of the top concerns is the risk and vulnerability of sensitive data. Varonis has completed its annual risk assessment in an effort to provide organizations with guidelines for reducing these risks.
The 2019 Data Risk Report is an analysis of almost 800 risk assessments conducted on data that includes email, files, and folders across various organizations and companies. At-risk and vulnerable data is identified, followed by recommendations to reduce these risks and vulnerabilities.
The information within the 2019 Data Risk Report is just one way that organizations can gain more insight into their cybersecurity strategies and what more they can do to improve data security.
Data Gathering Methods and Scope
Here’s an overview of how data was gathered, and the scope of data analyzed. Reports were chosen from 785 security assessments. Analysts went through data that focused on risk and exposure, stale data no longer required for daily business operations, and users and password use.
The scope of the report covered over 30 different industries, including biotech, education, financial, government agencies, healthcare, and tech. The data examined included:
- Over 54 billion files
- 3 billion folders
- 58 petabytes of data
- 7 million user accounts
- Over 13.4 billion files with global access
- 3,144 exposed and sensitive files per terabyte
The results of the 2019 Data Risk Report include the following key findings. This information can help your cybersecurity team come up with approaches and tactics for reducing your data security risks.
Risk and Exposure
Most organizations give users too much access to company files. Assigning global access gives employees access to all vulnerable and sensitive information, putting this data at risk. Global access also opens the door for cybercrime, giving attackers easy access to files that should be kept under tighter security.
Report findings show that 17% of sensitive files could be accessed by all employees and that 15% of companies had over 1 billion files accessible to each employee. As an average across the organizations studied, each employee had access to 17 million files.
Add to this that many of the files at risk were in violation of data privacy laws such as the GDPR (General Data Protection Regulation), PCI DSS (Payment Card Industry Data Security Standard), and HIPAA (Health Insurance Portability and Accountability Act).
Sensitive data that is exposed and at risk can cost your company not just money and trust; it can also do irreparable harm to your reputation.
53% of company data is stale. Even though this data is no longer used, it still contains private and personal information about clients and customers as well as other sensitive business information, including finances. As with data still being used by an organization, this information is subject to privacy laws.
Other findings on stale data show that 87% of companies have over 1000 stale files that contain sensitive information and that 95% have over 100,000 folders that also contain private data. That amounts to 15,511 sensitive files that are stale for each terabyte.
Stale data an organization no longer needs should be dumped; otherwise, the organization opens itself up to liability if this data is obtained through a security breach.
Passwords and User Accounts
Many organizations are ignoring best practices for passwords and user accounts. In fact, 61% of companies have over 500 employees using passwords that never expire. And when it comes to user accounts, 40% of companies had stale user accounts that were still enabled.
Not changing passwords on a regular basis presents cyber attackers with a great opportunity to break into user accounts, giving them access to an organization’s sensitive business and customer information. Unauthorized access to these active accounts also opens an organization up to disruption of service from a DoS attack.
There is room for improvement across the board when it comes to reducing stale user accounts.
Takeaways from the Risk Report
The aim of the Risk Report is to give organizations tactics to increase security and keep data safe. Here’s what your company can do to up the ante when it comes to data security.
Organizations and companies most at-risk are ranked from highest to lowest based on the average percentage of sensitive files they have exposed:
- 21% – Financial services and manufacturing
- 15% – Biotech, healthcare, and pharma
- 14% – Energy and utilities, and retail
- 12% – Government and military
Minimize and Reduce Risk and Exposure
- Identify which users have been granted global access to sensitive data.
- Grant global access only to users who need to access this information.
- Apply controlled security access to users, minimizing their access to sensitive data.
Manage Stale Data
- Determine what is stale data and if it contains sensitive information.
- Dump or archive stale data you’re no longer using.
- Establish a schedule for retaining data before evaluating if it’s become stale information.
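An added example, not taken from the report or from Varonis, covering the two checklists above (global access and stale data): it walks a directory tree and flags sensitive files that are readable by everyone or stale. The POSIX "other" read bit as a stand-in for global access, the 90-day threshold, modification time as the staleness signal, and the two content patterns are all assumptions.

```python
import os, re, stat, tempfile, time

STALE_DAYS = 90  # assumption: the report summary gives no staleness threshold
# Assumed stand-ins for "sensitive" content: SSN-like and 16-digit card-like numbers
SENSITIVE = re.compile(rb"\b\d{3}-\d{2}-\d{4}\b|\b(?:\d{4}[ -]?){3}\d{4}\b")
# Constructed sample files: (name, content, permission mode, age in days)
SAMPLES = [("payroll.csv", b"alice,123-45-6789\n", 0o644, 400),
           ("hr_notes.txt", b"bob 987-65-4321\n", 0o600, 5),
           ("lunch_menu.txt", b"soup, salad\n", 0o644, 400),
           ("cards.txt", b"4111 1111 1111 1111\n", 0o640, 200)]

def audit_tree(root, now=None, stale_days=STALE_DAYS):
    """Return one finding per regular file under root."""
    cutoff = (time.time() if now is None else now) - stale_days * 86400
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
                if not stat.S_ISREG(st.st_mode):
                    continue  # skip symlinks, devices, sockets
                with open(path, "rb") as fh:
                    sensitive = bool(SENSITIVE.search(fh.read(1 << 20)))  # first 1 MiB
            except OSError:
                continue  # unreadable: skipped here, a real audit would log it
            findings.append({"path": os.path.relpath(path, root), "sensitive": sensitive,
                             "global_access": bool(st.st_mode & stat.S_IROTH),
                             "stale": st.st_mtime < cutoff})
    return findings

def priorities(findings):
    """Sensitive files to restrict (globally readable) and to archive or delete (stale)."""
    restrict = sorted(f["path"] for f in findings if f["sensitive"] and f["global_access"])
    retire = sorted(f["path"] for f in findings if f["sensitive"] and f["stale"])
    return restrict, retire

def build_sample(root, now):
    """Write the constructed SAMPLES into root with the given modes and ages."""
    for name, content, mode, age in SAMPLES:
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(content)
        os.chmod(path, mode)
        os.utime(path, (now - age * 86400,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp, time.time())
        print(priorities(audit_tree(tmp)))
```

A file appearing in both lists, sensitive, stale and readable by everyone, is the first candidate for cleanup.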
Manage Passwords and User Accounts
- Identify non-expiring passwords and change password policy.
- Identify and delete stale user accounts.
- Optimize your company’s ability to detect anomalies that don’t conform to security policies.
According to the 2019 Data Risk Report, there is a lot of room for organizations to improve the security of their business and customer data. Most companies have some areas where their data is at risk and vulnerable to a security breach. Another major concern is the number of companies that are not in compliance with privacy and security regulations covering customer information.
Your organization can use these security guidelines to strengthen your cybersecurity strategies so you can keep your data safe and secure.
About the Author
Rob Sobers is a software engineer specializing in web security at Varonis and is the co-author of the book “Learn Ruby the Hard Way.”