I’d just been sent a Varonis study, written by the Ponemon Institute. “Corporate Data: A Protected Asset or a Ticking Time Bomb?” couldn’t be more timely. The danger in not taking data security seriously is growing.
Let’s talk about this report against those events this week.
Personal Interest in Data Security
I’m an ex-internal auditor (among a lot of other things), and when I worked in that field, we often found that executives just didn’t take security seriously enough, particularly with very sensitive data. One of my most internally famous audits was of a new division head, who had been outspoken about how we sucked at security and how much smarter he was on the subject. We discovered that he left the keys to his confidential safe (the thing with the company’s most valuable information in it) in an unlocked drawer in his secretary’s desk in reception (which wasn’t a secure area of the building), along with the master keys to everything else.
While this speaks to both the reason that I didn’t advance that well after that and how folks who live in glass houses really shouldn’t throw stones, it also dovetails with my experience over the years that we have blinders on when it comes to what we should be protecting. Just because we don’t want to protect things like email and user downloads, it doesn’t mean that this practice won’t bite us in the butt, Snowden-style.
Ticking Time Bomb Study
Going over the findings of the Varonis report reminded me of a large number of internal audit reports I’d written over the years, and it was kind of a bad trip down memory lane. Let’s take a look at some of the high, or in this case, low points.
Seventy-one percent of the users believe they have access to company data they should not be able to see, and over half say they see this unauthorized data frequently. Now, these are the users, who typically are pretty liberal with what they think they should have access to, so saying they access too much suggests that the real number is higher. This is an incredibly common bad practice of poor information classification and a lack of control. This alone would cause a division of most companies to fail an intellectual property security audit. In fact, as I read the report, I kind of wondered if any of the firms that were surveyed could pass a security audit, and doubted it.
Four out of five (that’s 80 percent) indicated that their firms didn’t enforce a strict least privileged security model. This is where the default is the lowest level of security access and each level above that needs specific approval, which often should come with time limits. This supports the theory that the 71 percent number above is too small, and the problem is dangerously close to existing in every company.
When email or information is lost, only around 22 percent of the folks surveyed said their IT organizations could tell them what happened to it. With some of the changes being proposed in the U.S. government, this could mean up to 80 percent of the companies in the U.S. would be required by law to make regular data breach disclosures.
A whopping 74 percent of respondents indicated that the cause of their firm’s data breach was employee mistakes, negligence or malice (two of these are potentially actionable and 67 percent indicated that they’d had a breach in the last two years).
And these are just some of the highlights. In the end, assuming the survey is representative, this is great news for those who trade in stolen data. For those missioned with protecting it, not so much.
Here is one final statistic: 60 percent indicated that they can’t find the information they need to do their jobs because it isn’t searchable. I saw something similar to this in a discovery review after a big unsuccessful law suit. The attacking entity, through discovery, actually got better access to the defending company’s data than the company itself had. The CEO clearly had a WTF response to this when it was disclosed.
Wrapping Up: The Data Security Problem Lurks
While Varonis’ study or any funded survey should be taken with some grain of salt, given that they are in the business to fix the problem, these studies highlight the recent news on data breaches. Likely, your own experience showcases that the problem isn’t fictional. Back when I was an auditor, I had a knack for determining whether a place was well run right in the opening meeting. Executives who didn’t take the audit seriously or thought they were untouchable rarely survived the experience. While that didn’t earn me a lot of friends, it also couldn’t have ended any other way.
As we speak, your employees are putting things in email, and downloading things they shouldn’t, and having trouble getting to the things they need, and you sure don’t want to be in a situation where the other side in a litigated matter has better access to information through discovery than you do.
I strongly recommend you survey your own folks and find out how bad this data security/data access problem is. Mitigate it before it becomes a major part of your firm’s history and your employment file.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+