A number of companies conduct surveys to determine how badly folks are doing in key areas related to their offerings. For Varonis, which specializes in managing data controls and access, the survey has to do with, yes, data control and access. Its latest survey released this week, the 2017 Varonis Data Risk Report, showcases that most firms still aren’t taking the risks associated with ransomware and state-driven hacking programs seriously. As a result, they are exposed to the kinds of breaches that could cost billions and even put many out of business. Sadly, things haven’t improved much from when I reported on Varonis’ survey last year. In fact, given that world hostility has clearly increased, our risks appear to be substantially higher.
This isn’t just a company problem, but a national one, because a state-sponsored attack could likely do enough damage so that the economy couldn’t easily recover. Several states are not only capable of this kind of attack, aiming at either data theft or destruction, they appear to be willing to carry them out.
Let’s talk about the results and why they don’t bode well for most corporations or the vendors they use.
The Problem with Excessive Access Breaches and Ransomware
It should be obvious at this point, but every folder and file an employee has access to is at risk if that employee’s ID and password are phished. It doesn’t even have to be the employee who screwed up. For instance, my ID on Xbox live was stolen as a result of someone convincing Microsoft support that they were me, my email address had changed, and I’d forgotten my password. It took me three years and a lot of effort to get that sorted out. You could be the most careful person in the world but all it takes is someone to redirect a password reset request. These things happen thousands of times every day and we don’t exactly put the best and brightest on help desks.
Ransomware is even worse because once on a system, it will encrypt aggressively every file and folder that the employee can access. This is frightening at a state-attack level because it is far more likely for a state like North Korea to plant the related executables but leave them dormant so that they can disrupt supply lines and infrastructure on a massive scale all at once. This is something that I think should be keeping a lot more folks awake at night.
On top of this, you also have the normal concerns over compliance with the various privacy laws all over the world, some of which can be business destroying if violated. Regulatory agencies like the SEC have no sense of humor when it comes to certain classes of leaks. And finally, there is the need to contain confidential information for competitive reasons, so as not to hand competitors an unfair advantage.
Results: Yep, We Are Pretty Much Screwed
Be aware that these numbers come from samples, so the risks they suggest are far greater than the absolute sample results indicate. Use the percentages (assuming a valid sample) as a better indicator of the real risk. The Varonis survey spanned 12 countries and 33 industries, and was split nearly equally between firms below and above 1,000 employees. The base sample was 2.8 billion files comprising 3.79 petabytes of data. Of that, 48M folders out of 236M, or 20 percent, were available to all access groups; in other words, virtually every employee and every temp worker at the sampled companies has access to 20 percent of the data held in folders. This sets what may be a minimum range for how much data could be destroyed or encrypted in large targeted companies (health care, defense, finance/banking, infrastructure, government) in a state-level attack. The reason I say minimum is that a state-level attack would also specifically target executive-level accounts in order to gain access to and damage as many mission-critical systems as possible.
Nearly half the companies sampled had at least 1,000 files classified as sensitive or higher that every employee could access. This could represent one of the most massive data breaches in history if all of these files were captured and released to WikiLeaks at once, and could be deemed a serious and material unplanned cost if the files were encrypted in a ransomware attack, particularly if there was no ransom (in a state-level attack, it is more likely the key would only be provided if the government was successfully forced to capitulate on a major position or military action). This would, and could, represent the opportunity for extortion at a national level.
On top of this, subjective responses indicated that 62 percent of those surveyed had excessive data access, meaning employees could reach files they had no right to see. Over 50 percent didn’t even have a “least privilege” policy in place (a policy that, when enforced, assures that employees have access only to the files and data they need, and only when they need it). And over 60 percent don’t bother to audit permissions to assure that access is legitimate.
Some aspects of this survey showcased that firms were spending excessively on storing data. For instance, over 70 percent of the folders sampled contained stale data, a total of 2 petabytes, or better than half the data sample. This suggests that firms are spending twice what they need to on data storage. Stale data is also a security risk in its own right: no one typically takes ownership of it, yet it remains a problem if compromised.
While a number of companies were called out for doing a great job of securing data access and permissions, realize that even these firms are at risk if trusted partners or vendors aren’t doing the same level of work. At IBM, the largest security test I was part of was supposed to be a showcase of how well IBM could protect its clients. It failed because the ex-spook (spy) hacker broke into a trusted partner easily and used that access to breach the otherwise impressively secure company.
Bad examples included an insurance company where every employee had access to over 30 percent of their total folders, a banking company that had 11.6 folders with unique permissions (nearly impossible to audit), a school with over 200K users who weren’t active and where passwords never expired, and an insurance firm with nearly 60 percent of its user passwords with no expiration. Each of these firms represents catastrophic potential that I doubt their senior management is even aware of, and a potential obvious charge of negligence for the IT organization in the face of a major breach.
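The indicators the report counts above (folders open to global access groups, sensitive files inside them, stale data, inactive users and passwords that never expire) as a small audit over a constructed inventory. This is an added example, not code from the article or from Varonis; the 180-day staleness threshold, the group names, paths and user records are all assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Groups whose membership is effectively "everyone": granting them access makes a folder globally accessible.
GLOBAL_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
STALE_AFTER_DAYS = 180  # assumed threshold; the report does not state its own

@dataclass
class Folder:
    path: str
    groups: set            # groups with any access to the folder
    sensitive_files: int   # files tagged sensitive or higher by classification
    last_modified: date
    size_gb: float

@dataclass
class User:
    name: str
    password_never_expires: bool
    last_logon: Optional[date]

def audit(folders, users, today):
    """Return the report's risk indicators for an inventory of folders and users."""
    open_folders = [f for f in folders if f.groups & GLOBAL_GROUPS]
    stale = [f for f in folders if (today - f.last_modified).days > STALE_AFTER_DAYS]
    inactive = [u for u in users
                if u.last_logon is None or (today - u.last_logon).days > STALE_AFTER_DAYS]
    never_expire = [u for u in users if u.password_never_expires]
    total_gb = sum(f.size_gb for f in folders)
    return {
        "pct_folders_open": round(100 * len(open_folders) / len(folders), 1),
        "open_folders": [f.path for f in open_folders],
        "sensitive_files_open": sum(f.sensitive_files for f in open_folders),
        "pct_stale_data": round(100 * sum(f.size_gb for f in stale) / total_gb, 1),
        "inactive_users": [u.name for u in inactive],
        "pct_passwords_never_expire": round(100 * len(never_expire) / len(users), 1),
    }

# Constructed sample inventory, as a file-server and directory scan might export it.
TODAY = date(2017, 6, 1)
FOLDERS = [
    Folder(r"\\fs01\finance\q1-close", {"Finance-RW"}, 12, date(2017, 5, 28), 40.0),
    Folder(r"\\fs01\public\templates", {"Everyone"}, 0, date(2017, 4, 2), 5.0),
    Folder(r"\\fs01\hr\benefits", {"HR-RW", "Domain Users"}, 300, date(2016, 9, 1), 20.0),
    Folder(r"\\fs01\archive\2012", {"Archive-R"}, 50, date(2012, 12, 31), 100.0),
    Folder(r"\\fs01\eng\specs", {"Eng-RW", "Authenticated Users"}, 8, date(2017, 5, 30), 35.0),
]
USERS = [
    User("alice", False, date(2017, 5, 31)),
    User("bob", True, date(2017, 5, 20)),
    User("svc_backup", True, date(2017, 5, 31)),
    User("former_temp", False, date(2016, 3, 1)),
]

if __name__ == "__main__":
    for key, value in audit(FOLDERS, USERS, TODAY).items():
        print(f"{key}: {value}")
```

Fed real inventory (for example the output of an ACL export and a directory user dump), the same function produces the percentages the report uses to rank a firm's exposure.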
Wrapping Up: Secure Your Systems, and Theirs
I’d say the good news is that if you aren’t in good shape with regard to controls over your data, you’re in good company. And in past decades, I’d even mean it. But with state-level threats hovering over almost every country, this level of exposure creates issues at a national level and the potential for a single connected trusted company to become the critical path for a nation-level attack. In that extreme example, liability would likely flow upstream and being fired would be the best-case outcome. Getting a better handle on our data is a nationwide problem. If this doesn’t improve, the eventual wake-up call may not be survivable by an impressively high number of firms. But I’m most concerned about pivotal common trusted suppliers that may not be secure. If they get compromised, they could hub out a problem the likes of which we have never seen. This isn’t just about fixing your own shop, but making sure suppliers that you can’t assure don’t have enough access to critically hurt your firm.
Wish I had better news. Here is hoping you get a handle on your own access issues before the crap eventually hits the fan.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+