This week, Varonis, which specializes in solutions that protect against insider threats, issued a comprehensive report generated from risk assessments the company does over the year. This report pretty much showcased why most companies are breached. It is because they have ineffective security policies and their control over their own data is all but non-existent in many cases. For instance, an average of 9.9M, that is million, files per assessment is accessible by anybody who has employee access rights in the company. And we generally know that generic employee access rights haven’t been tightly managed in most companies, well, ever.
Granted, this is exactly the kind of problem Varonis is expert at solving, which is why it does this report, but the results are frightening.
Ransomware products include Reveton, Cryptowall, KeRanger, and likely the best-known, CryptoLocker and its derivatives. These products encrypt files and then the attacker asks for money in exchange for a key to get access to your files back. Most recently, a particularly nasty form of ransomware has emerged called Locky; this product spreads to all connected drives, encrypting pretty much everything. This massively increases the risk to the company if access isn’t restricted because an infected employee will spread the infection to every infected drive and all of those 9.9 million files identified in the opening paragraph.
This puts the following stats in perspective.
Average Scary Stats on Encryption Risk
The following stats are averages across all of the companies that were evaluated during the last year, which means that half of these firms were worse than this, and some likely far worse.
- The average folder size is 8.8 million files; if one employee with access to this folder is contaminated with Locky, all files would likely be encrypted.
- A whopping 28 percent of folders were accessible by every employee, meaning an average of 1.1 million folders could be encrypted by one contaminated employee: ANY contaminated employee.
- Thirty-one percent of the accounts, on average, were stale, meaning the related employee likely no longer worked at the company or was on some form of extended leave (over 60 days). These all could be insertion points for a variety of attacks.
- While this has more to do with litigation exposure, compliance and discovery, 2.8 million files had been untouched for six months or longer.
Specific Examples of Companies’ Ransomware Risk
In one company, every employee had access to all of 82 percent of the files. Effectively, one infection would put the firm out of business. In another company, two million files containing credit card, Social Security or account numbers were accessible to every employee, creating a huge breach risk. Another firm had 50 percent of the files with “everyone” permissions, definitely another going out of business scenario, and given that 14,000 folders had sensitive information, this would likely also be true of a more typical breach. Finally, one firm had 146,000 stale users or three times the total number of employees of the typical Fortune 500 company. If there was a breach, the top IT folks, particularly the CSO, would likely be gone as a result because avoiding a charge of negligence would be nearly impossible.
On a call with Varonis on this topic, additional stories were shared from this period and previously. Apparently, an admin who was upset (my guess) with their boss or the company was just randomly deleting important files they had access to. A CEO’s confidential folder was open to a huge number of employees, creating any number of problems with employees getting access to folders that had peer salary information in them. The worst was a casino, where almost every employee had access to most of the credit card information.
Wrapping Up: Protect Your Company from Ransomware Risk
Whether you use Varonis or some other firm in this space, getting control over the firm’s information in the face of increased breaches alone would seem prudent. Most of what I’m currently running into these days are insider threats, either from disgruntled employees or, more often actually, stupid mistakes -- and the result can be catastrophic. Now that ransomware has become a popular way to make a living, this is becoming even more critical; hospitals and even police organizations are being successfully blackmailed.
These frightening stats showcase that a lot of folks are currently at risk and a scary number of company could be shot down by one employee being successfully tricked to install something like Locky.
I’ll leave you with one more story. Back when I worked for IBM, I released a highly sensitive report critical of one of our major products. This report was leaked to our largest customer, who used it as a reason to stop doing business with us. The SVP of Sales personally asked that I be fired. Because I’d secretly implemented document tracking on everything I issued (and I owned security for my unit), we were able to trace this leak to the SVP’s office; he later left the company to join the competing firm that had, coincidentally, given that file to the customer. Varonis shared a somewhat similar story of an admin who was being fired for lying about deleting an important appointment, but tracking showed that it was actually her boss who had deleted the entry.
Sometimes document controls and tracking can save your job; they sure saved mine. Something to ponder over the weekend.
Rob Enderle is President and Principal Analyst of the Enderle Group, a forward-looking emerging technology advisory firm. With over 30 years’ experience in emerging technologies, he has provided regional and global companies with guidance in how to better target customer needs; create new business opportunities; anticipate technology changes; select vendors and products; and present their products in the best possible light. Rob covers the technology industry broadly. Before founding the Enderle Group, Rob was the Senior Research Fellow for Forrester Research and the Giga Information Group, and held senior positions at IBM and ROLM. Follow Rob on Twitter @enderle, on Facebook and on Google+