Organizations Aren’t Limiting Access to Sensitive Data

Protect the data. That’s the current battle cry of so many security professionals, and it’s easy to see why. With so many endpoints now connecting to the network, and with issues like shadow IT and BYOD and IT struggling to determine every device or application accessing files, focusing directly on protecting the data makes a lot of sense.

One of the best ways to protect the data, security pros say, is to limit access to those sensitive files. When I ask anyone what their best practice advice is for better data protection, the answer is always encryption first and keep access of the data confined to only those who absolutely need it.

However, a new study from Varonis shows that we aren’t doing a very good job at protecting the data or limiting access. Nearly half of the respondents (47 percent) admit that they have at least 1,000 sensitive files open to every employee and 71 percent of all folders contained stale data, accounting for almost 2 petabytes of data.

Surely, so many sensitive files don’t need to be made available to every person in the company. And the key word there is sensitive, which could assumedly include financial information, customers’ personal information or intellectual property. Allowing so many to have access to sensitive files opens that many more doors for hackers to find a way in. As for all that stale data, you have files that don’t need to be on your network at all and one data breach could end up compromising thousands of files (as well as open up customers and employees to identity theft) unnecessarily. Ken Spinner, VP of field engineering at Varonis, told BetaNews just how damaging all of that unfettered access to sensitive information can be:

In data breaches and ransomware attacks, files are targeted because they are high value assets and usually vulnerable to misuse by insiders and outsiders that transgress the perimeter. While organizations focus on outer defenses and chasing threats, the data itself is left broadly accessible and unmonitored.

A previous Varonis study may help explain why organizations aren’t doing a better job limiting who has access to certain pieces of data. It found that 62 percent of organizations don’t know where their sensitive data resides, 60 percent do nothing to restrict access with at least a privileged model, and 64 percent don’t audit for abuse of customer data. David Gibson, vice president of strategy and market development for Varonis, told SC Magazine:

Organizations that take a more thoughtful approach are focusing on their data, and approaching its security more like they approach the security of their financial assets – putting them in secure places, granting access to only those who need it and monitoring all the ‘transactions’ to detect fraud or misuse.

If you want to keep your data from being compromised, you have to protect your data. That includes knowing where sensitive data is stored and knowing who has access to it.

Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom’s Guide. You can reach Sue via Twitter: @sueporemba