
Over 50% of Firms Have 1,000+ Exposed Files, Ghost Users, Stale Passwords

The financial services sector was the worst culprit; retail performed better

By CBR Staff Writer

More than half of all companies leave over 1,000 sensitive files accessible to every single company employee, causing serious data risk.

That’s just one takeaway from a major report published this week. The analysis is built on data risk assessments carried out by engineers at data security company Varonis for 700 companies across 30 industries.

Varonis’ customers on average analysed 70 TB of data each, the company noted. It found that 61 percent had over 500 users with passwords that will never expire, and 58 percent had over 1,000 stale user accounts.

Data Risk: Ghost Users and Stale Passwords

“One year after the GDPR and nearly six months before the CCPA, companies continue to fall even farther behind,” said CTO Brian Vecci, whose company analysed 54 billion files for the report.

“The level of sensitive data exposure and oversubscribed access that most organizations are living with should set off alarm bells for corporate boards and shareholders.”

An average 22 percent of a company’s folders are accessible to every employee, according to the report.

Most organizations have applied permissions to more folders than they can realistically manage, Varonis noted: the average terabyte had almost 17,000 uniquely permissioned folders. To make matters more complicated, many of these permissions had “inconsistent” inheritance, or were malfunctioning: i.e. granting or restricting access incorrectly.
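The three findings above (passwords that never expire, stale “ghost” accounts, and folders readable by every employee) can be checked against an ordinary account and folder inventory. The following is an added Python example written for this article, not code from Varonis or the report; it runs over a constructed sample export and assumes a 90-day staleness threshold and a fixed “as of” date.

```python
from datetime import date, timedelta

# Constructed sample data (not figures from the report): what an AD user
# export and an NTFS ACL export would typically provide.
STALE_AFTER_DAYS = 90                 # assumed threshold for a "ghost" user
TODAY = date(2019, 6, 1)              # fixed "as of" date for a deterministic run

USERS = [
    {"name": "alice",      "password_never_expires": False, "last_logon": date(2019, 5, 30), "enabled": True},
    {"name": "svc-backup", "password_never_expires": True,  "last_logon": date(2019, 5, 31), "enabled": True},
    {"name": "bob",        "password_never_expires": False, "last_logon": date(2018, 11, 2), "enabled": True},
    {"name": "carol",      "password_never_expires": True,  "last_logon": None,              "enabled": True},
    {"name": "dave",       "password_never_expires": False, "last_logon": date(2017, 1, 9),  "enabled": False},
]

# Folder entries: (UNC path, set of trustees granted read access)
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}
FOLDERS = [
    ("\\\\fs01\\finance\\payroll",  {"Finance-Staff"}),
    ("\\\\fs01\\shared\\templates", {"Domain Users"}),
    ("\\\\fs01\\hr\\reviews",       {"HR-Staff", "Everyone"}),
    ("\\\\fs01\\legal",             {"Legal-Staff"}),
]


def never_expiring(users):
    """Enabled accounts whose password is flagged never to expire."""
    return sorted(u["name"] for u in users if u["enabled"] and u["password_never_expires"])


def stale(users, today=TODAY, days=STALE_AFTER_DAYS):
    """Enabled accounts with no logon inside the window; an account that has
    never logged on at all is treated as stale too. Disabled accounts are skipped."""
    cutoff = today - timedelta(days=days)
    return sorted(u["name"] for u in users
                  if u["enabled"] and (u["last_logon"] is None or u["last_logon"] < cutoff))


def open_to_everyone(folders, broad=BROAD_GROUPS):
    """Folders where at least one trustee is a group that covers every employee."""
    return sorted(path for path, trustees in folders if trustees & broad)


def open_share(folders):
    """Fraction of folders readable by every employee (the report's 22% average)."""
    return len(open_to_everyone(folders)) / len(folders) if folders else 0.0
```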


Reducing Data Risk: Pro Tip

In addition to permissions, you can apply additional “preventive controls,” like encryption, through digital rights management (DRM), Varonis notes.

“If you’ve got accurate classification, this is a great extra step to mitigate some of the risk of data loss. These kinds of controls are typically defined broadly. For example: ‘No file should leave our protected network if it contains personal information.’ When organisations want to apply more granular access control, they’re back to making decisions about sets of data. Tighter DRM policies often end up aligning with folder access controls, so it’s important to keep them up to date.”

Retail organisations had the lowest number of exposed, sensitive files and seemed to do the best job of protecting their data overall. Financial services firms found the most exposed, sensitive files overall.

Rot Starts At the Top?

Who’s at fault when files go awry? In a report published by McAfee today, IT professionals felt strongly that senior and C-level executives should lose their jobs if a data breach is serious enough, while a quarter think that they should absolutely lose their jobs after any breach.

It was clear why this was the case: a full 61 percent said their executives expect more lenient security policies for themselves, and 65 percent of those respondents believe this leniency results in more incidents.

Security technology, McAfee’s respondents noted, meanwhile continues to operate in isolation, with 81 percent reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention (DLP).
