More than half of all companies leave over 1,000 sensitive files accessible to every single company employee, causing serious data risk.
That’s just one takeaway from a major report published this week. The analysis is built around data risk assessments carried out by engineers at data security company Varonis for 700 companies across 30 industries.
Varonis’ customers on average analysed 70TB of data, the company noted, saying it found that 61 percent had over 500 users with passwords that will never expire, and 58 percent of companies found over 1,000 stale user accounts.
Data Risk: Ghost Users and Stale Passwords
“One year after the GDPR and nearly six months before the CCPA, companies continue to fall even farther behind,” said CTO Brian Vecci, whose company analysed 54 billion files for the report.
“The level of sensitive data exposure and oversubscribed access that most organizations are living with should set off alarm bells for corporate boards and shareholders.”
An average 22 percent of a company’s folders are accessible to every employee, according to the report.
Most organizations have applied permissions to more folders than they can realistically manage, Varonis noted: the average terabyte had almost 17,000 uniquely permissioned folders. To make matters more complicated, many of these permissions had “inconsistent” inheritance, or were malfunctioning: i.e. granting or restricting access incorrectly.
Reducing Data Risk: Pro Tip
In addition to permissions, you can apply additional “preventive controls,” like encryption, through digital rights management (DRM), Varonis notes.
“If you’ve got accurate classification, this is a great extra step to mitigate some of the risk of data loss. These kinds of controls are typically defined broadly. For example: ‘No file should leave our protected network if it contains personal information.’ When organisations want to apply more granular access control, they’re back to making decisions about sets of data. Tighter DRM policies often end up aligning with folder access controls, so it’s important to keep them up to date.”
Retail organisations had the lowest number of exposed, sensitive files and seemed to do the best job of protecting their data overall. Financial services firms found the most exposed, sensitive files overall.
Rot Starts At the Top?
Who’s at fault when files go awry? In a report published by McAfee today, IT professionals felt strongly that senior and C-level executives should lose their jobs if a data breach is serious enough, while a quarter thought that they should absolutely lose their jobs after any breach.
It was clear why this was the case: a full 61 percent said their executives expect more lenient security policies for themselves, and 65 percent of those respondents believe this leniency results in more incidents.
Meanwhile, McAfee’s respondents noted that security technology continues to operate in isolation, with 81 percent reporting separate policies or management consoles for cloud access security brokers (CASBs) and data loss prevention.