UPDATED 09:00 EDT / APRIL 25 2017

Study finds 20 percent of sensitive files are open for any employee to see

An audit of 80 organizations by data protection vendor Varonis Systems Inc. found that 20 percent of their sensitive files were sitting out in the open for any employee to access.

Varonis says the results underscore the difficulties many organizations encounter in applying file- and folder-level protection on Windows servers, in particular. An analysis of a sample of 236.5 million folders containing 2.8 billion files found that:

  • More than 48 million folders – or 20 percent – were accessible to “global access groups,” which is basically everybody in the organization. One bank was found to have 80 percent of its more than 245,000 sensitive files accessible to every employee.
  • Forty-seven percent of the companies that were audited had at least 1,000 sensitive files available globally; 22 percent had 12,000 or more sensitive files exposed.
  • About 10 percent of folders had unique permissions, which are basically one-off authorizations granted for special cases. These make it difficult for a company to enforce security at a group level using a “least privilege” model, which gives people the lowest level of user rights that they can have and still do their jobs.

“Frankly, many companies don’t have any idea where they stand when it comes to availability,” said Ken Spinner, vice president of field engineering at Varonis. One real estate firm was found to have 80 percent of its more than 800,000 folders accessible to every employee and 71 percent of folders containing sensitive information were similarly exposed.

The findings are particularly compelling in light of growing awareness of the security threats posed by disgruntled or opportunistic employees and the potential damage of inadvertent exposure as dramatized by the 2014 Sony Pictures breach. A Ponemon Institute LLC study published last year found that nearly two-thirds of 874 incidents studied were caused by employee or contractor negligence.

For the purposes of the report, Varonis defined sensitive data as anything related to regulation, intellectual property, competitive information and privileged employee information. Varonis uses a multitiered application to scan files for keywords that denote sensitive information.

Companies are often stunned when they discover how weak their protections on internal data are, Spinner said. “I think most people don’t even realize that this situation exists,” he said.

Employees know

Apparently a lot of employees do, however. A Ponemon research report commissioned by Varonis found that 62 percent of end users say they have access to company data they probably shouldn’t see. A Forrester Research report, also commissioned by Varonis, said more than 60 percent of data security professionals say their organization doesn’t properly restrict access to employee data with a least privileged model and 66 percent say their companies fail to properly classify unstructured data, which is the data most likely to contain intellectual property and strategic plans.

The problem isn’t confined to a particular geography or industry. The audit covered 12 countries, 33 industries and both small and large organizations.

The report also looked at stale data, meaning data that hasn’t been touched in the past six months. Varonis said 71 percent of all folders it examined contained stale data, and that over half of the nearly 4 petabytes of data that were analyzed could be classified as stale. Old data can be a problem in regulated industries, which strictly dictate retention, and can create legal vulnerability in discovery proceedings.

File systems are often little understood, even by the administrators who oversee them, Varonis said. For example, as files and folders are moved around, protected folders deep in the file system “may contain users and permissions that are not visible at the higher levels, leading an administrator to mistakenly assume that permissions to a folder are configured correctly,” the report says. Other problems occur when people leave the company without having their Active Directory permissions revoked, passwords are assigned with no expiration conditions and duplicate or empty permission groups are created.

The best practice for protecting internal information is to use access groups and make no exceptions, Spinner said.
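The three conditions the article describes (folders open to a global access group, one-off explicit permissions that are invisible from higher up the tree, and folders nobody has written to in six months) can all be read straight from NTFS ACLs and file timestamps. The script below is an added example written for this page; it is not Varonis’ tooling and is not taken from the report. It assumes a share root of `D:\Shares`, a domain name shown as the placeholder `DOMAIN`, and that the account running it can read ACLs under that root.

```powershell
# Added example, not from the Varonis report. Audits every folder under $Root for:
#   1. Allow ACEs granted to a "global access group" (open to every employee)
#   2. Explicit, non-inherited ACEs (the "unique permissions" that break group-based least privilege)
#   3. Stale folders: no file written in the last $StaleDays days (the report's six-month definition)
param(
    [string]$Root = 'D:\Shares',   # assumed share root
    [int]$StaleDays = 180,         # six months, as in the report
    [string[]]$GlobalGroups = @(   # identities treated as "everybody"; DOMAIN is a placeholder
        'Everyone',
        'BUILTIN\Users',
        'NT AUTHORITY\Authenticated Users',
        'DOMAIN\Domain Users'
    )
)

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$results = foreach ($dir in Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -Path $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }   # access denied or broken path: skip rather than abort the audit

    # Allow entries whose trustee is one of the global groups (-contains is case-insensitive)
    $openAces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and $GlobalGroups -contains $_.IdentityReference.Value
    }

    # Entries set directly on this folder; an admin looking at the parent never sees these
    $explicitAces = $acl.Access | Where-Object { -not $_.IsInherited }

    # Most recently written file directly in this folder decides whether the folder is stale
    $newest = Get-ChildItem -Path $dir.FullName -File -ErrorAction SilentlyContinue |
        Sort-Object LastWriteTime -Descending | Select-Object -First 1
    $isStale = ($null -ne $newest) -and ($newest.LastWriteTime -lt $cutoff)

    [pscustomobject]@{
        Folder       = $dir.FullName
        GlobalAccess = [bool]$openAces
        OpenTo       = (@($openAces.IdentityReference.Value) | Sort-Object -Unique) -join ';'
        ExplicitACEs = @($explicitAces).Count
        Stale        = $isStale
    }
}

# Summary in the same terms the report uses, plus a CSV of the open folders for remediation
$total     = @($results).Count
$openCount = @($results | Where-Object GlobalAccess).Count
$uniqCount = @($results | Where-Object { $_.ExplicitACEs -gt 0 }).Count
$staleCnt  = @($results | Where-Object Stale).Count
$divisor   = [Math]::Max($total, 1)
'{0} of {1} folders ({2:P0}) are open to a global access group' -f $openCount, $total, ($openCount / $divisor)
'{0} of {1} folders ({2:P0}) carry explicit (unique) permissions'  -f $uniqCount, $total, ($uniqCount / $divisor)
'{0} of {1} folders ({2:P0}) are stale (no write in {3} days)'    -f $staleCnt,  $total, ($staleCnt / $divisor), $StaleDays
$results | Where-Object GlobalAccess | Export-Csv -Path .\open-folders.csv -NoTypeInformation
```

Matching the trustee name only catches a global group that appears in the ACL directly. A custom group whose members happen to include Domain Users, or one of the duplicate or empty groups the report mentions, looks like a narrowly scoped entry here; resolving that requires expanding group membership in Active Directory (for example with Get-ADGroupMember -Recursive) and is deliberately left out of this example.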
