A year on, EU’s GDPR hasn’t changed data governance practices much, studies find
With the first anniversary of Europe’s General Data Protection Regulation coming late next month, a pair of new studies find that the law’s onerous penalties for failure to protect personal information haven’t produced much change in corporate data governance.
An annual audit published by data protection vendor Varonis Systems Inc. discovered that the average large company leaves about 17% of its sensitive files open for every employee to access. More than half of the companies that were audited had more than 1,000 sensitive files in the open and about the same percentage left more than 100,000 folders with effectively no access controls.
Separately, a survey of 1,365 business and information technology managers in seven countries by Splunk Inc. found that respondents estimate, on average, that 55% of their data is “dark,” or unknown, despite the fact that 81% rate data as important to their organization’s success.
The Varonis report is based upon a sampling of 785 organizations the company audited as part of its business. Varonis uses automated processes to scan file and folder permissions as well as to identify keywords that might classify a document as sensitive.
The ghost of Active Directory
The analysis covered 54 billion files. In addition to establishing that access controls are weak in most organizations, the research also found that about 40% of companies have more than 1,000 active accounts in their access directories belonging to people who no longer work there and that 53% of an average company’s data is “stale,” meaning it’s out of date and should no longer be kept. Abandoned or “ghost” accounts are considered to be a prime cybersecurity vulnerability and stale data is a potential regulatory problem.
A comparison of the latest report to a similar study the company conducted last year revealed that access controls are actually getting worse. Varonis found that 22% of the folders it examined were exposed to everyone, up from 21% last year, and that the average company’s percentage of folders containing sensitive but easily accessible data jumped sharply to 53% from 41% in 2018.
“The average company has hundreds of millions of files and folders but not the tools and people they need to get their hands around the data,” said Brian Vecci, field chief technology officer at Varonis. He said one company was found to have 335,000 folders with global permissions but only a single person in charge of policing access. “It takes between two days and a week to fix a problem or a single folder,” he said. “You can’t put individual controls over half a million files.”
Tracking and regulating data is nearly impossible in most organizations, Vecci said. For example, personal data initially captured on a webform may then be copied into a spreadsheet that’s then emailed to multiple recipients, creating duplicate records that are impossible to audit. That’s how European corporations end up with, on average, 19 copies of each EU citizen’s personal information, according to the audit.
The ‘data-driven’ myth
The Splunk research didn’t attempt to verify the percentage of dark data held by responding companies but was intended to dramatize the paradox between the increasing drive by many organizations to be data-driven and their inability to get a handle on the data they own. The study found that 56% of respondents say “data-driven” is merely a slogan at their organizations while 44% give their companies mediocre scores on their ability to use data.
The percentage of dark data “is much larger than I would have thought,” said Splunk Chief Technology Officer Tim Tully. “There’s a lot of value that’s not being uncovered.”
The Splunk study demonstrates that business professionals have clearly gotten the message about the importance of data to the future of their companies and themselves. A nearly unanimous 98% said they believe data skills will be important to the jobs of tomorrow and 84% think that being a decision-maker in their organization requires strong data skills. While 92% said they’re willing to learn new data skills, a depressing 53% said they think they’re too old to do so.
The Splunk research also turned up some interesting geographic variables, particularly related to China. Just 15% of Chinese respondents said 75% or more of their organization’s data is dark, compared with 33% of all respondents and 36% in the United States. More than three-quarters of Chinese respondents rated themselves as having at least a very good understanding of artificial intelligence, nearly double the 42% of Americans who classified themselves that way.
Chinese respondents were also much more inclined to say that the threat of AI has been overstated and less likely to say that “data-driven” is just a slogan of their organization. China has set a goal for the country to become the world leader in AI by 2030.