Light Dark
May 22, 2018 By Sue Poremba 3 min read
Data Protection
Identity & Access

Until recently, many of us likely never gave a second thought to the security of our personal data online. Then, when news broke on a largescale social media data breach, millions of users were suddenly outraged and demanded that their information be better protected.

While these scandals have been covered extensively in the media, they actually highlighted a problem that isn’t exactly unique. Almost every organization that holds customers’ critical data is guilty of not doing enough to protect this information.

Most customers don’t know who has access to their sensitive material. The bigger issue, however, is that those in charge of protecting this data may not know who has access either.

Welcome to the Critical Data Show

We like to believe that when we turn our personally identifiable information (PII) over to a company, it is only accessed by those who absolutely must see it. But that’s simply not true: On average, nearly one-quarter of all internal work folders are available to everyone within an organization, according to a 2018 report from Varonis Systems. Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.

Organizations are overwhelmed with unsecured and overexposed data — a problem of its own. Compounding the matter, most don’t realize how much sensitive information is at risk of compromise simply because the wrong person has access to more files than is absolutely necessary. When your critical data is open to everyone in the organization, any data security strategy you have in place to protect it is practically null.

“It only takes one leaked sensitive file to cause a headline-making data breach,” wrote Brian Vecci, technical evangelist at Varonis, in a company statement.

What Do Cybercriminals Want? Critical Data

When they gain access to PII and other sensitive files — such as proprietary research or corporate financial records — cybercriminals can perform a number of sinister acts. They could sell the information on the darknet or use it themselves to directly steal from your bank account. They could also use your research to develop knock-offs of your products or conduct identity theft. Just like burglars who ransack homes or offices, cybercriminals want to find the easiest way inside.

“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files,” wrote John Carlin, former assistant attorney general for national security, in the Varonis statement.

When too many people have access to sensitive files, it opens up more opportunities for a mistake to be made that leads to a breach. It also means that people can see information they shouldn’t be reading and can share that data (perhaps unknowingly) beyond its intended scope.

The 2017 Verizon Data Breach Investigation Report found that 58 percent of its security incidents are the result of insiders, with 33 percent of the incidents resulting from errors — and almost 30 percent from misuse of data. Much of this happens because the wrong people can access sensitive information. Having access to critical medical files across a wide spectrum of employees is necessary. However, when that access isn’t kept in check, it is easy to abuse or open the network to more nefarious actions.

Frightening Concerns: ‘Ghost’ Users and Stale Data

Organizations often continue to hold on to stale data or information that is no longer necessary for business operations. This information is likely no longer monitored. Not only is the company paying to store unneeded data, but it is also opening up this information to insider threats. A nosy or malicious insider could access old records or gather details about former clients or employees without anyone noticing.

Ghost users are also a problem: The Varonis report found that 46 percent of organizations had more than 1,000 users with passwords that never expire. Also, 34 percent of user accounts are enabled on average — but “ghost” users still have access to files and folders. In other words: An employee who has transferred to a new department or left the company still has network access. Again, the doors are left open for someone without permission to read critical data.

With the General Data Protection Regulation (GDPR) going into effect on May 25, organizations that do business with data subjects of the European Union (EU) will have no choice but to address the matter of who has access to critical data. And even if your company isn’t doing business with the EU, your customers want to know their privacy is being protected.

Do you know who can see the sensitive files on your network? If you can’t answer that, chances are PII and other critical materials are being seen by not only insiders but cybercriminals who are grateful for the easy access.

 |  | 
Sue Poremba

More from Data Protection
November 19, 2024

Communication platforms play a major role in data breach risks

4 min read - Every online activity or task brings at least some level of cybersecurity risk, but some have more risk than others. Kiteworks Sensitive Content Communications Report found that this is especially true when it comes to using communication tools.When it comes to cybersecurity, communicating means more than just talking to another person; it includes any activity where you are transferring data from one point online to another. Companies use a wide range of different types of tools to communicate, including email,…

November 8, 2024

SpyAgent malware targets crypto wallets by stealing screenshots

4 min read - A new Android malware strain known as SpyAgent is making the rounds — and stealing screenshots as it goes. Using optical character recognition (OCR) technology, the malware is after cryptocurrency recovery phrases often stored in screenshots on user devices.Here's how to dodge the bullet.Attackers shooting their (screen) shotAttacks start — as always — with phishing efforts. Users receive text messages prompting them to download seemingly legitimate apps. If they take the bait and install the app, the SpyAgent malware gets…

November 7, 2024

Exploring DORA: How to manage ICT incidents and minimize cyber threat risks

3 min read - As cybersecurity breaches continue to rise globally, institutions handling sensitive information are particularly vulnerable. In 2024, the average cost of a data breach in the financial sector reached $6.08 million, making it the second hardest hit after healthcare, according to IBM's 2024 Cost of a Data Breach report. This underscores the need for robust IT security regulations in critical sectors.More than just a defensive measure, compliance with security regulations helps organizations reduce risk, strengthen operational resilience and enhance customer trust.…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature