Until recently, many of us likely never gave a second thought to the security of our personal data online. Then, when news broke on a largescale social media data breach, millions of users were suddenly outraged and demanded that their information be better protected.
While these scandals have been covered extensively in the media, they actually highlighted a problem that isn’t exactly unique. Almost every organization that holds customers’ critical data is guilty of not doing enough to protect this information.
Most customers don’t know who has access to their sensitive material. The bigger issue, however, is that those in charge of protecting this data may not know who has access either.
Welcome to the Critical Data Show
We like to believe that when we turn our personally identifiable information (PII) over to a company, it is only accessed by those who absolutely must see it. But that’s simply not true: On average, nearly one-quarter of all internal work folders are available to everyone within an organization, according to a 2018 report from Varonis Systems. Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.
Organizations are overwhelmed with unsecured and overexposed data — a problem of its own. Compounding the matter, most don’t realize how much sensitive information is at risk of compromise simply because the wrong person has access to more files than is absolutely necessary. When your critical data is open to everyone in the organization, any data security strategy you have in place to protect it is practically null.
“It only takes one leaked sensitive file to cause a headline-making data breach,” wrote Brian Vecci, technical evangelist at Varonis, in a company statement.
What Do Cybercriminals Want? Critical Data
When they gain access to PII and other sensitive files — such as proprietary research or corporate financial records — cybercriminals can perform a number of sinister acts. They could sell the information on the darknet or use it themselves to directly steal from your bank account. They could also use your research to develop knock-offs of your products or conduct identity theft. Just like burglars who ransack homes or offices, cybercriminals want to find the easiest way inside.
“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files,” wrote John Carlin, former assistant attorney general for national security, in the Varonis statement.
When too many people have access to sensitive files, it opens up more opportunities for a mistake to be made that leads to a breach. It also means that people can see information they shouldn’t be reading and can share that data (perhaps unknowingly) beyond its intended scope.
The 2017 Verizon Data Breach Investigation Report found that 58 percent of its security incidents are the result of insiders, with 33 percent of the incidents resulting from errors — and almost 30 percent from misuse of data. Much of this happens because the wrong people can access sensitive information. Having access to critical medical files across a wide spectrum of employees is necessary. However, when that access isn’t kept in check, it is easy to abuse or open the network to more nefarious actions.
Frightening Concerns: ‘Ghost’ Users and Stale Data
Organizations often continue to hold on to stale data or information that is no longer necessary for business operations. This information is likely no longer monitored. Not only is the company paying to store unneeded data, but it is also opening up this information to insider threats. A nosy or malicious insider could access old records or gather details about former clients or employees without anyone noticing.
Ghost users are also a problem: The Varonis report found that 46 percent of organizations had more than 1,000 users with passwords that never expire. Also, 34 percent of user accounts are enabled on average — but “ghost” users still have access to files and folders. In other words: An employee who has transferred to a new department or left the company still has network access. Again, the doors are left open for someone without permission to read critical data.
With the General Data Protection Regulation (GDPR) going into effect on May 25, organizations that do business with data subjects of the European Union (EU) will have no choice but to address the matter of who has access to critical data. And even if your company isn’t doing business with the EU, your customers want to know their privacy is being protected.
Do you know who can see the sensitive files on your network? If you can’t answer that, chances are PII and other critical materials are being seen by not only insiders but cybercriminals who are grateful for the easy access.