Matt Lock, Director of Sales Engineers at Varonis, explores why organisations are still struggling to lock down access to sensitive files, as well as what they can do to mitigate the risks of unmanaged and oversubscribed data access.
Imagine you worked in an office that created a huge amount of sensitive data exclusively in hard copy and the only way to store it was in filing cabinets. After years in business, nobody has seen fit to clear out old files: there are now filing cabinets all over the place bursting at the seams storing information. To help save space a large number of these files are kept at a separate storage unit on the other side of town.
With employee turnover, no one can remember what files from more than a few years ago are being stored, or where they are kept. As staff have left and others have joined, keys to the filing cabinets have been misplaced. Filing cabinets are left unlocked for easy access. Staff share keys with their colleagues. Nobody has a clear idea of who can access what, or even whether those who hold keys to the filing cabinets are still current employees.
Sounds like a nightmare doesn’t it? Yet thousands of businesses are doing the equivalent of this with their digital information. Just because you can’t physically see the chaos being caused doesn’t make it any less real or less of a threat to the security of your organisation and your data.
Businesses are creating, receiving, processing and storing more information than ever before. Often the simplest and most cost-effective way of storing this information is by purchasing remote storage in the cloud. This is undeniably the most convenient way to keep files; capacity can be increased or reduced as demand dictates, and it is easy to provide access to workers based in any location.
However, increasing storage capacity is a double-edged sword for businesses, in that it is easy to keep adding files without having to clear any out. Research by Varonis found that more than half (53 percent) of all data in a company is stale, and nearly nine out of 10 (87 percent) of companies had more than 1,000 stale files – seven out of 10 (71 percent) had more than 5,000.
Why removing stale files matters
There are various reasons why a business needs to know what information it holds. First, it is only possible to keep something safe if you know you have it. There is little chance of being able to secure files on a corporate network if nobody who currently works at the company knows they exist.
Second, under GDPR, any business that holds personal data must be able to give an individual access to their information and remove it if necessary. The implication, of course, is that an organisation needs to know that it holds this data in the first place and where it is kept.
Knowing where all the files on a system are and what they contain saves time by enabling more effective business processes, and removing stale files can save money on storage costs.
Having full visibility of what is on your corporate network means you have greater ability to control who has access to what. Restricting who can view certain folders and files is good working practice that helps to maintain privacy and limit the damage done by threat actors who may have stolen an employee’s login credentials.
Despite the fact that we are now a year on from the introduction of the GDPR, there are still organisations that have not put in place procedures for limiting access to sensitive information. The Varonis study found that 53 percent of companies had 1,000 or more sensitive files accessible to every employee. Around one in seven organisations (15 percent) have more than one million folders open to every employee.
Employees should only have access to the files they need to do their jobs – a least-privilege approach.
Even businesses that do restrict access to certain files are failing to protect them properly if their users' passwords never expire and are not changed at regular intervals.
We found that 38 percent of users had passwords that never expire. This provides a threat actor with a longer timeframe to crack passwords using brute force or to acquire credentials after a breach. When passwords never change, stolen credentials will provide almost indefinite access to hackers.
What can be done?
Businesses must take back control of their files. Conduct a complete analysis of all data to find out what it is and where it is. To be of use, this analysis must be able to highlight stale folders and files and who has access to every item. With this information, organisations can start eliminating or archiving those folders and files that are no longer in use and create appropriate permissions for users.
Finally, such an analysis needs to happen on a regular basis to make it current and relevant.