Employee Access to Sensitive Files Puts Critical Data at Risk

The Ponemon survey suggested IT practitioners and users agree that the compromise of employee accounts can lead to external data breaches.


Despite a growing number of data breaches occurring under the glare of the public spotlight, 71 percent of employees report that they have access to data they should not see, and more than half (54 percent) say this access is frequent or very frequent, according to a survey commissioned by Varonis Systems and conducted by the Ponemon Institute.

Respondents included 1,166 IT practitioners and 1,110 users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries including financial services, public sector, health and pharmaceutical, retail, industrial, and technology and software. Findings show 80 percent say their organizations don't enforce a strict least-privilege (or need-to-know) data model.

The findings also indicate IT practitioners and users agree that compromises of employee accounts that can lead to external data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks that they present.

"One of the most difficult challenges organizations face is achieving a balance between productivity and security. The rise of cloud-based file sync and share services like Dropbox helped productivity but made the security part of the equation even more difficult," David Gibson, vice president of marketing at Varonis, told eWEEK. "The risks associated with having sensitive files living in places the company doesn’t track or regulate, essentially leaving data protection to employees whose main goals are productivity and flexibility, are inherently dangerous."

Half of users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data.

Only 47 percent of IT professionals say users in their organizations are taking appropriate steps to protect company data accessed by them, and 76 percent of users believe there are times when it is acceptable to transfer work documents to their personal devices, while only 13 percent of IT practitioners agree.

In addition, 49 percent of IT practitioners say it is not likely or there is no chance that when documents, files or emails are lost or change unexpectedly, the organization will be able to assess what happened to them. Companies also need to be more open about their vulnerability.

"Our study shows 67 percent of IT people say their organization had a data breach in the last two years, but only 44 percent of end users are aware of that," Gibson noted. "Employees need to learn the rules of the road in order to conduct business safely in the digital age."

The survey also found 43 percent of users say it takes weeks, months or longer to be granted access to data they request in order to do their jobs, and only 22 percent report that access is typically granted within minutes or hours.

Meanwhile, 73 percent of users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.

"Manual methods for protecting data are already insufficient, and this will only become more apparent as the data grows," Gibson said. "Automating manual data management and protection tasks, on the other hand, will not only reduce risk very quickly, but can also reduce costs and improve employee productivity at the same time."