Companies face regulatory fines and cybersecurity threats, still fail to protect sensitive data

22% of a company’s folders are accessible, on average, to every employee, according to the new report from the Varonis Data Lab, which analyzed more than 54 billion files.

The report shines a light on security issues that put organizations at risk from data breaches, insider threats and crippling malware attacks.

Key findings from the 2019 Global Data Risk Report include:

Out-of-control permissions expose sensitive files and folders to every employee:

  • 53% of companies had at least 1,000 sensitive files open to all employees.
  • 22% of all folders were accessible, on average, to every employee.

User passwords that never expire give hackers ample time to brute-force logins:

  • 38% of users had passwords that never expire, up from 10% last year.
  • 61% of companies have over 500 users with passwords that will never expire.

Stale sensitive files raise the risk of fines under HIPAA, GDPR and the upcoming CCPA:

  • 87% of companies have over 1,000 stale sensitive files.
  • 71% of companies have over 5,000 stale sensitive files.

“Ghost” users give former employees and contractors unnecessary access to information:

  • 50% of user accounts were stale.
  • 40% of companies had over 1,000 enabled, but stale, users.

Industries and regions vary when it comes to protecting their most sensitive information:

  • Retail organizations had the lowest number of exposed, sensitive files and seemed to do the best job of protecting their data overall. Financial services firms found the most exposed, sensitive files overall. Healthcare, pharmaceutical and biotech firms found the most exposed, sensitive files in each terabyte that they analyzed (4,691).
  • APAC organizations found that less than 1% of their files were sensitive, but 26% of them were exposed. EMEA organizations found sensitive data in 3% of their files, but only 15% of them were exposed. In EMEA, each terabyte averaged 4,724 exposed, sensitive files.

“One year after the GDPR and nearly six months before the CCPA, companies continue to fall even farther behind and need to secure their data,” said Varonis Field CTO Brian Vecci.

“Today, most CISOs assume that it’s just a matter of time before their security perimeter will be breached, which underscores the importance of data protection. The level of sensitive data exposure and oversubscribed access that most organizations are living with should set off alarm bells for corporate boards and shareholders.”