Open access? How to protect sensitive staff files

Open access? How to protect sensitive staff files

Where data is being collected and stored, there is always a risk of a cyber attack.

Despite their best efforts to keep intruders and thieves at bay, not all organizations realize that their biggest threat may come from within: their own employees.

A report by data security specialist Varonis found more than half of organizations (53%) across the world have over 1,000 sensitive files accessible to all staff. Sensitive files contain financial, health and personal information, from credit card to social security numbers.

Varonis performed 785 data risk assessments in more than 30 countries and 30 industries, and found the average company owned more than 534,000 sensitive files.

Because of the sheer amount of sensitive data in their hands, companies will want to implement specific permissions and restrictions on their files to prevent leakage or theft. Applying these access controls is no different from barring unauthorized personnel from entering a restricted area at work.

Too much data to manage?
“Overexposed data presents a major risk to organizations regardless of size, industry or location,” the report said. The problem, however, is just how much data will need to be monitored.

“Most organizations have applied permissions to more folders than they can realistically manage,” Varonis said. In the study, the average terabyte had almost 17,000 uniquely permissioned folders. “That means someone has granted permissions to that folder for a specific user or group.”

But such folders will need constant reviewing and updating to ensure only the appropriate class of employees (both individual and groups of users) have access to them, and that the permissions “stay current,” Varonis’ analysts recommend.

Hence, some organizations use a system that automates file classification to quickly determine how sensitive the contents of a folder are and to easily set access controls.

“If you’ve got accurate classification, this is a great extra step to mitigate some of the risk of data loss,” the analysts said. “These kinds of controls are typically defined broadly. For example: ‘No file should leave our protected network if it contains personal information.’”

Globally accessible files put companies at risk from insiders, malware and ransomware attacks. The analysts noted: “It takes just one click on a phishing email to set off a chain reaction that encrypts or destroys all accessible files.”