
How much GDPR risk is hiding in your data?

How much risk is hiding in the data in your enterprise?

Probably quite a bit.

It’s a strange way to ask the question, I know. So, let me explain. When it comes to securing data, the bulk of attention has been spent on protecting databases and applications, while the security of unstructured data goes largely unnoticed. While structured data resides in applications and databases, unstructured data is nearly everything else, and it can be lying around anywhere. It consists of word processing files and text, presentation files, log files, text messages and mobile data, multimedia files, chat and IM, and more.

While much of this unstructured data isn’t sensitive, much of it is. And it resides on local drives, network shares and attached storage, cloud services, mobile devices and notebooks.

Most of it is accessible to anyone who gains network or endpoint access. Recently, the security firm Varonis Systems took a look at unstructured data. They looked at data from a random sampling of 130 companies and included the results in its 2018 Varonis Global Data Risk Report. The study looked at 6.2 billion files in 459.2 folders for a total of 5.5 petabytes of data analyzed. What did they find?

They found, on average, 21 percent of a company’s folders were accessible to every employee and 41 percent of companies had at least 1,000 sensitive files open to all employees.

Clearly, companies aren’t keeping some of their most precious data secured. With GDPR quickly approaching, this could prove more troublesome than ever before for organizations that handle customer personally identifiable information.

Varonis also found: 

  • Oversubscribed and global access groups giving far too many employees access to sensitive data
  • Unmanaged stale and sensitive data regulated by SOX, HIPAA, PCI, GDPR and other standards
  • Inconsistent and broken permissions that open security loopholes for hackers
  • “Ghost” users that can log in to their accounts and access information despite being inactive
  • User passwords that never expire

It’s widely understood that once a cyber attacker gains a foothold on an endpoint or server, they’ll use it as a base from which to move deeper into the organization. Nothing helps the attacker more than having hundreds of documents and files to rifle through: those files teach them everything they need to act like an insider and social engineer their way further, and they turn up critical data along the way.

Other findings from the report include:

  • 58 percent of organizations have more than 100,000 folders open to all employees
  • 21 percent of folders were accessible to every employee
  • 41 percent of organizations had at least 1,000 sensitive files open to all employees
  • On average, 54 percent of an organization’s data was stale, which adds to storage costs and complicates data management
  • On average, 34 percent of user accounts were enabled but stale: “ghost” users who still have access to files and folders
  • 46 percent of organizations had more than 1,000 users with passwords that never expire
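The two identity findings above (enabled-but-stale “ghost” users and passwords that never expire) are straightforward to check from a directory export. The following is an added example, not code from the post or from Varonis; it assumes a constructed CSV export with the columns shown (a typical AD or IdM export can be reshaped into this form) and treats an enabled account with no logon in 90 days as a ghost user, a threshold chosen here for illustration.

```python
import csv
import io
from datetime import datetime, timedelta

# Constructed sample export (assumption: these column names; not from the report).
SAMPLE_EXPORT = """\
username,enabled,last_logon,password_never_expires,groups
alice,true,2018-03-01,false,Domain Users;Finance
bob,true,2016-01-15,true,Domain Users
carol,false,2015-06-30,true,Domain Users;HR
dave,true,,false,Domain Users
svc_backup,true,2018-02-28,true,Domain Users;Backup Operators
"""

# Illustrative threshold: no logon for this many days makes an enabled account a "ghost".
GHOST_DAYS = 90


def parse_export(text):
    """Parse the CSV export into dicts with typed fields."""
    accounts = []
    for row in csv.DictReader(io.StringIO(text)):
        last_logon = row["last_logon"].strip()
        accounts.append({
            "username": row["username"],
            "enabled": row["enabled"].strip().lower() == "true",
            # An empty last_logon means the account has never logged on.
            "last_logon": datetime.strptime(last_logon, "%Y-%m-%d") if last_logon else None,
            "password_never_expires": row["password_never_expires"].strip().lower() == "true",
            "groups": [g for g in row["groups"].split(";") if g],
        })
    return accounts


def ghost_users(accounts, as_of, ghost_days=GHOST_DAYS):
    """Enabled accounts that have not logged on within ghost_days (or ever)."""
    cutoff = as_of - timedelta(days=ghost_days)
    return sorted(
        a["username"] for a in accounts
        if a["enabled"] and (a["last_logon"] is None or a["last_logon"] < cutoff)
    )


def never_expiring(accounts):
    """Enabled accounts whose password is flagged as never expiring."""
    return sorted(a["username"] for a in accounts
                  if a["enabled"] and a["password_never_expires"])


def report(text, as_of):
    """Summarise the hygiene findings in the same terms the report uses."""
    accounts = parse_export(text)
    enabled = [a for a in accounts if a["enabled"]]
    ghosts = ghost_users(accounts, as_of)
    return {
        "enabled": len(enabled),
        "ghost": ghosts,
        "ghost_pct": round(100 * len(ghosts) / len(enabled)) if enabled else 0,
        "never_expiring": never_expiring(accounts),
    }


if __name__ == "__main__":
    # Fixed "today" so the constructed sample gives repeatable results.
    for key, value in report(SAMPLE_EXPORT, datetime(2018, 4, 1)).items():
        print(f"{key}: {value}")
```

Disabled accounts (carol) are excluded from both lists on purpose: the risk the report describes is accounts that are still enabled, so disabling a leaver's account is what moves it out of the ghost category. Service accounts (svc_backup) show up in the never-expiring list too; those deserve a documented exception and a monitored vault rather than being silently ignored.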

Because so much unstructured data is sensitive to the business, access to unstructured data should be controlled the way access to structured data is controlled. I know this is easier written about in a blog post than it is done, but enterprises would go a long way toward better securing themselves if they took steps to determine who owns their unstructured data and who can access it — and then found ways to protect and control access to that data. Once that assessment is complete, put in place a process for monitoring which users can access which data.
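A first pass at the assessment described above (who can reach the data, what is stale, what contains personal information) can be scripted against a file share. The following is an added example, not code from the post or from Varonis; it assumes a POSIX filesystem, where "open to every employee" is approximated by the world-readable mode bit (on Windows/NTFS the same question is answered by reading the ACL, which this example does not do), treats files untouched for a year as stale, and uses an email-address pattern as the stand-in for personal data. The sample share it audits is constructed in a temporary directory.

```python
import os
import re
import stat
import tempfile
import time
from collections import namedtuple

# Illustrative thresholds (assumptions for this example, not from the report).
STALE_DAYS = 365
PII_PATTERN = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

Finding = namedtuple("Finding", "path open_to_all stale has_pii")


def is_open_to_all(path):
    """True when the 'other' class can read the file (POSIX approximation of
    'open to every employee'; NTFS would need an ACL check instead)."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)


def is_stale(path, now, stale_days=STALE_DAYS):
    """True when the file has not been modified within stale_days."""
    return (now - os.stat(path).st_mtime) / 86400 > stale_days


def contains_pii(path, max_bytes=1 << 20):
    """Scan up to max_bytes of the file for the PII indicator pattern."""
    with open(path, "rb") as fh:
        return PII_PATTERN.search(fh.read(max_bytes)) is not None


def audit_tree(root, now=None):
    """Walk the share and record the three properties for every regular file."""
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.isfile(path):
                findings.append(Finding(path, is_open_to_all(path),
                                        is_stale(path, now), contains_pii(path)))
    return findings


def summarize(findings):
    """Roll the findings up into the figures the report talks about."""
    total = len(findings)
    return {
        "files": total,
        "open_to_all": sum(f.open_to_all for f in findings),
        # The finding that matters most: sensitive content anyone can read.
        "open_sensitive": sum(f.open_to_all and f.has_pii for f in findings),
        "stale_pct": round(100 * sum(f.stale for f in findings) / total) if total else 0,
    }


def build_sample_share():
    """Constructed sample share: a world-readable HR export containing emails,
    an owner-only finance file containing an email, and a stale open file
    with nothing sensitive in it."""
    root = tempfile.mkdtemp(prefix="share_audit_")
    hr = os.path.join(root, "hr_export.csv")
    with open(hr, "wb") as fh:
        fh.write(b"name,email\nAlice Example,alice@example.com\n")
    os.chmod(hr, 0o644)
    finance = os.path.join(root, "finance_contacts.txt")
    with open(finance, "wb") as fh:
        fh.write(b"vendor billing: billing@example.org\n")
    os.chmod(finance, 0o600)
    old = os.path.join(root, "old_notes.txt")
    with open(old, "wb") as fh:
        fh.write(b"meeting notes, nothing sensitive\n")
    os.chmod(old, 0o644)
    two_years_ago = time.time() - 2 * 365 * 86400
    os.utime(old, (two_years_ago, two_years_ago))
    return root


if __name__ == "__main__":
    share = build_sample_share()
    for finding in audit_tree(share):
        print(finding)
    print(summarize(audit_tree(share)))
```

The per-file findings are what feed the ownership question: a file that is both open to all and contains personal data needs an owner assigned before anyone can decide who should keep access, and the stale set is the cheapest place to start reducing exposure, since archiving or deleting data nobody touches removes both the GDPR risk and the storage cost the report mentions.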

While going through the review, also make sure there isn’t any data that should be controlled under GDPR out there. This wasn’t highlighted in the Varonis report, but I can assure you many organizations large and small will find themselves burned by unstructured data leaks involving personally identifiable information. 

*** This is a Security Bloggers Network syndicated blog from Business Insights In Virtualization and Cloud Security authored by George V. Hulme. Read the original post at: http://feedproxy.google.com/~r/BusinessInsightsInVirtualizationAndCloudSecurity/~3/iPhwuYtR2e4/gdpr-risk-data