The average employee has access to around 10.8 million files, rising to around 20 million in larger organizations.
According to new research by Varonis, 64% of financial services organizations have more than 1000 sensitive files open to every employee. “Securely transitioning to remote work and locking down exposed data to mitigate the risk of remote logins were two of the highest security priorities for IT teams in financial services,” Varonis said.
“Mobilizing without proper security controls exponentially increases the risk posed by insiders, malware and ransomware attacks, and opens companies up to possible non-compliance with regulations such as SOX, GDPR and PCI.”
Inside financial services, the average number of folders open to every employee is 1.3 million in large organizations, dropping to 778,045 in medium-sized organizations and 101,717 in small firms.
Brandon Hoffman, CISO at Netenrich, said restricting access to sensitive data is a foundational security step, but unfortunately, many organizations don’t do it.
He said: “They don’t because there are a few steps you need to take to ensure it is actually restricted. These steps can be daunting but they are critical to success in cyber. First, you need to classify all the data in the business and determine prioritization relative to risk. You then need to ensure that the identity of users is organized and limited. The third, and most crucial step, is to put controls in place that limit access to and manipulation of high priority data by specific users. This does not only solve the challenge of users stealing or mishandling data, but will drive efficiency and security in several other areas.
“It does not come as a surprise then to find out that this is not being done as we continue to see the leakage/breach of personal data year-over-year.”
Heather Paunet, senior vice-president at Untangle, told Infosecurity she found it surprising that so many employees, especially at workplaces handling sensitive content such as financial institutions, continue to have access to millions of files.
“To streamline network access, safeguard files and address vulnerable access points within the network, businesses and IT leaders should establish a set of criteria during any employee onboarding process in relation to their network access,” she said.
“Defining which positions have access to specific information creates layers of access that are not easily broken. For example, a marketing team member should not have the same access to employee information as an HR manager, and neither should have the same access as a member of the finance team dealing with sensitive business information.”
She recommended routinely auditing this access, especially in times of high turnover or during a large-scale transition to working from home, to allow IT teams to address any unauthorized access points or redefine access policies as needed.
“If employees should need additional access to systems or data, formal requests can be made, creating a procedure for opening access to specific employees for an approved amount of time,” Paunet said.
“Hopefully, businesses now understand that it takes a single access point to wreak havoc on an entire network, and minimizing these access points is one of the best ways to complement any network security solution in place.”
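The practical form of the advice above is an access review: take the folder ACLs from a file server, flag anything granted to a principal that amounts to "every employee", rank the findings by the folder's data classification (Hoffman's first and third steps), and check that time-boxed grants made through a formal request process (Paunet's point) have actually been removed once they lapsed. The script below is an added example and is not code from Varonis, Netenrich, Untangle or the article; the ACL export, the classification labels, the grant ledger, the `CORP` domain, the `BROAD_PRINCIPALS` set and the simplified `R`/`RW` rights are all constructed for illustration. A real run would feed it the output of `icacls` or `Get-Acl` and the organization's own classification data.

```python
"""Access-review helper: find folders open to every employee and
time-boxed grants that were never revoked.

Added example with constructed data; not output from any real file server.
"""
from dataclasses import dataclass
from datetime import date

# Windows-domain principals that, in effect, mean "every employee".
# Assumption: extend this with any org-wide groups the directory has
# (for example an "All-Staff" distribution group used as a security group).
BROAD_PRINCIPALS = {
    "Everyone",
    "NT AUTHORITY\\Authenticated Users",
    "BUILTIN\\Users",
    "CORP\\Domain Users",
}

# Ordering used to prioritise findings (higher value = more sensitive).
SENSITIVITY = {"public": 0, "internal": 1, "confidential": 2, "restricted": 3}


@dataclass(frozen=True)
class Ace:
    """One access-control entry, simplified from an NTFS/SMB ACL export."""
    path: str
    principal: str
    rights: str      # "R" (read) or "RW" (read+write); real exports are richer
    inherited: bool  # inherited ACEs still grant access, so they are reviewed too


@dataclass(frozen=True)
class Grant:
    """A time-boxed access approval recorded when a formal request was granted."""
    principal: str
    path: str
    expires: date


# Constructed sample ACL export (not data from the Varonis report).
SAMPLE_ACL = [
    Ace(r"\\fs01\finance\quarterly-close", "CORP\\Finance-Analysts", "RW", False),
    Ace(r"\\fs01\finance\quarterly-close", "NT AUTHORITY\\Authenticated Users", "R", True),
    Ace(r"\\fs01\hr\payroll", "CORP\\HR-Managers", "RW", False),
    Ace(r"\\fs01\hr\payroll", "CORP\\Domain Users", "RW", False),
    Ace(r"\\fs01\hr\payroll", "CORP\\jdoe", "R", False),
    Ace(r"\\fs01\marketing\campaigns", "Everyone", "R", False),
    Ace(r"\\fs01\it\scripts", "CORP\\IT-Ops", "RW", False),
]

# Constructed classification labels, i.e. the output of a classification pass.
CLASSIFICATION = {
    r"\\fs01\finance\quarterly-close": "restricted",
    r"\\fs01\hr\payroll": "restricted",
    r"\\fs01\marketing\campaigns": "internal",
    r"\\fs01\it\scripts": "internal",
}

# Constructed grant ledger: jdoe's temporary read access to payroll has lapsed.
GRANT_LEDGER = [
    Grant("CORP\\jdoe", r"\\fs01\hr\payroll", date(2020, 6, 30)),
]


def open_to_all(acl, classification):
    """Return (path, principal, rights, label) for every ACE that exposes a
    folder to a broad principal, most urgent first: restricted data before
    internal, write before read. A path with no classification label is
    treated as restricted so that a missing label surfaces rather than
    hides exposure."""
    findings = []
    for ace in acl:
        if ace.principal not in BROAD_PRINCIPALS:
            continue
        label = classification.get(ace.path, "restricted")
        findings.append((ace.path, ace.principal, ace.rights, label))
    findings.sort(key=lambda f: (SENSITIVITY[f[3]], "W" in f[2]), reverse=True)
    return findings


def expired_grants(acl, ledger, today_iso):
    """Return ledger entries whose expiry date (before today_iso, an ISO date
    string) has passed while the matching ACE is still present. Each one is
    an access point that should have been closed when the approved window
    ended, and is the kind of leftover a routine audit exists to catch."""
    today = date.fromisoformat(today_iso)
    live = {(ace.principal, ace.path) for ace in acl}
    return [g for g in ledger
            if g.expires < today and (g.principal, g.path) in live]


if __name__ == "__main__":
    print("Folders open to every employee, most urgent first:")
    for path, principal, rights, label in open_to_all(SAMPLE_ACL, CLASSIFICATION):
        print(f"  [{label}] {path}  {principal}  {rights}")
    print("Expired grants still in effect:")
    for g in expired_grants(SAMPLE_ACL, GRANT_LEDGER, "2020-09-01"):
        print(f"  {g.principal} on {g.path} expired {g.expires}")
```

Two design points are worth noting. Inherited ACEs are deliberately not skipped: an `Authenticated Users` read entry inherited from a share root is exactly how a restricted folder ends up open to everyone, so the finding is reported whether or not the entry was set on the folder itself. And the ranking puts a writable restricted folder ahead of a readable one, which matches the concern about manipulation as well as theft of high-priority data.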