2019 Varonis Global Data Risk Report

53% of companies found over 1,000 sensitive files open to every employee.

The report shines a light on security issues that put organizations at risk from data breaches, insider threats and crippling malware attacks.

Data Gets Personal

Your files called.
They want their privacy back.

Every year, Varonis performs thousands of Data Risk Assessments for organizations that want to understand where sensitive and classified data reside in their growing hybrid environments, learn how much of it is overexposed and vulnerable, and receive recommendations to reduce their risk profile.

In our 2019 report, we analyzed 785 Data Risk Assessments and over 54 billion files – a nearly tenfold increase over the 6.2 billion files analyzed in our 2018 report.



How much data are we talking here?

785 Organizations

54 Billion files

4.3 Billion folders

54.58 Petabytes of data

1.46 Million files per TB

30+ Industries

Including financial services; healthcare, pharma and biotech; manufacturing; retail; energy and utilities; technology; government (local, state, and national) and defense; and education.

Risk & Exposure

Privacy by Design? Not so much

Overexposed data is a common security vulnerability. IT professionals estimate it takes about 6-8 hours per folder to locate and manually remove global access groups, identify users that need access, create and apply new groups, and subsequently populate them with the right users.

22% of all folders in a company were open to every employee (up from 21% last year)

53% of companies found over 1,000 sensitive files open to every employee

15% of companies found more than 1 million folders accessible to every employee

Stale Data

Right To Be Forgotten: What Was That Again?

Despite the May 2018 EU General Data Protection Regulation (GDPR) and upcoming California Consumer Privacy Act (CCPA), companies continue to amass sensitive data that’s no longer needed for business.

The vast majority of companies have stale sensitive files, and the problem is only getting worse.

87% of companies found over 1,000 stale sensitive files

71% of companies found over 5,000 stale sensitive files

53% of all data in a company is stale

72% of folders in a company contain stale data

Passwords & Users

Passwords: Check Expiration Date Before Consuming Data

Very few (if any) accounts should have passwords that never expire. Users with non-expiring passwords give attackers a large window to crack them using brute force.

Once breached, they provide indefinite access to data. Passwords that aren’t periodically changed are more likely to appear in breached password dumps.

When attackers find administrative accounts with non-expiring passwords, it’s their lucky day.

38% of users had passwords that never expire (up from 10% last year)

61% of companies have over 500 users with passwords that will never expire

50% of user accounts are stale or inactive

40% of companies have over 1,000 stale, but enabled, user accounts
