Each year, Varonis conducts thousands of data risk assessments for organizations that want a clearer picture of their security posture and develop a roadmap to reducing risk to sensitive data. The 2019 Data Risk Report analyzes a random sample of nearly 800 risk assessments, giving you an inside look at the state of data security.
These annual reports entail analyzing files, folders, and emails within their various data stores, identifying which data is vulnerable, and providing recommendations on how to improve data governance and eliminate vulnerabilities before they become liabilities. Read on to learn about our top findings or skip to our risk report infographic for an overview of the whole story:
Get the Free Pen Testing Active Directory Environments EBook
- 2019 Data Risk Report Overview
- What the Report Says About Your Company
- The Most At-Risk Industries
- 2019 Data Risk Report Takeaways
- Full Data Risk Report Infographic
2019 Data Risk Report Overview
The data risk report findings covered three main topics of data security: risk and exposure, stale data, and passwords and users. To come up with these findings, the Varonis data lab randomly selected 785 reports from the thousands that were conducted. Our analysts went through the data from Active Directory, data permissions structures and automated classification to analyze the sensitivity of the files’ contents.
This data was used to uncover actionable key findings that can be seen in the sections below. Before going through the findings, check out these key terms and how we classify them as they come up throughout the report.
- Sensitive files: contain credit card information, health records or personal information subject to regulations like GDPR, HIPAA and PCI.
- Global access, exposed files and folders: indicates files and folders open to everyone (all employees). This data represents the biggest risk.
- Stale data: information no longer needed for daily operations.
- Stale user accounts (AKA “ghost users”): enabled accounts that appear inactive and often belong to users who are no longer with the organization or company.
Scope of the Risk Report
Our analysts examined 54 billion files (which is nearly 10 times more files than last year’s report) from over 30 different countries. Some of the 30+ industries covered include healthcare, pharmaceuticals, biotech, retail, financial services, tech, manufacturing, energy and utilities, education, defense and government (local, state, and national).
See some more precise figures below:
- Total data: 54.58 petabytes
- Folders analyzed: 4,332,290,346
- Folders with global access: 953,616,561
- Files analyzed: 53,885,498,652
- Files with global access: 13,445,993,510
- Total number of user accounts: 12,754,608
- Average number of folders per TB: 128,782
- Average number of files per TB: 1,460,000
- Number of exposed, sensitive files per TB: 3,144
Data Risk Report Findings
Global access groups — such as Everyone, Domain Users or Authenticated Users— give insiders and outside attackers easy access to files inside. Globally accessible data also puts organizations at risk from insiders and outside attackers. It could just take one accidental click on a phishing email or other scam to set off a chain reaction that encrypts or destroys all accessible files.
- 17% of all sensitive files were accessible to all employees
- 15% of companies found 1,000,000+ files open to every employee
- On average, every employee had access to 17 million files
Some of the files we examined held data subject to regulations like the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS or PCI), Health Information Portability and Accountability Act (HIPAA) and the upcoming California Consumer Privacy Act (CCPA) and were in violation of data privacy law. Exposed data can cost companies money, reputation and trust.
Sensitive stale data holds important information about customers, projects, clients, employees or other business-sensitive content. A lot of this data is subject to regulations like the Sarbanes-Oxley Act (SOX), HIPAA, PCI and GDPR. Around half of the data being stored in company databases isn’t needed and should’ve been dumped.
Data kept beyond its necessary retention period can expose an organization to additional liability. Stale data can be expensive to store and manage, and it also poses an increased (and unnecessary) security risk. This valueless data can have huge costs if involved in a data breach or violation — despite the GDPR and upcoming CCPA, companies continue to accumulate this unneeded sensitive data. The large majority of companies have stale sensitive files, a problem that only builds on itself if left unattended.
Seldom (if ever) should accounts have passwords that never expire. User accounts with non-expiring and non-changing passwords give attackers a huge opportunity to break into them. Once breached, they provide indefinite access to data. When attackers find administrative accounts with non-expiring passwords, they can wreak havoc on an organization.
User accounts are usually stored in Active Directory. User and service accounts that are inactive and enabled (AKA “ghost users”) are perfect targets for attackers. Once a hacker is in an account they can explore the organization’s framework and “test the waters.” It’s also harder for security systems to detect this type of foul play since it’s through an organization-sanctioned account.
If these accounts are unmonitored, attackers can steal data or cause disruption without detection. Companies, overall, are doing a better job at reducing stale user accounts, but they’re far from perfect: Half of all user accounts are stale, and over a third of all companies we examined found more than 1,000 enabled but stale users. See some additional data points below:
- 38% of all users sampled have a password that never expires
- 11% of enabled users have expired passwords
- 58% of companies were found to have over 1,000 folders that had inconsistent permissions
- 27% of a company’s users had removal recommendations and were likely to have more access to data than they require
What Does the Data Risk Report Say About Your Company?
The 2019 Data Risk Report says there’s a lot of work to do. This report is a reflection of the average, meaning nearly every company has work to do to get their data security and storage practices up to par. The findings show that most companies are very susceptible to a breach and many are violating legislation and regulations that they could be fined for in an audit. Your company or a company you patronize likely has these four risks looming over their security:
- Over-exposed sensitive data
- Sensitive stale data
- Stale accounts
- Non-expiring passwords
Who’s Most At-Risk?
These industries are ranked from riskiest to least risky based on their average percentage of exposed files (total exposed files act as a tiebreaker where necessary). For all of the industry data risk stats, refer to the full report.
- Financial services: 21% of sensitive files were exposed
- Manufacturing: 21% of sensitive files were exposed
- Healthcare, Pharma & Biotech: 15% of sensitive files were exposed
- Energy & Utilities: 14% of sensitive files were exposed
- Retail: 14% of sensitive files were exposed
- Government & Military: 12% of sensitive files were exposed
Data Risk Report Takeaways
As daunting as this all sounds, there are concrete steps to increase security and take better control of your data. This likely won’t be a quick fix for most companies but it’s a worthy investment as hackers will only become better at what they do and government regulations on organizations’ data security will only become tighter.
Minimize Risk & Exposure
- Identify and fix global access groups that grant access to sensitive data
- Ensure only appropriate users retain access to sensitive, regulated data
- Routinely run a full audit of your servers, looking for any data containers (folders, mailboxes, SharePoint sites, etc.) with global access groups applied to their ACLs
- Replace global access groups with tightly managed security groups
- Start with the most sensitive data and test changes to ensure issues do not arise
- Apply additional “preventive controls”— like encryption— through digital rights management (DRM)
Eliminate Stale Data
- Minimize the sensitive data you collect, who gets to see it and how long you keep it
- Identify stale data — especially sensitive information
- Create a predetermined data retention period
- Archive or delete stale data if no longer needed
Limit Passwords & Users
- Hunt and eliminate stale accounts and non-expiring passwords
- IT must disable non-expiring passwords and set passwords for all users to expire at set intervals
- If an account requires a static password, it must be extremely long, complex and random
- Use enterprise-wide password managers and two-factor authentication, as well as monitoring and alerting on suspicious failed login attempts
- Make sure stale accounts are disabled and monitored to re-enable activity or delete the account
- Implement procedures to ensure that all user accounts are active, governed and monitored
- Understand what constitutes normal behavior on both user and service accounts so you can be more effective at spotting inactive users and behavioral abnormalities
- Boost your anomaly detection capabilities and response processes
Click the button below to open or download a culmination of the information and visuals above.
If you’re curious how this year’s assessment compares to past years, check out our 2018 data risk report and 2017 data risk report for more information. While organizations focus on keeping attackers out, all too often the data itself remains widely accessible and unmonitored. Do you know how your data security stacks up? If you’re looking for your own data report, Varonis provides free risk assessments to get your data security pointed in the right direction.
We've been keeping the world's most valuable data out of enemy hands since 2005 with our market-leading data security platform.How it works
Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.