
2019 Data Risk Report Stats and Tips You Won’t Want to Miss

Cybersecurity News, Data Security


Each year, Varonis conducts thousands of data risk assessments for organizations that want a clearer picture of their security posture and develop a roadmap to reducing risk to sensitive data. The 2019 Data Risk Report analyzes a random sample of nearly 800 risk assessments, giving you an inside look at the state of data security.

These annual reports entail analyzing files, folders, and emails across an organization's various data stores, identifying which data is vulnerable, and recommending how to improve data governance and eliminate vulnerabilities before they become liabilities. Read on to learn about our top findings, or skip to the risk report infographic for an overview of the whole story.

2019 Data Risk Report Overview

The data risk report findings covered three main topics of data security: risk and exposure, stale data, and passwords and users. To come up with these findings, the Varonis data lab randomly selected 785 reports from the thousands that were conducted. Our analysts went through the data from Active Directory, data permissions structures and automated classification to analyze the sensitivity of the files’ contents. 

This data was used to uncover actionable key findings that can be seen in the sections below. Before going through the findings, check out these key terms and how we classify them as they come up throughout the report.

  • Sensitive files: contain credit card information, health records or personal information subject to regulations like GDPR, HIPAA and PCI. 
  • Global access, exposed files and folders: indicates files and folders open to everyone (all employees). This data represents the biggest risk. 
  • Stale data: information no longer needed for daily operations. 
  • Stale user accounts (AKA “ghost users”): enabled accounts that appear inactive and often belong to users who are no longer with the organization or company.

Scope of the Risk Report

Infographic (Scope): The report examines 30+ industries, 785 organizations, 54 billion files, 4.3 billion folders, 54.58 petabytes of data, and 1.46 million files per terabyte.

Our analysts examined 54 billion files (which is nearly 10 times more files than last year’s report) from over 30 different countries. Some of the 30+ industries covered include healthcare, pharmaceuticals, biotech, retail, financial services, tech, manufacturing, energy and utilities, education, defense and government (local, state, and national).

See some more precise figures below:

  • Total data: 54.58 petabytes 
  • Folders analyzed: 4,332,290,346 
  • Folders with global access: 953,616,561 
  • Files analyzed: 53,885,498,652 
  • Files with global access: 13,445,993,510 
  • Total number of user accounts: 12,754,608 
  • Average number of folders per TB: 128,782
  • Average number of files per TB: 1,460,000
  • Number of exposed, sensitive files per TB: 3,144

Data Risk Report Findings

Infographic (Risk and Exposure): 53% of companies had over 1,000 sensitive files open to every employee; an average of 22% of all folders were available to every employee; only 5% of folders were protected properly.

Global access groups, such as Everyone, Domain Users or Authenticated Users, give every insider, and any outside attacker who compromises an insider's account, easy access to the files beneath them. It could take just one accidental click on a phishing email or other scam to set off a chain reaction that encrypts or destroys every file the victim's account can reach.

  • 17% of all sensitive files were accessible to all employees
  • 15% of companies found 1,000,000+ files open to every employee
  • On average, every employee had access to 17 million files

Some of the files we examined held data subject to regulations like the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS or PCI), Health Insurance Portability and Accountability Act (HIPAA) and the upcoming California Consumer Privacy Act (CCPA), and were in violation of data privacy law. Exposed data can cost companies money, reputation and trust.

Infographic (Stale Data): 53% of all data in a company is stale; 87% of companies found over 1,000 stale, sensitive files; 95% of companies found over 100,000 folders that contained stale data; 15,511 sensitive files per terabyte are stale.

Sensitive stale data holds important information about customers, projects, clients, employees or other business-sensitive content. A lot of this data is subject to regulations like the Sarbanes-Oxley Act (SOX), HIPAA, PCI and GDPR. Around half of the data being stored in company databases isn’t needed and should’ve been dumped.

Data kept beyond its necessary retention period can expose an organization to additional liability. Stale data can be expensive to store and manage, and it also poses an increased (and unnecessary) security risk. This valueless data can have huge costs if involved in a data breach or violation — despite the GDPR and upcoming CCPA, companies continue to accumulate this unneeded sensitive data. The large majority of companies have stale sensitive files, a problem that only builds on itself if left unattended.

Infographic (Passwords and Users): 61% of companies found over 500 users with passwords that never expire; 40% of companies found over 1,000 stale but enabled user accounts; 50% of user accounts were stale, on average.

Seldom (if ever) should accounts have passwords that never expire. User accounts with non-expiring and non-changing passwords give attackers a huge opportunity to break into them. Once breached, they provide indefinite access to data. When attackers find administrative accounts with non-expiring passwords, they can wreak havoc on an organization. 

User accounts are usually stored in Active Directory. User and service accounts that are inactive and enabled (AKA “ghost users”) are perfect targets for attackers. Once a hacker is in an account they can explore the organization’s framework and “test the waters.” It’s also harder for security systems to detect this type of foul play since it’s through an organization-sanctioned account. 

If these accounts are unmonitored, attackers can steal data or cause disruption without detection. Companies, overall, are doing a better job at reducing stale user accounts, but they’re far from perfect: Half of all user accounts are stale, and over a third of all companies we examined found more than 1,000 enabled but stale users. See some additional data points below:

  • 38% of all users sampled have a password that never expires
  • 11% of enabled users have expired passwords
  • 58% of companies were found to have over 1,000 folders that had inconsistent permissions
  • 27% of a company’s users had removal recommendations and were likely to have more access to data than they require

What Does the Data Risk Report Say About Your Company?

Infographic (Potential Consequences): If a breach or violation occurs, companies with over-exposed sensitive data, non-expiring passwords and stale accounts and data leave themselves at risk for:

  • Fines from SOX, HIPAA, PCI, GDPR, the future CCPA and others
  • Ruined reputation, as data breaches make big (damaging) news
  • Decline in business if consumers feel you aren't protecting them
  • Stock drops; depending on the severity, investors may jump ship
  • Loss of valuable info if projects and ideas are leaked or stolen

The 2019 Data Risk Report says there’s a lot of work to do. This report is a reflection of the average, meaning nearly every company has work to do to get their data security and storage practices up to par. The findings show that most companies are very susceptible to a breach and many are violating legislation and regulations that they could be fined for in an audit. Your company or a company you patronize likely has these four risks looming over their security:

  1. Over-exposed sensitive data 
  2. Sensitive stale data 
  3. Stale accounts
  4. Non-expiring passwords

Who’s Most At-Risk?

Infographic (Most At-Risk Industries): Highest percent of exposed sensitive files: Financial services 21%, Manufacturing 21%. Highest percent of exposed folders: Energy & Utilities 25%, Manufacturing 23%. Most exposed, sensitive files on average: Financial services 352,771 files; Healthcare, Pharma & Biotech 113,491 files.

These industries are ranked from riskiest to least risky by their average percentage of exposed sensitive files (total exposed files act as a tiebreaker where necessary). For all of the industry data risk stats, refer to the full report.

  1. Financial services: 21% of sensitive files were exposed
  2. Manufacturing: 21% of sensitive files were exposed
  3. Healthcare, Pharma & Biotech: 15% of sensitive files were exposed
  4. Energy & Utilities: 14% of sensitive files were exposed
  5. Retail: 14% of sensitive files were exposed
  6. Government & Military: 12% of sensitive files were exposed

Data Risk Report Takeaways

Infographic (Takeaways): Minimize Risk & Exposure (audit servers for global access groups, keep only appropriate users on sensitive regulated data, replace global access groups with tightly managed security groups); Eliminate Stale Data (identify it, archive or delete it, set a retention period); Limit Passwords & Users (hunt stale accounts and non-expiring passwords, verify all accounts, expire passwords periodically, boost anomaly detection and response).

As daunting as this all sounds, there are concrete steps to increase security and take better control of your data. This likely won’t be a quick fix for most companies but it’s a worthy investment as hackers will only become better at what they do and government regulations on organizations’ data security will only become tighter.

Minimize Risk & Exposure

  • Identify and fix global access groups that grant access to sensitive data
  • Ensure only appropriate users retain access to sensitive, regulated data 
  • Routinely run a full audit of your servers, looking for any data containers (folders, mailboxes, SharePoint sites, etc.) with global access groups applied to their ACLs
  • Replace global access groups with tightly managed security groups 
  • Start with the most sensitive data and test changes to ensure issues do not arise
  • Apply additional "preventive controls", like encryption, through digital rights management (DRM)
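The audit step above can be scripted. The following PowerShell is an added example written for this post, not Varonis tooling: it walks a share root, reads each folder's ACL, and reports Allow entries granted to the global access groups the report names (Everyone, Authenticated Users, Domain Users), flagging explicit (non-inherited) grants, which are the entries to replace first. The share path and report file name are assumptions.

```powershell
# Added example: audit a share root for folders whose ACLs grant access to
# global access groups. $Root and $Report are assumed values; adjust them.
param(
    [string]$Root   = '\\fileserver\share',        # assumption: share to audit
    [string]$Report = '.\global-access-audit.csv'  # assumption: output path
)

# Regexes for the global groups named in the report. "Domain Users" is matched by
# suffix because it is prefixed with the NetBIOS domain name (e.g. CORP\Domain Users).
$globalPatterns = @(
    '^Everyone$',
    '^NT AUTHORITY\\Authenticated Users$',
    '\\Domain Users$'
)

$findings = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue |
    ForEach-Object {
        $folder = $_.FullName
        try { $acl = Get-Acl -LiteralPath $folder } catch { return }   # skip unreadable ACLs
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }      # Deny entries are not exposure
            $id = $ace.IdentityReference.Value
            foreach ($pattern in $globalPatterns) {
                if ($id -match $pattern) {
                    [pscustomobject]@{
                        Folder    = $folder
                        Identity  = $id
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # False = explicit grant, the root cause
                    }
                    break
                }
            }
        }
    }

$findings | Export-Csv -NoTypeInformation -Path $Report

# Summary: how many folders are exposed, and which explicit grants to remediate first
$exposed  = @($findings | Select-Object -ExpandProperty Folder -Unique).Count
$explicit = @($findings | Where-Object { -not $_.Inherited })
Write-Host "Exposed folders: $exposed; explicit global grants to remediate: $($explicit.Count)"
$explicit | Sort-Object Folder | Format-Table Folder, Identity, Rights -AutoSize
```

Inherited entries disappear once the explicit grant higher in the tree is replaced with a managed security group, so fix the explicit ones and re-run the audit.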

Eliminate Stale Data 

  • Minimize the sensitive data you collect, who gets to see it and how long you keep it 
  • Identify stale data — especially sensitive information
  • Create a predetermined data retention period  
  • Archive or delete stale data if no longer needed

Limit Passwords & Users

  • Hunt and eliminate stale accounts and non-expiring passwords
  • IT must disable non-expiring passwords and set passwords for all users to expire at set intervals 
  • If an account requires a static password, it must be extremely long, complex and random  
  • Use enterprise-wide password managers and two-factor authentication, as well as monitoring and alerting on suspicious failed login attempts
  • Make sure stale accounts are disabled and monitored, so they can be re-enabled if legitimate activity resumes or deleted outright
  • Implement procedures to ensure that all user accounts are active, governed and monitored  
  • Understand what constitutes normal behavior on both user and service accounts so you can be more effective at spotting inactive users and behavioral abnormalities 
  • Boost your anomaly detection capabilities and response processes 
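The first two items above (hunting non-expiring passwords and stale but enabled accounts) map directly onto Active Directory attributes. This PowerShell is an added example for this post, not the report's own tooling; it assumes the RSAT ActiveDirectory module, a 90-day staleness threshold, and the privileged group names listed in the script.

```powershell
# Added example: find enabled AD users with non-expiring passwords and enabled
# users with no logon in $StaleDays days. Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$StaleDays = 90                                   # assumption: staleness threshold
$cutoff    = (Get-Date).AddDays(-$StaleDays)

# Enabled accounts whose password never expires (the report's "non-expiring passwords")
$neverExpire = Get-ADUser -Filter { Enabled -eq $true -and PasswordNeverExpires -eq $true } `
    -Properties PasswordNeverExpires, PasswordLastSet, LastLogonDate, MemberOf

# Enabled accounts with no logon since the cutoff (the report's "ghost users").
# LastLogonDate comes from the replicated lastLogonTimestamp, accurate to ~14 days,
# which is fine for a 90-day threshold. Accounts that never logged on count as stale
# only if they were created before the cutoff, so brand-new accounts are not flagged.
$stale = Get-ADUser -Filter { Enabled -eq $true } -Properties LastLogonDate, PasswordLastSet, whenCreated |
    Where-Object { ($null -eq $_.LastLogonDate -and $_.whenCreated -lt $cutoff) -or
                   ($null -ne $_.LastLogonDate -and $_.LastLogonDate -lt $cutoff) }

# Administrative accounts with non-expiring passwords are the highest-priority finding.
# Only direct group membership is checked here (assumed group names; nesting is ignored).
$privGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'
$privNeverExpire = $neverExpire | Where-Object {
    $groups = $_.MemberOf | ForEach-Object { (Get-ADGroup -Identity $_).Name }
    @($groups | Where-Object { $privGroups -contains $_ }).Count -gt 0
}

"Enabled users with non-expiring passwords: $(@($neverExpire).Count)"
"  ...of which privileged:                  $(@($privNeverExpire).Count)"
"Enabled users with no logon in $StaleDays days: $(@($stale).Count)"

# Export for review and owner sign-off before anything is changed
$stale | Select-Object SamAccountName, LastLogonDate, whenCreated |
    Export-Csv -NoTypeInformation -Path .\stale-accounts.csv
$neverExpire | Select-Object SamAccountName, PasswordLastSet, LastLogonDate |
    Export-Csv -NoTypeInformation -Path .\never-expire.csv

# Remediation, left commented out until the exports are reviewed: clearing the flag
# lets domain password policy apply; disabling (not deleting) keeps recovery possible.
# $neverExpire | Set-ADUser -PasswordNeverExpires $false
# $stale | Disable-ADAccount
```

Service accounts that legitimately need a static password will show up in the first list; document each one and move it to a managed, long, random credential rather than silently exempting it.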


If you’re curious how this year’s assessment compares to past years, check out our 2018 data risk report and 2017 data risk report for more information. While organizations focus on keeping attackers out, all too often the data itself remains widely accessible and unmonitored. Do you know how your data security stacks up? If you’re looking for your own data report, Varonis provides free risk assessments to get your data security pointed in the right direction.

Rob Sobers

Rob Sobers is a software engineer specializing in web security and is the co-author of the book Learn Ruby the Hard Way.
