With the first anniversary of Europe’s General Data Protection Regulation coming late next month, a pair of new studies find that the law’s onerous penalties for failure to protect personal information haven’t produced much change in corporate data governance.
An annual audit published by data protection vendor Varonis Systems Inc. discovered that the average large company leaves about 17% of its sensitive files open for every employee to access. More than half of the companies that were audited had more than 1,000 sensitive files in the open and about the same percentage left more than 100,000 folders with effectively no access controls.
Separately, a survey of 1,365 business and information technology managers in seven countries by Splunk Inc. found that respondents estimate, on average, that 55% of their data is “dark,” or unknown, despite the fact that 81% rate data as important to their organization’s success.
The Varonis report is based upon a sampling of 785 organizations the company audited as part of its business. Varonis uses automated processes to scan file and folder permissions as well as to identify keywords that might classify a document as sensitive.
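To make the two halves of that audit concrete (permission scanning plus keyword classification), here is a small added example of the same idea. It is not Varonis's tooling and is not drawn from the report: it walks a directory tree, treats the POSIX "other" mode bits as a stand-in for a folder open to everyone, and marks a file sensitive when its text matches a handful of constructed patterns. The directory layout, file contents, modes and pattern list are all made up for the demonstration; a real product reads ACLs and uses far richer classifiers.

```python
"""Toy permission-and-keyword audit (added example, not Varonis's scanner).

Flags files readable or writable by 'everyone' (the POSIX 'other' bits, used
here as a proxy for global permissions) and classifies a file as sensitive when
its text matches a small, constructed pattern list. Reports what fraction of
the tree's files are both sensitive and exposed.
"""
import os
import re
import stat
import tempfile
from dataclasses import dataclass
from typing import Dict, List

# Constructed classifier: two keywords and one structured (SSN-shaped) pattern.
SENSITIVE_PATTERNS = [
    re.compile(r"\bconfidential\b", re.I),
    re.compile(r"\bpassport\b", re.I),
    re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
]


@dataclass
class Finding:
    path: str
    world_readable: bool
    world_writable: bool
    sensitive: bool


def classify_text(text: str) -> bool:
    """True when any sensitive pattern appears in the text."""
    return any(p.search(text) for p in SENSITIVE_PATTERNS)


def inspect_file(path: str) -> Finding:
    """Combine mode bits and content classification for one file."""
    mode = os.stat(path).st_mode
    try:
        with open(path, "r", encoding="utf-8", errors="ignore") as fh:
            text = fh.read(65536)  # sample the head; enough for keyword hits
    except OSError:
        text = ""
    return Finding(path,
                   bool(mode & stat.S_IROTH),
                   bool(mode & stat.S_IWOTH),
                   classify_text(text))


def audit_tree(root: str) -> List[Finding]:
    """Walk the tree and inspect every regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            findings.append(inspect_file(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f.path)


def summarize(findings: List[Finding]) -> Dict[str, float]:
    """Counts the report would care about: sensitive files open to everyone."""
    total = len(findings)
    sensitive = [f for f in findings if f.sensitive]
    exposed = [f for f in sensitive if f.world_readable]
    pct = 100.0 * len(exposed) / total if total else 0.0
    return {"files": total, "sensitive": len(sensitive),
            "sensitive_exposed": len(exposed), "pct_exposed": round(pct, 1)}


def build_sample_tree() -> str:
    """Create a constructed sample tree with explicit modes; returns its root."""
    root = tempfile.mkdtemp(prefix="audit_demo_")
    samples = [  # (relative path, contents, mode)
        ("hr/salaries.txt", "CONFIDENTIAL salary list, do not share", 0o644),
        ("hr/passports.txt", "passport scan index for onboarding", 0o600),
        ("public/readme.txt", "welcome to the shared drive", 0o644),
        ("finance/drop.txt", "customer ssn 123-45-6789 attached", 0o666),
    ]
    for rel, text, mode in samples:
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(full, mode)  # set the bits explicitly so umask does not matter
    return root


if __name__ == "__main__":
    demo_root = build_sample_tree()
    for f in audit_tree(demo_root):
        print(f"{os.path.relpath(f.path, demo_root):22} "
              f"r_other={f.world_readable!s:5} w_other={f.world_writable!s:5} "
              f"sensitive={f.sensitive}")
    print(summarize(audit_tree(demo_root)))
```

Running it prints one line per file and a summary showing that two of the four constructed files are both sensitive and readable by everyone. The proxy is deliberately crude: on a real Windows file share the equivalent check reads each folder's ACL for the Everyone, Authenticated Users or Domain Users principals, which is what "global permissions" means in the report.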
The ghost of Active Directory
The analysis covered 54 billion files. In addition to establishing that access controls are weak in most organizations, the research also found that about 40% of companies have more than 1,000 active accounts in their access directories belonging to people who no longer work there and that 53% of an average company’s data is “stale,” meaning it’s out of date and should no longer be kept. Abandoned or “ghost” accounts are considered to be a prime cybersecurity vulnerability and stale data is a potential regulatory problem.
A comparison of the latest report to a similar study the company conducted last year revealed that access controls are actually getting worse. Varonis found that 22% of the folders it examined were exposed to everyone, up from 21% last year, and that the average company’s percentage of folders containing sensitive but easily accessible data jumped sharply to 53% from 41% in 2018.
“The average company has hundreds of millions of files and folders but not the tools and people they need to get their hands around the data,” said Brian Vecci, field chief technology officer at Varonis. He said one company was found to have 335,000 folders with global permissions but only a single person in charge of policing access. “It takes between two days and a week to fix a problem or a single folder,” he said. “You can’t put individual controls over half a million files.”
Tracking and regulating data is nearly impossible in most organizations, Vecci said. For example, personal data initially captured on a webform may then be copied into a spreadsheet that’s then emailed to multiple recipients, creating duplicate records that are impossible to audit. That’s how European corporations end up with, on average, 19 copies of each EU citizen’s personal information, according to the audit.