Until recently, many of us likely never gave a second thought to the security of our personal data online. Then, when news broke of a large-scale social media data breach, millions of users were suddenly outraged and demanded that their information be better protected.

While these scandals have been covered extensively in the media, they actually highlighted a problem that isn’t exactly unique. Almost every organization that holds customers’ critical data is guilty of not doing enough to protect this information.

Most customers don’t know who has access to their sensitive material. The bigger issue, however, is that those in charge of protecting this data may not know who has access either.

Welcome to the Critical Data Show

We like to believe that when we turn our personally identifiable information (PII) over to a company, it is only accessed by those who absolutely must see it. But that’s simply not true: On average, nearly one-quarter of all internal work folders are available to everyone within an organization, according to a 2018 report from Varonis Systems. Also, almost half of the surveyed companies had at least 1,000 sensitive files open to all employees.

Organizations are overwhelmed with unsecured and overexposed data — a problem of its own. Compounding the matter, most don’t realize how much sensitive information is at risk of compromise simply because the wrong person has access to more files than is absolutely necessary. When your critical data is open to everyone in the organization, any data security strategy you have in place to protect it is practically null.

“It only takes one leaked sensitive file to cause a headline-making data breach,” wrote Brian Vecci, technical evangelist at Varonis, in a company statement.

What Do Cybercriminals Want? Critical Data

When they gain access to PII and other sensitive files — such as proprietary research or corporate financial records — cybercriminals can perform a number of sinister acts. They could sell the information on the darknet or use it themselves to directly steal from your bank account. They could also use your research to develop knock-offs of your products or conduct identity theft. Just like burglars who ransack homes or offices, cybercriminals want to find the easiest way inside.

“Attackers take advantage of security missteps and shortcuts to gain access to secure systems and sensitive files,” wrote John Carlin, former assistant attorney general for national security, in the Varonis statement.

When too many people have access to sensitive files, it opens up more opportunities for a mistake to be made that leads to a breach. It also means that people can see information they shouldn’t be reading and can share that data (perhaps unknowingly) beyond its intended scope.

The 2017 Verizon Data Breach Investigations Report found that 58 percent of the security incidents it examined involved insiders, with 33 percent of those incidents resulting from errors and almost 30 percent from misuse of data. Much of this happens because the wrong people can access sensitive information. A wide spectrum of employees may legitimately need access to critical medical files. However, when that access isn’t kept in check, it is easy to abuse, and it opens the network to more nefarious actions.

Frightening Concerns: ‘Ghost’ Users and Stale Data

Organizations often continue to hold on to stale data or information that is no longer necessary for business operations. This information is likely no longer monitored. Not only is the company paying to store unneeded data, but it is also opening up this information to insider threats. A nosy or malicious insider could access old records or gather details about former clients or employees without anyone noticing.

Ghost users are also a problem: The Varonis report found that 46 percent of organizations had more than 1,000 users with passwords that never expire. Also, on average, 34 percent of user accounts are enabled but stale: “ghost” users who still have access to files and folders. In other words: An employee who has transferred to a new department or left the company still has network access. Again, the doors are left open for someone without permission to read critical data.
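The two exposures described above, folders open to everyone in the organization and enabled accounts belonging to stale or departed users with passwords that never expire, are straightforward to spot once you have an inventory of accounts and share permissions. The audit below is an added example, not code from the article or from Varonis; it assumes you have already exported account attributes (enabled flag, password policy, last logon, HR status) and per-folder read principals from your directory and file servers, and it runs against a small constructed inventory.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass
class Account:
    name: str
    enabled: bool
    password_never_expires: bool
    last_logon: "date | None"  # None means the account has never logged on
    still_employed: bool

@dataclass
class Folder:
    path: str
    readers: frozenset  # principals granted read access on the share

STALE_AFTER = timedelta(days=90)
BROAD_GROUPS = frozenset({"Everyone", "Domain Users", "Authenticated Users"})

def ghost_users(accounts, today):
    """Enabled accounts whose owner has left or that show no logon in 90 days."""
    found = []
    for a in accounts:
        stale = a.last_logon is None or today - a.last_logon > STALE_AFTER
        if a.enabled and (not a.still_employed or stale):
            found.append(a.name)
    return found

def never_expiring(accounts):
    """Enabled accounts whose password is set to never expire."""
    return [a.name for a in accounts if a.enabled and a.password_never_expires]

def open_to_everyone(folders):
    """Folders readable by an org-wide group: the 'open to all employees' case."""
    return [f.path for f in folders if f.readers & BROAD_GROUPS]

# Constructed sample inventory for illustration; not real accounts or shares.
TODAY = date(2018, 5, 1)
ACCOUNTS = [
    Account("alice", True, False, date(2018, 4, 30), True),
    Account("bob", True, True, date(2018, 4, 29), True),      # password never expires
    Account("carol", True, False, date(2017, 11, 2), False),  # left, still enabled
    Account("dave", False, False, date(2016, 1, 1), False),   # correctly disabled
    Account("svc-backup", True, True, None, True),            # never logged on
]
FOLDERS = [
    Folder(r"\\fs01\hr\payroll", frozenset({"HR-Payroll"})),
    Folder(r"\\fs01\research\prototype", frozenset({"R&D", "Everyone"})),
    Folder(r"\\fs01\finance\q1", frozenset({"Finance", "Domain Users"})),
]
```

Calling `ghost_users(ACCOUNTS, TODAY)`, `never_expiring(ACCOUNTS)` and `open_to_everyone(FOLDERS)` yields the three review lists; in practice, feed them from a scheduled export so the lists are re-checked as staff move or leave.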

With the General Data Protection Regulation (GDPR) going into effect on May 25, organizations that do business with data subjects of the European Union (EU) will have no choice but to address the matter of who has access to critical data. And even if your company isn’t doing business with the EU, your customers want to know their privacy is being protected.

Do you know who can see the sensitive files on your network? If you can’t answer that, chances are PII and other critical materials are being seen by not only insiders but cybercriminals who are grateful for the easy access.
