Excessive Employee Access Privileges Expose Corporate Data to Risk: Survey

A recent report from the Ponemon Institute underscores the challenges businesses face when trying to secure user access to data.

According to a survey of 2,276 employees (1,166 IT pros and 1,110 end users) from organizations in the U.S., U.K., France and Germany, 71 percent of end users said they had access to data they should not see, and more than half (54 percent) said this access is either frequent or very frequent.

Some 80 percent of the IT pros said their organization does not enforce a strict least-privilege data model, and only 47 percent of the 1,166 IT professionals said end users in their organizations are taking appropriate steps to protect company data accessed by them. What's more, only 22 percent of both groups felt their organization placed a very high priority on protecting critical information.

"Employees are often left with needlessly excessive data access privileges and loose data-sharing policies," according to the report. "Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls. This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data."

"Data breaches are rampant and increasing," said Dr. Larry Ponemon, chairman and founder of The Ponemon Institute, in a statement. "The sheer growth of both digital information and our dependence on it can overwhelm organizations' attempts to protect their sensitive data. This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences."

Seventy-six percent of end users in the survey, which was sponsored by Varonis, believe there are times when it is acceptable to transfer work documents to their personal devices, while only 13 percent of the IT practitioners agree. In addition, 49 percent of IT practitioners say it is not likely or there is no chance that when documents, files or emails are lost or change unexpectedly, the organization will be able to assess what happened to them. 

"End users choose convenience," according to the report. "The most popular way of sharing company data or files with co-workers is by email. Fifty-six percent of IT practitioners and 52 percent of employees say they prefer email… Both groups also say it is very difficult or difficult to share company data or files with business partners."

"These findings should be a wake-up call to any organization that stores information about its customers, employees or business partners, which means almost any business or institution in today's world," Yaki Faitelson, Varonis Co-Founder and CEO, said in a statement.

"Unnecessary access combined with a lack of auditing capability adds up to inevitable disaster," he added.
