by Thor Olavsrud

Corporate file systems have ‘staggering level of exposure’

Mar 22, 2016
IT Strategy, Physical Security, Risk Management

A year of anonymous data from risk assessments of corporate file systems reveals that many companies are failing to use permissions to limit access to sensitive data.

New data released yesterday by Varonis Systems, a specialist in insider threat protection, illuminates one reason so many companies are easy prey for cyberattackers: They fail to use permissions to limit access to valuable data.

Using anonymous data collected from the risk assessments it conducted for potential customers in 2015, Varonis says it found a “staggering level of exposure” in corporate systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Varonis used data from dozens of customer risk assessments of mid-to-large enterprises. In a subset of each company’s file systems, Varonis found the average company had the following:

  • 35.3 million files, stored in four million folders, meaning the average folder has 8.8 files.
  • 1.1 million folders, or an average of 28 percent of all folders, with “everyone” group permission enabled, open to all network users.
  • 9.9 million files that were accessible by every employee in the company regardless of their roles.
  • 2.8 million folders, or 70 percent of all folders, that contained “stale data” that had been untouched for the past six months.
  • 25,000 user accounts, with 7,700 of them (31 percent) stale — having not logged in for the past 60 days, suggesting former employees, employees who changed roles or consultants and contractors whose engagements had ended.

The company notes that the “everyone” group is a common convenience for permissions when originally set up, but such mass access makes it very easy for attackers to steal company data.
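The three folder-level figures the assessment reports (folders open to "everyone", files reachable through them, folders holding stale data) can be measured on a share you administer. This is an added example and not code from the article or from Varonis; it assumes Windows with NTFS permissions, and the `$Root` path is a placeholder.

```powershell
# Added example, not from the article or Varonis. Reports the share's
# "everyone"-open folders, the files reachable that way, and stale folders.
param(
    [string]$Root = '\\fileserver\share',   # placeholder, replace with your share
    [int]$StaleMonths = 6                   # the article's "untouched for six months"
)

$staleCutoff = (Get-Date).AddMonths(-$StaleMonths)
# Match by well-known SID so localized group names behave the same:
# S-1-1-0 = Everyone, S-1-5-11 = Authenticated Users (every logged-on employee).
$openSids = @('S-1-1-0', 'S-1-5-11')

$totalFolders = 0; $openFolders = 0; $staleFolders = 0
$totalFiles = 0;   $openFiles = 0

$dirs = Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue
foreach ($dir in $dirs) {
    $totalFolders++
    $files = @(Get-ChildItem -LiteralPath $dir.FullName -File -ErrorAction SilentlyContinue)
    $totalFiles += $files.Count

    # A folder counts as open if any Allow ACE names one of the broad SIDs.
    $isOpen = $false
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if ($acl) {
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            try { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
            catch { continue }   # orphaned, unresolvable SIDs are not "everyone"
            if ($openSids -contains $sid) { $isOpen = $true; break }
        }
    }
    if ($isOpen) { $openFolders++; $openFiles += $files.Count }

    # Stale: the folder has files and none was written inside the window.
    if ($files.Count -gt 0) {
        $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        if ($newest -lt $staleCutoff) { $staleFolders++ }
    }
}

$pct = { param($n, $d) if ($d) { [math]::Round(100 * $n / $d, 1) } else { 0 } }
[pscustomobject]@{
    Root               = $Root
    Folders            = $totalFolders
    Files              = $totalFiles
    OpenFolders        = $openFolders
    OpenFolderPercent  = & $pct $openFolders $totalFolders    # article average: 28
    FilesOpenToAll     = $openFiles
    StaleFolders       = $staleFolders
    StaleFolderPercent = & $pct $staleFolders $totalFolders   # article average: 70
}
```

The script checks explicit ACEs only; a grant to a domain-wide group such as Domain Users is just as broad, so add that group's SID to `$openSids` for your domain before comparing against the article's averages.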

Some of the individual lowlights Varonis discovered include the following:

  • One company in which every employee had access to 82 percent of its 6.1 million total folders.
  • Another company which had more than two million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.
  • Yet another company in which 50 percent of the company’s folders had “everyone” group permission, and more than 14,000 files in those folders were found to contain sensitive data.
  • Still another company that had more than 146,000 stale users — nearly three times more users than the average Fortune 500 company has total employees.

“Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously,” David Gibson, vice president of Strategy and Market Development at Varonis, said in a statement yesterday.

He notes that many of them went on to implement Varonis’ platform in an effort to remediate their file system issues.

Varonis put together the infographic below based on its findings.

[Infographic: Varonis risk assessment stories]