A recent study by Varonis has found that new employees are granted excessive permissions and can access a huge amount of company data from their first day on the job. The study covered 56 financial services companies and analyzed a dataset of around 4 billion files.
The study revealed that employees have access to an average of 10.8 million files as soon as they join a company, rising to around 20 million files in larger companies. On average, a new employee was given access to around 20,000 folders, and 64% of financial services companies gave employees access to more than 1,000 files containing sensitive information. In large companies, around 1.3 million files are open to everyone, compared with 778,045 in medium-sized companies and 101,717 in smaller companies.
In addition to the threat of insider theft, a malware infection on an employee’s computer could give an attacker access to a huge amount of sensitive data, and a ransomware attack would result in widespread file encryption. The problem has grown during the pandemic, with so many employees having to work from home. To allow employees to work effectively from home, companies have had to increase their use of the cloud, and the speed at which those changes were needed meant companies had to mobilize without implementing the necessary security controls. The problem is not limited to financial services: companies in other sectors also had to adopt cloud computing rapidly without adequate preparation.
A detailed analysis of the data exposed to employees showed that both office-based and remote workers had excessive rights over data and could view, copy, move, and change it. Around 20% of the files contained sensitive employee and customer data. In addition to the risk of data theft, companies are potentially in violation of industry regulations such as PCI, SOX, and GDPR for failing to lock down their data.
Securing data and restricting access is a major challenge for IT teams and an incredibly time-consuming task. “It takes IT professionals an estimated 6–8 hours per folder to locate and manually remove global access, meaning it would take years to remediate these folders manually,” Varonis explained in the report. The only way to ensure the problem is addressed is through automation.
Varonis also identified weaknesses that make it easier for threat actors to gain access to this data. Poor password hygiene is common: 59% of financial services companies have an average of 500 passwords that never expire, which leaves them vulnerable to brute force attacks. Varonis also found that 71% of folders have unresolved SIDs. Only through automation will companies stand a chance of finding and addressing these security weaknesses.
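The two folder-level findings above, global access and unresolved SIDs (an unresolved SID is a security identifier in an ACL that no longer maps to any existing account, typically left behind when a user or group is deleted), can both be located automatically from the ACLs of a file share. The following PowerShell script is an added example written for this article; it is not Varonis code and is not taken from the report. It assumes a Windows host with read access to the share named by `$Root` (a placeholder path) and, for the optional password check at the end, the ActiveDirectory module; the well-known SIDs it treats as "global" are Everyone, Authenticated Users, and BUILTIN\Users.

```powershell
# Added example (not from the Varonis report): audit a file share for
# global-access ACEs and unresolved (orphaned) SIDs, then list accounts whose
# passwords never expire. $Root and $Report are placeholders.
param(
    [string]$Root   = '\\FILESERVER\Share',   # placeholder share path (assumption)
    [string]$Report = '.\acl-audit.csv'
)

# Well-known SIDs that grant "global" access when allowed in an ACL.
$GlobalSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545'   # BUILTIN\Users
)

$findings = foreach ($dir in Get-ChildItem -Path $Root -Directory -Recurse -ErrorAction SilentlyContinue) {
    $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }

    # Ask for ACEs keyed by SID rather than account name, so that identities
    # which no longer resolve are still returned instead of being skipped.
    foreach ($ace in $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])) {
        $sid   = $ace.IdentityReference.Value
        $issue = $null

        if ($ace.AccessControlType -eq 'Allow' -and $GlobalSids -contains $sid) {
            $issue = 'GlobalAccess'
        }
        else {
            # Translating the SID to an NTAccount fails when the principal has
            # been deleted; that failure is what marks the SID as unresolved.
            try   { $null = $ace.IdentityReference.Translate([System.Security.Principal.NTAccount]) }
            catch { $issue = 'UnresolvedSID' }
        }

        if ($issue) {
            [pscustomobject]@{
                Path      = $dir.FullName
                Sid       = $sid
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # inherited ACEs are fixed at the parent, not here
                Issue     = $issue
            }
        }
    }
}

$findings | Export-Csv -NoTypeInformation -Path $Report
$findings | Group-Object Issue | Select-Object Name, Count

# Optional: accounts with non-expiring passwords (requires the ActiveDirectory module).
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' `
               -Properties PasswordNeverExpires |
        Select-Object SamAccountName, DistinguishedName
}
```

The `Inherited` column matters for remediation: an Everyone ACE reported on thousands of subfolders is usually a single explicit ACE on an ancestor, so the script's output should be filtered to `Inherited -eq $false` to find the few entries that actually need to be removed. Re-running the audit after each change and diffing the CSV gives a repeatable measure of how many folders remain open.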