Corporate file systems have 'staggering level of exposure'

A year of anonymous data from risk assessments of corporate file systems reveals that many companies are failing to use permissions to limit access to sensitive data.

New data released yesterday by Varonis Systems, a specialist in insider threat protection, illuminates one reason so many companies are easy prey for cyberattackers: They fail to use permissions to limit access to valuable data.

Using anonymous data collected from the risk assessments it conducted for potential customers in 2015, Varonis says it found a "staggering level of exposure" in corporate systems, including an average of 9.9 million files per assessment that were accessible by every employee in the company.

Varonis used data from dozens of customer risk assessments of mid-to-large enterprises. In a subset of each company's file systems, Varonis found the average company had the following:

  • 35.3 million files, stored in four million folders, meaning the average folder has 8.8 files.
  • 1.1 million folders, or an average of 28 percent of all folders, with "everyone" group permission enabled, open to all network users.
  • 9.9 million files that were accessible by every employee in the company regardless of their roles.
  • 2.8 million folders, or 70 percent of all folders, that contained "stale data" that had been untouched for the past six months.
  • 25,000 user accounts, with 7,700 of them (31 percent) stale — having not logged in for the past 60 days, suggesting former employees, employees who changed roles or consultants and contractors whose engagements had ended.

The company notes that the "everyone" group is a common convenience when permissions are originally set up, but such mass access makes it very easy for attackers to steal company data.

Some of the individual lowlights Varonis discovered include the following:

  • One company in which every employee had access to 82 percent of its 6.1 million total folders.
  • Another company that had more than two million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.
  • Yet another company in which 50 percent of the company's folders had "everyone" group permission, and more than 14,000 files in those folders were found to contain sensitive data.
  • Still another company that had more than 146,000 stale users — nearly three times more users than the average Fortune 500 company has total employees.

"Although this data presents a bleak look at the average enterprise's corporate file system environment, the organizations running these risk assessments are taking these challenges seriously," David Gibson, vice president of Strategy and Market Development at Varonis, said in a statement yesterday.

He notes that many of them went on to implement Varonis' platform in an effort to remediate their file system issues.

Varonis put together the infographic below based on its findings.

[Infographic: Varonis risk assessment]


Stories by Thor Olavsrud
