Many companies are letting the exposure of sensitive data directly impact sensitive files exposed to the majority of employees, without proper access control, as well as keeping user accounts inactive and not changing passwords regularly.
This information was pointed out in the Data Gets Personal: 2019 Global Data Risk Report survey carried out by Varonis Data Lab in several different countries, including Brazil.
By focusing on keeping cybercriminals at bay, many companies have paid little or no attention to exposing sensitive data. After all, in many cases, important information and folders are freely accessible to all employees and are not monitored.
It’s a bit like having several ways to prevent your house from being broken into, but leaving a safe full and open in the middle of the living room. If someone passes, they’ll get a present.
These problems will have to be analyzed by companies, since it’s not just about security. After all, in addition to the risks in this regard, with the LGPD about to come into force, this type of case could lead to fines for non-compliance.
But we’ll go into this subject in more detail later in this article.
High exposure of sensitive data
The study analyzed 54 billion documents from 785 companies in 30 industries and 30 different countries. It was discovered that 53% of the organizations analyzed had more than 1000 sensitive files exposed to all employees.
To give you an idea, on average each employee had access to 17 million files.
It’s not just files, but document folders also get a lot of exposure. 51% of the companies analyzed had more than 100,000 folders open to all employees.
Beyond the numbers
Sensitive data with open access to many (or all) employees represents a high risk for companies. There are various ways in which cybercriminals try to get at sensitive company information.
If an employee is phished, for example, this could cause extensive damage to the company by exposing the organization’s sensitive data. We even recently reported on cases of phishing that caused extensive damage.
These problems are not difficult to solve. Simply manage access to files and folders, especially those containing data such as confidential information on employees, clients, partners and projects.
In addition, the use of cryptography, together with good governance of cryptographic keys, is very important for keeping information secure.
That way, if something does leak, whoever gets hold of the file won’t be able to access the data it contains.
Inactive users who don’t log out and passwords that don’t change
Another finding of the study is that inactive user accounts are not deleted. 58% of companies found accounts with more than 1000 inactive users.
In general, these are people who have left the company for some reason, but their access to computers and systems still exists. In addition, more than a third of employees had passwords that never expire.
Cybercriminals are the ones to thank for this. Although they are looking for valuable data, they need a way to get to that information and accounts that are sitting unused become a good option for hacking.
Passwords that don’t change are easier to crack by brute force and when that happens, these accounts become an excellent gateway for a long time.
Sensitive information working overtime when sensitive data is exposed
Generally, sensitive data stored by a company is needed for a certain period of time in order to meet usage needs or legal issues, but then it must be deleted.
It’s like discarding a credit card after it expires. When important data is no longer needed, there is no reason to continue storing it.
Keeping them is taking an unnecessary risk.
However, 72% of the file folders analyzed contained old information that should have already been deleted. In addition, 53% of the total data was old and should no longer be in the possession of companies.
Add these findings to the fact that most companies were working with permissions to more folders than they can manage and, to use a popular expression, we have a scenario with a lot of important information lying around.
Compliance and LGPD
The report mentions that “highly exposed data represents a major risk for organizations regardless of size, area or location”.
Apart from the main laws on the use of confidential and sensitive data, such as GDPR and LGPD, this widespread exposure of sensitive information can lead to legal problems for companies through other legislation.
The LGPD has clear sections on data anonymization, as well as liability and access registration, but here we highlight article 46.
It states that “processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or un lawful destruction, loss, alteration, communication or any form of improper or unlawful processing”.
In short, not just anyone can have access and even “accidental situations” must be taken care of.
Progress must be made on the challenge of exposing sensitive data
The study also found that only 5% of folders were protected. So there is an important road ahead.
In cases such as those mentioned in this article, it is necessary to change the culture regarding data storage and security measures.
You can’t be left behind by cybercriminals or out of compliance with the law.
EVAL has been developing projects in the financial, health, education, and industry segments for over 18 years. Since 2004, we have offered solutions for Authentication, Electronic and Digital Signature, and Data Protection. Currently, we are present in the main Brazilian banks, health institutions, schools and universities, and different industries.
With value recognized by the market, EVAL’s solutions and services meet the highest regulatory standards of public and private organizations, such as SBIS, ITI, PCI DSS, and LGPD. In practice, we promote information security and compliance, increase companies’ operational efficiency, and reduce costs.
Innovate now, lead always: get to know Eval’s solutions and services and take your company to the next level.
Eval, safety is value.