According to the results of a recent survey of 3,027 employees in the U.S., U.K., France and Germany (1,371 end users and 1,656 IT professionals), fully 62 percent of end users acknowledged that they have access to company data they probably shouldn’t be able to see.
The study, conducted by the Ponemon Institute and sponsored by Varonis Systems, also found that 76 percent of IT pros said their organization had experienced the loss or theft of company data over the past two years, a significant increase from 67 percent who gave the same response in a 2014 study.
Eighty-eight percent of end users said their jobs require them to access and use proprietary information such as customer data, contact lists, employee records, confidential business documents, or other sensitive data. Just 29 percent of IT professionals said their organizations enforce a least-privilege model to ensure that insiders only have access to company data on a need-to-know basis.
The survey also found that 78 percent of IT professionals are very concerned about ransomware. Fifteen percent of organizations have been hit by ransomware, and fewer than half of those detected the attack within the first 24 hours.
Only 25 percent of organizations monitor all employee and third-party email and file activity — 38 percent don’t monitor any file or email activity at all, and 35 percent of organizations have no searchable records of file system activity, leaving them unable to determine which files may have been encrypted by ransomware.
“Despite all the technology available and the spike in highly publicized attacks, data breaches continue to rise,” Ponemon Insitute chairman and founder Dr. Larry Ponemon said in a statement. “The most valuable data featured in most breaches is unstructured data such as emails and documents. When emails and files are surfaced, they tend to cause scandal, forcing the breach to have a lasting effect on the company’s reputation.”
“This survey raises key points as to why hackers are able to maximize impact — too many employees have too much access, beyond what they need to do their jobs,” Ponemon added. “On top of this, when employees access valuable data and their activity is not tracked or audited, it becomes far too easy for an external hacker or a rogue insider to get away unnoticed.”
A separate Bluelock survey of 228 C-level executives and IT professionals recently found that no executives surveyed rated the protection of their business against technology-related disruptions as extremely important, while 60 percent of IT pros did.
While 85 percent of C-level executives surveyed believe that top executives have a high awareness of current disaster recovery plans and ability to recover, just 51 percent of IT pros feel the same way.
Similarly, while 73 percent of executives have high confidence in their ability to recover systems within time objectives, just 45 percent of IT pros feel the same. And while 34 percent of executive described their organization’s funding for disaster recovery as “very good,” just 19 percent of IT pros did the same.
Among all respondents, the most common reason for not investing in disaster recovery was because of “more pressing priorities.”
A recent eSecurity Planet article examined three ways to mitigate insider risk.