New Ponemon Study: Insiders Have Too Much Access to Sensitive Data
A new Ponemon Institute survey, sponsored by Varonis Systems (press release here), examined corporate internal data protection practices as seen by 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, across a variety of industries including financial services, public sector, health & pharmaceutical, retail, industrial, and technology and software. The survey covered employees in the US, UK, Germany and France. According to Dr. Larry Ponemon, founder and Chairman of the Institute:
Data breaches are rampant and increasing. The sheer growth of both digital information and our dependence on it can overwhelm organizations’ attempts to protect their sensitive data. This research surfaces an important factor that is often overlooked: employees commonly have too much access to data, beyond what they need to do their jobs, and when that access is not tracked or audited, an attack that gains access to employee accounts can have devastating consequences. (emphasis added).
That last thought isn’t new: we’ve seen the impact in some of the more spectacular data breaches. But the statistics in this report demonstrate that, in the struggle to balance security with productivity, security is largely losing. Insiders generally have much more access than they really need to do their jobs, and that puts the enterprise at great risk.
In our writing and webcasts, we stress the importance of good data governance in protecting corporate information. Employees can only lose data to which they have access, and strict audit and control of that access goes a long way toward reducing the impact of compromised users. The infographic from the study shows how far we have yet to go. Full report here and here.
About Andy Sherman
Andy Sherman, Eden Technologies’ security practice lead, has a PhD in physics from Rensselaer Polytechnic Institute and started his career in the academic world. He then went to AT&T Bell Laboratories, where he discovered the power – and hazards – of large distributed computer networks. It was also at Bell Labs, during the early days of the Internet, that Andy became interested in the security problems associated with public networks. From Bell Labs Andy moved to the financial services industry. There he worked on a large range of infrastructure design, deployment, and management projects, but he is best known for his 15+ years in information and technology security.