• Home
• News
  • Business Continuity News
  • Regional news
  • Sector news
  • Events Diary
  • Newsletters
  • Newsfeed
• Jobs
• Topics
  • BC: Facilities & Buildings
  • BC: General
  • BC: Markets & Companies
  • BC: Plan Development
  • BC: Software
  • BC: Statistics
  • BC: Testing & Exercising
  • Crisis Comms & Management
  • Critical Infrastructure Protection
  • Disaster Recovery
  • Emergency Management
  • Enterprise Risk Management
  • Operational Risk Management
  • Pandemic Planning
  • PS Prep
  • Standards
  • Terrorism
• Technology
  • Cloud Computing
  • Data Center / Centre Issues
  • ICT Continuity
  • Information Security
  • Recovery Facilities
• Resources
  • Webinars
  • BC software directory
  • Newsfeed
  • Twitter
  • Advanced BC information
  • Advanced ICT information
  • Basic BC information
  • Basic ICT information
  • How to advertise
  • About us
  • Contact us
  • Privacy
• Newsletters
• Training

WELCOME TO THE CONTINUITY CENTRAL ARCHIVE SITE

Please note that this is a page from a previous version of Continuity Central and is no longer being updated.

To see the latest business continuity news, jobs and information click here.

Badly managed access rights put critical data at risk

Despite a growing number of data breaches occurring under the glare of the public spotlight, 71 percent of employees in a new survey report that they have access to data they should not see, and more than half say that this access is frequent or very frequent.

As attention shifts from sophisticated external attacks to the role that internal vulnerability and negligence often play, a new survey commissioned by Varonis Systems, Inc. and conducted by the Ponemon Institute suggests that most organizations are having difficulty balancing the need for improved security with employee productivity demands. Employees with needlessly excessive data access privileges represent a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data.

The survey report, ‘Corporate Data: A Protected Asset or a Ticking Time Bomb?’ is derived from interviews conducted in October 2014 with 2,276 employees in the United States, United Kingdom, France, and Germany.

Respondents included 1,166 IT practitioners and 1,110 end users in organizations ranging in size from dozens to tens of thousands of employees, in a variety of industries.

Both IT practitioners and end users are witnessing a lack of control over employee access and use of company data, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Only 22 percent of employees surveyed believe their organizations as a whole place a very high priority on the protection of company data, and less than half of employees believe their organizations strictly enforce security policies related to use of and access to company data. Further, the proliferation of business data is already negatively impacting productivity: making it harder for employees to find data they truly need and should be able to access, and to share appropriate data with customers, vendors and business partners.

Other key findings on control and oversight include:

• 71 percent of end users say that they have access to company data they should not be able to see;
• 54 percent of those end users who have access they shouldn’t characterize that access as frequent or very frequent;
• 4 in 5 IT practitioners (80 percent) say their organizations don't enforce a strict least-privilege (or need-to-know) data model;
• Only 22 percent of employees say their organization is able to tell them what happened to lost data, files or emails;
• 48 percent of IT practitioners say they either permit end users to use public cloud file sync services or permission is not required;
• 73 percent of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data;
• 43 percent of end users say it takes weeks, months or longer to be granted access to data they request access to in order to do their jobs, and only 22 percent report that access is typically granted within minutes or hours;
• 60 percent of IT practitioners say it is very difficult or difficult for employees to search and find company data or files they or their co-workers have created that isn’t stored on their own computers;
• 68 percent of end users say it is difficult or very difficult to share appropriate data or files with business partners such as customers or vendors.

Uncovering internal vulnerability

The survey findings show that both IT practitioners and end users agree that the compromise of employee accounts that can lead to external data breaches are most likely to be caused by insiders with too much access who are frequently unaware of the risks that they present. 50 percent of end users and 74 percent of IT practitioners believe that insider mistakes, negligence or malice are frequently or very frequently the cause of leakage of company data. And only 47 percent of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access. When permissions management and auditing capabilities are not in place, employees’ excessive access to data and their negligence for security are increasingly putting company data at risk.

Other key findings on root causes of data breaches include:

• 76 percent of end users say their job requires them to access and use proprietary information such as customer data, employee records, financial reports, and confidential business documents;
• 38 percent of end users report that they and their co-workers can see ‘a lot of data’ that they believe they should not have access to;
• Only 47 percent of IT professionals say end users in their organizations are taking appropriate steps to protect company data accessed by them;
• 76 percent of end users believe there are times when it is acceptable to transfer work documents to their personal devices, while only 13 percent of IT practitioners agree;
• 49 percent of IT practitioners say it is not likely or there is no chance that when documents, files or emails are lost or change unexpectedly, the organization will be able to assess what happened to them;
• 67 percent of IT practitioners say their organization experienced the loss or theft of company data over the past two years, while only 44 percent of end users believe this has happened.

For a full copy of the study, click here.

•Date: 10th December 2014 • Various •Type: Article • Topic: ISM

Sign up for Continuity Briefing, our weekly roundup of business continuity news. For news as it happens, subscribe to Continuity Central on Twitter.