Of 35.3 million files collected during risk assessments, 1.1 million have “everyone” group permission enabled.
According to data collected by Varonis during 2015, there are 35.3 million files stored in four million folders, meaning the average folder has 8.8 files. However, 1.1 million folders, or an average of 28% of all folders, have “everyone” group permission enabled (open to all network users), while 9.9 million files were accessible by every employee in the company regardless of their roles.
David Gibson, Vice President of Strategy and Market Development at Varonis, said: “Although this data presents a bleak look at the average enterprise’s corporate file system environment, the organizations running these risk assessments are taking these challenges seriously.
“Most of them have since implemented Varonis, embracing a more holistic view of the data on their file and email systems and closing these gaping, often unseen security holes before the next major breach causes heavy damage.”
The data found that in one company, every employee had access to 82% of the 6.1 million total folders. Another company had more than two million files containing sensitive data (credit card, social security or account numbers) that everyone in the company could access.
In an email to Infosecurity, Matt Middleton-Leal, regional director, UK & Ireland at CyberArk, said that the findings are unsurprising, but remain a cause for concern.
“Our own recent research into real-world networks’ exposure to credential theft attacks and network compromise has found that on average, 40% of network machines could provide attackers with credentials enabling them to start accessing files, folders and system configuration settings across an organization’s entire network,” he said.
“Enterprises must approach security from within, ensuring that all accounts and credentials are locked down, with access strictly managed and monitored in real time. In our experience, enterprises often significantly underestimate the scale of their insider threat, with privileged accounts commonly outnumbering the headcount by three to four times.
“The fact is that employees or third-party contractors with privileged access have the greatest power to access sensitive information and interact with the IT infrastructure, which means that protecting these accounts and credentials must be a top priority.”