Varonis says data governance is central to preventing insider-driven security breaches

According to Varonis Systems, in many of the data breaches reported in recent weeks, members of staff and/or contractors were able to delete or download thousands of files without raising concerns, often because no one was able to determine what sensitive data they had access to - and secure that data - before any information could be stolen.

There was, says Varonis, no auditing of the data, and no alerts were issued on anomalous access to the data, within the organisations concerned.

David Gibson, the firm's director of technical marketing, says these recent attacks and breaches demonstrate how critical it is that organisations be able to answer questions such as: who has and should have access to data; who is using their access; who is abusing their access; who owns the data; and what data is sensitive?

Much of the data accessed and leaked in recent breaches, he notes, was composed of unstructured or semi-structured data - documents, spreadsheets, images, presentations, video and more - that resided on file shares accessible throughout the organisation concerned.

According to Varonis, more than half of the files and data that employees can access within any organisation are not relevant to them, with stale and excessive permissions rarely revoked.

In many cases, says Varonis Systems, an organisation’s data is open to global access groups - effectively everyone on the system - and traditional processes offer no reliable way of remediating that access without impacting the business.

Furthermore, the firm adds, more than half of the data on file systems, NAS devices, SharePoint sites and email systems lacks an owner - something that Gibson says represents a profound failure when it comes to basic management and protection of data.

Against this backdrop, Gibson argues that organisations must ensure that controls are in place to mitigate the risks of data leakage, theft and loss arising from excessive access rights and permissions and non-existent audit trails.

Automated data governance, he says, is fundamental in securing an organisation's intellectual property and competitive edge. Manual permissions and group changes are unreliable and often error-prone.

In many cases, he adds, the IT group is unable to reliably identify business owners of data sets or involve data owners in the governance process.

Determining who has access to a data set and which folders a user or group can access, and identifying unneeded permissions, can be a challenge, and often IT is completely unable to answer questions such as, “Who accessed or deleted my data?”
