Nearly a year after GDPR was enacted, the average company has more than half a million sensitive files stored, 17% of which are accessible to every employee, according to a Monday report from Varonis.

The report examined more than 700 data risk assessments performed by Varonis engineers to determine the prevalence and severity of exposed sensitive files. More than half of companies found more than 1,000 sensitive files accessible to every employee. Some 22% of all folders were open to everyone in the company, and 51% of companies found more than 100,000 folders open to every employee.

Businesses store millions of files in folders and sites, both in the cloud and on-premises, the report noted. However, because many of these folders and sites aren’t properly secured, the sensitive files inside are left open to view by many employees. That means it would take only one compromised employee to lead to a data breach, according to the report.

Corporate global access groups such as Everyone, Domain Users, or Authenticated Users also give easy access to files to insiders and to outside hackers who make it into the network, the report noted.

“Globally accessible data puts organizations at risk from insiders, malware and ransomware attacks: it takes just one click on a phishing email to set off a chain reaction that encrypts or destroys all accessible files,” according to the report.

Companies also struggle with keeping data up to date, the report found: 53% of all data examined, on average, was stale. And 58% of companies found more than 1,000 stale user accounts.