Building a slide deck, pitch, or presentation? Here are the big takeaways:

  • Varonis found that 46% of the companies they surveyed had over 1,000 stale, but enabled, users in their system.
  • On average, only 3% of a company’s files are protected, according to a Varonis Systems report.

A data security and analytics firm released a troubling report Wednesday about the lack of security in most corporate networks, illustrating massive gaps in protection that hackers have taken advantage of in recent years.

The 2018 Global Data Risk Report from Varonis Systems highlights the need for better security awareness. The company conducted data risk assessments for 130 organizations and government entities in more than 50 countries. The organizations represent a wide cross-section of industries including healthcare, insurance, finance, retail, education and more. No matter the size of the company, its industry, or location, one thing was a constant: Overexposed data remains a major risk, the report noted.

“Organizations often fail to pay close attention to what goes on before a data breach: the early warning signs that point to failures in data protection that allow attackers unfettered access to important information once they’ve breached a corporate network,” Varonis wrote in the report. “Mapping the millions of unprotected files and folders within an organization serves as a data SOS that inspires action before the next major breach occurs – it’s a signal that cannot be ignored.”

SEE: Information security incident reporting policy (Tech Pro Research)

The company compiled information on all of the assessments they did in 2017 and found worrying trends concerning the amount of sensitive data exposed in an average network and the amount of defunct user accounts allowed access to entire systems.

According to Varonis, 41% of organizations had more than 1,000 sensitive files open to every employee, with data such as “credit card information, health records, or personal information subject to regulations like GDPR, HIPAA and PCI” readily available to anyone with access to the system.

Varonis examined over 6 billion files, more than double their amount from last year, and warned that new laws like the EU’s General Data Protection Regulation (GDPR) make it imperative that organizations gain firmer control of their networks and secure systems in an way that limits their exposure to cyberattacks.

“Globally accessible data puts organizations at risk from malware and ransomware attacks: it takes just one click on a phishing email to set off a chain reaction that encrypts or destroys all accessible files,” Varonis noted in the repot. “Regulations like the EU General Data Protection Regulation (GDPR) set the stage to penalize companies that fail to protect personal information that often resides in unsecured files and folders.”

The data security firm said a number of issues are plaguing the security of most networks. Companies, Varonis wrote, must stop giving global access to all of their employees and make sure to cancel the accounts of anyone who no longer works there.

Some 65% of companies had more than 1,000 stale user accounts with wide-ranging access to systems and 46% had over 1,000 enabled but stale user accounts. Varonis called these stale but enabled user accounts “an unnecessary security risk” and added that “most attackers target data, but they reach their target by hijacking accounts.”

One solution Varonis suggested was to improve file access requirements as people are hired, fired, and moved within the company. According to the report, 57% of companies had 1,000 or more files with inconsistent permissions. On average, only 3% of a company’s files were protected in some way, the report said.

Companies should also regularly force their employees to change passwords. The report noted that 65% of companies had more than 500 users with passwords that would never expire, giving hackers “a large window to crack them using brute force. Once breached, they provide indefinite access to data.”

Half of the people surveyed for the report said they only changed their passwords when they forgot them, and only 1 in 5 did it in response to the near-constant stream of stories about companies suffering from a hack.

“It only takes one leaked sensitive file to cause a headline-making data breach,” Varonis Technical Evangelist Brian Vecci said in a press release. “And we’re seeing hundreds of thousands of exposed sensitive folders in our risk assessments. Executives and board members are starting to understand how much of their data is at risk, and they need to know these exposed folders can be fixed. We’ve seen how one unpatched server can lead to a disaster; a single ‘unpatched’ folder can be just as disastrous, and it doesn’t take an expert or sophisticated code to exploit it.”