
Know where your most sensitive data lives

By Suzanne Franco, Surveys Editorial Project Manager at ITWeb.
Johannesburg, 12 May 2017
Louis de Kock, South Africa Country Business Development, Varonis Systems.

A third of respondents who took part in a recent survey indicated they are very confident that data stored within their organisation is adequately protected, while 60% of respondents are somewhat confident.

"Our data has immense value to us and to others. If it's lost, stolen by an insider, or locked down by an attack, organisations can lose time, money, or worse. Patient records, financial information, intellectual property - all of this very sensitive data poses a risk to any organisation," says Louis de Kock, South Africa Country Business Development, Varonis Systems, commenting on the ITWeb/Varonis 2017 Data Governance survey, which ran online during March this year.

De Kock says we are creating and using so much critical data that many organisations don't even have a clear picture of how much they have and where it all is.

"I'm not surprised one third of respondents are very confident that their data is adequately stored, but I would guess that even within that segment there will be many surprised by how much personally identifiable information and other sensitive data makes its way out of safely secured databases and into documents and spreadsheets."

De Kock points out that when we have no idea where important data is and how it's being used, we're left in the dark when something goes wrong.

"Data breach, insider attack or ransomware. Damage to reputation and revenue and hefty regulatory fines await those who do not adequately protect the data they are entrusted to keep."

Who is accessing sensitive data?

Eighteen percent of respondents indicated that all actual access activity on file shares is currently being monitored, whereas a third of respondents said they monitor most access activity.

"While it may be obvious to monitor sensitive and regulated data, it also makes sense to monitor the rest of your data. Non-regulated data does have value and purpose and would certainly impede productivity if it were stolen, abused or hijacked by ransomware. Way too much data - sensitive or otherwise - is just too accessible to every employee," advises De Kock.

"You can't catch what you can't see, and if that much data is overexposed, then it's at risk for an attack."

Empowering data owners increases security

The results were pretty much evenly split when respondents were asked if they have owners assigned to folders/directories, with 36% citing they do for most data and a third citing owners for all data.

"It's critical to get the business involved in the business of data governance. The data owners will know for certain who should and should not have access to certain data; they are also the first to call IT when that data is deleted, modified without their consent or encrypted - so they need to be involved to attest who should access their files.

"Empowering data owners to review access rights removes the guesswork from IT and, with regular attestations, increases the data's security."

Exactly half (50%) of respondents said that data/group owners do review permissions on their folders; however, 22% said they do not.

Elaborating on this key finding, De Kock points out that permissions to data should be reviewed according to the regulation that governs that data or at a minimum every three to six months for unregulated data.

"Permissions hygiene has a tendency to erode over time as people move around within an organisation, request permission to folders for short-term projects or leave the company; therefore, regular reviews are important.

"Achieving a gold standard in shared data security doesn't have to be laborious; many times the solution can be automated, prompting entitlement reviews with system-generated recommendations based on access history and user profiling," says De Kock.

Just over half (53%) of respondents stated that they review this access more than twice a year, while only 5% stated less than once a year.

According to De Kock, people change roles, so permission creep happens as they move, giving them more access than they need to do their job.

"Regular review of data access rights and monitoring of that access should be a part of any data governance plan."

It also emerged from the survey that an overwhelming majority of 74% stated they do not use automation to identify sensitive data.

"We no longer talk about data in terms of gigabytes but petabytes, so keeping up with the growth of sensitive data within an organisation without an automated solution is a time consuming, costly and error prone task."

De Kock goes on to say that when regulations like PoPI are in place, sensitive data must be identified and locked down.

"There is no room for 'oops, I didn't see it' with these new strict data privacy regulations."

When respondents were asked if they currently have a PoPI project/initiative under way to assist with compliance readiness, a third said they do, 27% said they do not and 24% are in the planning stage of PoPI readiness.

"Data privacy is no longer a good thing to do to protect your reputation with customers - it's the law. As soon as the commencement date is announced, organisations will have one year in which to comply - that's not a lot of time if you're the average company with thousands of folders of data."

According to De Kock, personal data creeps out of databases and makes its way into spreadsheets and other documents.

"Organisations must ensure the privacy and safe disposal of personally identifiable information they hold, and it starts with identifying where this data lives on your network, who has access, removing unnecessary access rights and monitoring and alerting on unusual behaviour. Finding, flagging and removing or protecting this data is time-consuming without the right solutions or resources."
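The steps De Kock lists (find where personal data lives on the file share, then check who can read it) can be approximated with a small scanner. The script below is an added illustration for this article, not Varonis code and not part of the survey: it walks a directory tree, looks for 13-digit South African ID numbers (validated against the ID format's Luhn check digit, a plausible date of birth and the citizenship digit) and e-mail addresses, and reports the Unix permission bits that make each hit group- or world-readable. The sample files it creates under a temporary directory are constructed for the demonstration; the detection rules and the 0o644 "exposed" permission are assumptions chosen to mirror the over-exposure the survey describes.

```python
"""Locate leaked personal data on a file share and report who can read it.

Added example for this article; the directory layout and file contents are
constructed below, not taken from any real organisation or from the survey.
"""
import os
import re
import stat
import tempfile
from datetime import datetime

# Candidate patterns: a standalone 13-digit run (SA ID format) and an e-mail address.
ID_RE = re.compile(r"(?<!\d)\d{13}(?!\d)")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+")


def luhn_ok(digits: str) -> bool:
    """Standard Luhn check over the whole digit string (check digit is the last)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def is_valid_sa_id(candidate: str) -> bool:
    """YYMMDD SSSS C A Z: date of birth, sequence, citizenship (0/1), then Luhn digit."""
    if len(candidate) != 13 or not candidate.isdigit():
        return False
    try:
        datetime.strptime(candidate[:6], "%y%m%d")   # rejects impossible dates
    except ValueError:
        return False
    if candidate[10] not in "01":                     # citizenship digit
        return False
    return luhn_ok(candidate)


def find_sensitive(text: str) -> dict:
    """Return validated ID numbers and e-mail addresses found in a text blob."""
    ids = [m for m in ID_RE.findall(text) if is_valid_sa_id(m)]
    return {"sa_id": ids, "email": EMAIL_RE.findall(text)}


def exposure(path: str) -> list:
    """Which permission bits let users other than the owner read this file."""
    mode = os.stat(path).st_mode
    flags = []
    if mode & stat.S_IRGRP:
        flags.append("group-readable")
    if mode & stat.S_IROTH:
        flags.append("world-readable")
    return flags


def scan_tree(root: str) -> list:
    """Walk the share, scan every readable text file, and pair hits with exposure."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                    hits = find_sensitive(fh.read())
            except OSError:
                continue                              # unreadable: skip, do not crash the scan
            if any(hits.values()):
                findings.append({
                    "path": os.path.relpath(path, root).replace(os.sep, "/"),
                    "hits": hits,
                    "exposure": exposure(path),
                })
    return findings


def build_sample(root: str) -> None:
    """Constructed files: one spreadsheet export that leaked PII, two decoys."""
    samples = {
        "hr/payroll_export.csv": "name,id_number,email\nThandi M,8001015009087,thandi@example.co.za\n",
        "projects/notes.txt": "invoice 1234567890123 ref 8001015009088\n",   # 13 digits, neither a valid ID
        "public/readme.txt": "nothing sensitive here\n",
    }
    for rel, content in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(content)
    os.chmod(os.path.join(root, "hr/payroll_export.csv"), 0o644)   # assumed over-exposed export
    os.chmod(os.path.join(root, "projects/notes.txt"), 0o600)


def demo() -> list:
    """Build the constructed share in a temp dir and return the scan findings."""
    root = tempfile.mkdtemp(prefix="share-")
    build_sample(root)
    return scan_tree(root)


if __name__ == "__main__":
    for f in demo():
        print(f["path"], f["hits"], "exposure:", ", ".join(f["exposure"]) or "owner only")
```

The validation step matters: a bare 13-digit regex would flag invoice and reference numbers as ID numbers, which is exactly the noise that makes manual review of thousands of folders impractical. Real deployments would add more patterns, read spreadsheet formats rather than plain text, and resolve ACLs (for example on SMB shares) instead of Unix mode bits, but the shape of the output, a file, the data it holds and who can reach it, is what a data owner needs to act on.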

The big takeaway from the Data Governance Survey, says De Kock, should be that organisations simply don't know where their most sensitive data lives across their file shares and cloud environments, who is accessing it and what they are doing with that access.

"For PoPI, the clock starts ticking as soon as the commencement date is announced, so they need to start today to incorporate the day-to-day security requirements of the PoPI into their everyday business and IT processes," he concludes.
