Data lock

IT and end users are far apart on critical data access

15 December 2014

When it comes to protecting sensitive data, there is a big gap between what IT departments think is happening with their customers and what end users are actually doing, says a new study released by the Ponemon Institute.

For example, 32% of IT professionals surveyed said that end users sometimes have more access privileges than they need to do their jobs. Meanwhile, a whopping 71% of end users said that they have access to company data that they should not be seeing.

“It means the provisioning systems aren’t working in the organisation,” said Larry Ponemon, chairman and founder at Traverse City, MI-based Ponemon Institute, LLC.

Over-provisioning exacerbates every other security problem that a company might have. Cybercriminals who use spearphishing to get into an organisation have much better odds of hitting someone with valuable access, he said, or of being able to move laterally from one system to another.

“All it takes is one employee who falls victim to a spearphishing attack and the bad guys can figure out everything else,” he said. “If we had proper credentialing, it would be harder to get to the end user with the right credentials. It would still be possible, but it would be harder.”

The other side of the coin is data itself. Although 73% of IT respondents said that data protection is a top priority for their department, 49% said that if files are changed or deleted unexpectedly they are not likely to know what happened.

Companies also have difficulties keeping files from being shared, so that critical data could be copied and stored in a hundred different places.

According to the survey, 76% of end users say there are times when it is acceptable to transfer work documents to personal computers, tablets, smart phones, or to the cloud. By comparison, only 13% of IT professionals agree.

“They seem to be out of touch with what most of the end users are doing,” Ponemon said.

In fact, 43% of end users said they used services such as Dropbox, and 42% said they used file share services, while IT respondents thought only 29% and 26% did, respectively.

“Keeping up with the volume and velocity of information is very difficult for companies,” said Ponemon. “Sony is a great example of the challenges that organisations have.”

The recent breach at Sony also shed light on many other practices at the company that helped make it more vulnerable.

“They had a file labelled ‘passwords’ that contained passwords and login credentials of employees,” Ponemon said.

Hackers were also able to find tokens and certificates, as well as access credentials to databases, routers and switches around the world, according to recent news reports.

“It’s pretty clear that they weren’t understanding where their sensitive assets were,” said David Gibson, spokesman at Varonis Systems, Inc., which makes software to manage and secure unstructured data. Varonis was the sponsor of the Ponemon survey.

“Sensitive data wasn’t identified, wasn’t locked down appropriately, and I don’t believe the use of that data was being monitored,” he said. “There are some critical controls missing that would have made the hacking a lot harder.”

But while criminals can be very good at finding the information they need within corporate systems, legitimate employees are actually drowning in data.

Sixty-three percent of end users said it is difficult or very difficult to find files on corporate networks — and here, 60% of IT respondents agreed.

Maria Korolov, IDG News Service
