May 25, 2018
Co-Founder and CEO of Varonis, responsible for leading the management, strategic direction and execution of the company.
According to the Identity Theft Resource Center (ITRC), U.S. data breach incidents have been steadily on the rise over the last few years. In 2017, they reached an all-time high of over 1,500 incidents — more than three thefts for each day of the year. Hackers and cyber gangs are unleashing devastating new strains of fast-spreading malware, causing massive and costly disruptions on a global scale.
At the same time, over the last several years, data security spending has been on a growth trajectory and is expected to reach almost $100 billion worldwide in 2018, according to Gartner. It’s hopeful to think that increased investments in security might lead to fewer reported security incidents, but this will most likely not be the case.
New regulations, like the EU General Data Protection Regulation (GDPR), will require more organizations to both monitor for and report on data breaches. When we shine a light on our dark data, it exposes things we may not want to see — but sometimes things have to get worse before they can get better. Not only should we expect to continue to hear about breaches, we should expect many of these breaches to be very damaging — far more damaging than they need to be.
Do You Know Where Your Sensitive Data Is? Attackers Do
Our recently published Varonis Global Data Risk Report revealed that, on average, 21% of an organization’s folders were accessible to every employee and 41% of companies had at least 1,000 sensitive files open to all employees. Those included unmanaged stale and sensitive data regulated by the Sarbanes-Oxley Act (SOX), the Health Insurance Accountability and Affordability Act (HIPAA), the payment card industry data security standard (PCI), GDPR and other standards – data that can also carry fines and other penalties if exposed or even accessed without proper authorization. The Varonis Global Data Risk Report puts front and center why data-related regulations are being enacted and why boards need to be very concerned: It’s just too easy for insiders and outside attackers that get inside to steal valuable data.
Insiders are already inside, of course, and all they need to do is snoop around and stumble upon one of a thousand unprotected sensitive files. Outside attackers continue to penetrate perimeter defenses with ease.
How Do Attackers Get In?
A favorite opening for outside attackers is phishing mail — an email that appears to be from a legitimate site and contains a link or a direct file attachment. Once clicked by an employee, malware is downloaded to the user’s computer. With the malware acting on commands from a remote site, hackers can effectively access internal resources as if they were that employee.
Aside from phishing, hackers have also been adept at taking advantage of weak passwords, known security holes that remain unpatched and a never-ending supply of new vulnerabilities and exploits. With all these techniques available to the bad guys, it’s easy for an outsider to become an insider and then get access to all that unprotected data.
Why Don’t We See Attacks Sooner?
Unfortunately, most organizations don’t know what’s going on inside their perimeters. In our direct conversations with information technology (IT) executives and chief information security officers (CISOs), we often ask just this type of question: “How would you know if 10,000 files containing sensitive data were corrupted, deleted or accessed?”
It’s surprising to people that haven’t worked in IT, but most organizations aren’t monitoring how these files are used. Without monitoring how files are used, it’s very difficult to detect when they’re being abused. Imagine a credit card company trying to detect fraudulent transactions without being able to monitor charges — that’s a tall order.
Put Your Money Where Your Risk Is
If your organization plans to invest in security, here are some steps that will help make sure you realize value from those investments:
First, assess your risk by taking an inventory of what you need to protect. Identify important, sensitive and regulated data where you most expect it to be, and more importantly, where you least expect it to be. Don’t stop there — you’ll also need to map who has access to it, monitor whether it’s being used (or not) and by whom. You’ll need this combination to decide whether data is needed or not (more than half is probably stale), to see where it’s broadly exposed and to spot abuse.
Second, address the risk. Lock down exposed, sensitive data and make it more difficult for insiders and outside attackers to use an ordinary employee’s security credentials to access troves of credit card or social security numbers. Archive, delete or quarantine stale, unneeded data that’s more beneficial to an attacker’s bottom line than yours.
Third, to minimize your risk footprint, you’ll need an owner or steward to make decisions about your important data: who should get or lose access, what constitutes acceptable use and when it should be deleted. Help owners and stewards make informed decisions with minimized manual effort and you might even decrease risk and increase efficiency at the same time.
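The inventory described in the first two steps, as an added example (not code from the original article or from Varonis): it walks a file tree, flags files containing card or social security numbers, and ranks them by whether they are broadly readable and stale. The POSIX "other" read bit as a stand-in for "open to every employee", the 365-day staleness threshold, and the sample files are assumptions constructed for illustration.

```python
import os, re, stat, tempfile, time

CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")  # 13-19 digit candidates
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")

def luhn_ok(number):
    """Luhn checksum, to discard digit runs that are not card numbers."""
    digits = [int(c) for c in number if c.isdigit()][::-1]
    return sum(d if i % 2 == 0 else (d * 2 - 9 if d > 4 else d * 2)
               for i, d in enumerate(digits)) % 10 == 0

def classify(text):
    """Return the sensitive-data labels found in text."""
    cards = any(luhn_ok(m.group()) for m in CARD_RE.finditer(text))
    return [l for l, hit in (("card-number", cards), ("ssn", SSN_RE.search(text))) if hit]

def inventory(root, stale_days=365):
    """Return sensitive files under root, riskiest (exposed, then stale) first."""
    findings, now = [], time.time()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            st = os.stat(path)
            with open(path, errors="ignore") as fh:
                labels = classify(fh.read(1_000_000))  # first 1 MB only
            if labels:
                findings.append({
                    "path": os.path.relpath(path, root), "labels": labels,
                    # Assumption: "other" read bit stands in for "open to everyone".
                    "open_to_all": bool(st.st_mode & stat.S_IROTH),
                    "stale": now - st.st_mtime > stale_days * 86400})
    return sorted(findings, key=lambda f: (not f["open_to_all"], not f["stale"], f["path"]))

def build_sample(root):
    """Constructed sample share: (path, content, mode, age in days)."""
    for rel, content, mode, age in [
            ("finance/old_export.csv", "A. User,4111 1111 1111 1111\n", 0o644, 900),
            ("hr/payroll.txt", "SSN 123-45-6789\n", 0o600, 10),
            ("public/tracking.txt", "Order 1234567812345678 shipped\n", 0o644, 900)]:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write(content)
        os.chmod(path, mode)
        os.utime(path, (time.time() - age * 86400,) * 2)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_sample(root)
        print(*inventory(root), sep="\n")
```

On a Windows file share the exposure check would instead read the ACL for groups such as Everyone or Authenticated Users; the ranking logic stays the same.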
Data continues to grow. More breaches are expected. Executive boards have gotten the message and are starting to drive action as new regulations provide more pressure. Organizations that invest intelligently based on risk prioritization will be much better poised for the next wave of cyberattacks than those who choose to hide in the dark.