As the enterprise increasingly requires employees to have more access than ever to sensitive and proprietary information, improvements to how well companies enforce access policies and track employee use of files are still slow on the uptake. According to a new study out by Ponemon Institute, the rate at which employee access is expanding outstrips the rate at which least privilege and other policy enforcements are gaining steam.
Sponsored by Varonis, the study queried over 3,000 employees in US and European organizations, approximately half from line-of-business roles and half from IT roles, to examine practices and attitudes about insider behavior with regard to sensitive data. Trends were also tracked against a similar study from 2014 to see how things have changed in the past two years.
Ponemon showed that the amount of access and use of proprietary information is on the rise --the number of employees who reported their job requires such access increased by 12 points to 88% this year. In the good news category, the percent of end users who report they have access to data they probably shouldn't see has decreased from 71% down to 62%. However, that's still a high number and shows there's still lots of room for improvement.
"This survey raises key points as to why hackers are able to maximize impact — too many employees have too much access, beyond what they need to do their jobs," says Dr. Larry Ponemon, author of the report and chairman and founder of Ponemon Institute. "On top of this, when employees access valuable data and their activity is not tracked or audited, it becomes far too easy for an external hacker or a rogue insider to get away unnoticed."
According to the study, 76% of organizations have experienced the loss or theft of company data over the past two years, a number rising since 2014. About three of four IT practitioners say that either negligent or malicious employees or contractors are the most likely to compromise accounts within their organizations and 55% say that their biggest worry is negligent insiders.
IT practitioners report that only about 29% of organizations fully enforce a least-privilege model of access control. That's up by nine points, but it shows that two-thirds of organizations are still lax with their controls. In fact, over one-quarter of organizations still do not enforce least-privilege at all. Meanwhile, when it comes to keeping on-going tabs on access activity, over half of organizations report that they review access to file shares or other collaborative data stores only annually or not at all. Additionally, a full 35% of organizations do not maintain a searchable record of file system activity.
All of this makes it difficult for companies to quickly detect employees or employee accounts accessing files and emails they're not authorized to see. About 57% of organizations take a week or longer to do so.