8/2/2019 The State of Data Protection Research Report
1/17
Contents
Executive Summary ... 2
Methodology ... 2
Findings ... 3
Data Protection Confidence ... 4
Data Protection Activities ... 6
How Confidence Correlates with Action ... 8
Contrast: The Very Confident and the Not Confident at All ... 9
IT Security Responses ... 11
Conclusions and Recommendations ... 12
Appendix 1: Scoring Methodology ... 13
Appendix 2: Responses Regardless of Confidence Level ... 15
The State of Data Protection: Research Report
THE STATE OF DATA PROTECTION: RESEARCH REPORT
Executive Summary
Over the past year we have witnessed continuing accelerated growth of data, numerous data breaches and the introduction of legislation that mandates new data protection measures. Varonis Systems set out to explore organizational adoption of current data protection practices and confidence levels, and whether variance in protection practices correlated with variance in confidence levels among IT professionals.
The results of our survey show that while 80% of organizations store data that belongs to their customers, clients, vendors, or business partners (third party data), only 30% of those organizations describe themselves as very confident that the data stored in their organization is protected. Those that do not store third party data fare even worse; only 15% say they are very confident that data held by their organization is protected.
Furthermore, there is a clear correlation between basic data protection activities and controls and data protection confidence levels: those organizations that describe themselves as confident also report that they know where their 3rd party data resides, audit data use, have defined owners for their data, and conduct regular reviews of access. Those that describe themselves as not confident at all are conspicuously opposite; they are unsure where 3rd party data resides, do not audit data use, do not have defined owners, and do not regularly review access.
Methodology
In March of 2012, Varonis introduced an online survey consisting of 13 questions. The survey was distributed to the IT community through online channels (email, social media, blog, etc.), and over 200 individuals from over 200 organizations participated in the survey. The survey's questions were constructed to:
- Determine the percentage of companies that knowingly store data that belongs to their customers, business partners, and other third parties
- Measure IT staff confidence in how well their organization protects data
- Assess what percentage of organizations sampled perform various data protection tasks
- Survey whether organizations have implemented specific technical controls
The pages that follow contain findings and analysis by Varonis staff.
Findings
According to the respondents, the sizes of their respective organizations (by number of employees) fell into the following distribution:
[Chart: distribution of respondents by organization size]
Of all the organizations surveyed, 80% answered yes to the question, "Do you store data from customers, clients, vendors, or business partners?"
[Chart: Do you store data from customers, clients, vendors, or business partners?]
Data Protection Confidence
When asked, "How confident are you that the data stored within your organization is protected?" and provided a choice of very confident, somewhat confident, not confident at all, or unsure, the answers fell into a distribution where most organizations felt fairly confident, 26% were very confident, and 18% were not confident at all:
[Chart: distribution of confidence levels]
In order to more easily compare one segment of the respondents with another, here are the same results in a bar graph:
[Bar chart: How confident are you that the data stored within your organization is protected?]
Confidence levels varied somewhat between those that reported storing third party data and those that didn't, with those that store third party data reporting somewhat higher confidence levels than those that do not:
[Chart: confidence levels, those that store 3rd party data vs. those that do not store 3rd party data]
The confidence level varied depending on company size, as follows:
[Chart: confidence level by company size]
Twenty-seven respondents reported that their organizations employ 5,000-10,000 people. Seven of these respondents (35%) claimed to be not confident at all about their organization's data protection, noticeably worse than organizations on either side of the size spectrum.
Data Protection Activities
The following data protection questions asked the respondents to score their organization's knowledge of where third party data is stored, how completely it audits its use of data, whether it has designated someone to be responsible for data (data owners), whether data owners review access, and whether the organization regularly revokes access to data.
1. How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
2. Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
3. Do you have owners assigned to folders/directories, and SharePoint sites?
4. Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
a. If yes, how often do they review access?
5. How often do you revoke access to data, aside from when employees leave the organization?
Each response was then assigned a point value from 0 to 12, with those reporting to excel at an activity scoring a 12, and those not doing the activity at all a 0. The highest possible score was 60 points. (To see the scoring methodology in detail, please refer to Appendix 1.)
For a respondent to get 60 points, they needed to be very confident their organization knows where third party data resides, monitor all access activity, have owners that review access to data more than twice a year, and revoke access regularly. The average score was 25, the median 24.
[Chart: Score Distribution]
The averages for each data protection activity are in the radar plot below. Respondents averaged highest in identifying data owners and revoking access regularly, and worst in monitoring access activity and having the data/group owners review access.
Most of those that described themselves as not confident at all also scored on the lower end of the distribution for data protection tasks, the fairly confident clustered in the middle, and the very confident gravitated toward the higher end of the spectrum. None of those that rated themselves as not confident at all scored in the 40-60 point range.
[Radar plot: Average Score per Activity]
[Chart: Score Distribution and Confidence Level]
How Confidence Correlates with Action
Those organizations that were not confident at all rated themselves much lower on all data protection activities relative to their very confident and fairly confident peers, with very wide gaps for knowing where 3rd party data resides, having owners for data, and monitoring access activity.
Contrast: The Very Confident and the Not Confident at All
Overall, those that described themselves as Very Confident in response to the question, "How confident are you that the data stored within your organization is protected?" differed from those that described themselves as Not Confident at all on specific data protection and governance questions. Here are their responses side by side:
[Charts, one per question, with two columns: The Very Confident | The Not Confident at All]
- How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
- Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
- Do you have owners assigned to folders/directories, and SharePoint sites?
- Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
- If yes, how often do they review access?
- How often do you revoke access to data, aside from when employees leave the organization?
- Do you use automation to identify sensitive data?
IT Security Responses
One interesting statistic was the confidence level of IT security personnel: their responses fell more into either extreme, with a higher percentage saying they are either very confident (33%) or not confident at all (26%). 27 respondents described themselves as performing an IT security function.
[Chart: How confident are IT Security personnel?]
Interestingly, the gaps between the very confident and the other confidence levels were wider than for non-security personnel, especially in access activity monitoring and knowing where 3rd party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than for non-security personnel.
[Chart: IT Security Scores Per Activity]
Conclusions and Recommendations
If an auditor determined that your organization didn't know where its money was stored, no one reviewed (or even had) monthly statements, and no one was responsible for reviewing and deciding who should be able to withdraw funds, then neither you nor the auditor would have much reason to be confident that your organization's money is well managed or protected. The survey results show the same holds true for data: if you don't have a good handle on where your data resides, you're not monitoring who accesses it, and you don't have someone who is responsible for it that regularly reviews and revokes access, you don't have much reason to be confident that your data is well protected.
Organizations that want to improve their data protection posture should:
- Make efforts to map where their third party and other sensitive data resides, either manually or with automation
- Audit all data use
- Assign people to be responsible for data (owners or stewards)
- Have owners review access to data regularly
- Revoke access when it is no longer required
The good news is that most respondents report that their organizations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organizations can increase their data protection maturity. The fairly confident report having all of the fundamental processes and controls in place for at least some of their data; they now need to expand their practice and use to move into the realm of the very confident.
Those organizations that describe themselves as not confident at all have reason to worry, especially those that store data belonging to customers, clients, and business partners. The threat of data theft has been anything but decreasing, and new regulations that mandate better consumer data protection are imminent, along with severe punitive measures for those that fail to keep data secure. Even those that don't report storing third party data should think twice: every organization stores personal information about its employees that deserves protection, and almost every organization is now data driven, meaning that data is too valuable an asset not to protect carefully.
Appendix 1: Scoring Methodology
The following questions contributed to the data protection scores for the respondents. Each response and its point value is listed. Best efforts were made to assign higher scores to those whose responses demonstrated higher levels of control.
How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
- Very Confident, score: 12
- Somewhat Confident, score: 6
- Not Confident, score: 0
- Unsure, score: 0
Do you monitor actual access activity on file shares and SharePoint? (file opens, creates, moves, modifies, deletes)
- All access activity is monitored, score: 12
- Most access activity is monitored, score: 8
- Some access activity is monitored, score: 4
- No access activity is monitored, score: 0
Do you have owners assigned to folders/directories, and SharePoint sites?
- All, score: 12
- Most, score: 8
- Some, score: 4
- None, score: 0
- Have Owners for Groups, score: dependent on responses to the group owner questions below
Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
- Yes, score: depends on next question
- No, score: 0
If yes, how often do they review access?
- More often than twice a year, score: 12
- Twice a year, score: 9
- Once a year, score: 6
- Less than once a year, score: 3
If no, does someone other than data/group owners review access?
- Yes, score: depends on previous question
- No, score: 0
How often do you revoke access to data, aside from when employees leave the organization?
- Regularly, score: 12
- Sometimes, score: 6
- Never, score: 0
(Group Owner Questions)
If you have owners for groups instead of data, can you reliably determine what data the groups have access to?
- Yes, score: depends on next question
- No, score: 0
If you answered yes, then how are you able to determine which groups have access to which data?
- "All data is hidden and only visible by permissions granted" - score: 2
- "Only three people in a group" - score: 2
- "We control the Access to the data" - score: 2
- "It's one click away in any document library in SharePoint 2010" - score: 0
- "Specific groups own specific sites, admin of Site can add users" - score: 4
- "AD group assignment" - score: 2
- "Through recertification" - score: 4
- "Via AD directory control and through DLP data sharing control" - score: 2
- "AD" - score: 2
- "By looking at the security tab to see who has been assigned ownership and what permission level they have. slow and cumbersome process!" - score: 2
The most subjective scoring was for the 10 respondents who reported that they had owners for groups instead of data, and could determine which groups have access to which data. Scoring was performed by judging each individual response. None of the responses seemed to indicate that the organization could easily answer the question, "what data does this group provide access to?" Many responses, in fact, indicated a probable misunderstanding of the capabilities in Active Directory and SharePoint. Active Directory, for example, includes no indication of which specific folders and sites the groups are assigned to (via ACL), unless the organization updates and maintains a description field for each group, manually or otherwise. SharePoint may be able to list which groups have access to a site, but there is no way within SharePoint (to our knowledge) to easily report on every site or library that a given group has access to, either through direct ACL assignment or inheritance.
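The scoring rules above, together with the 0-12-per-activity, 60-point-maximum scheme described in the Data Protection Activities section, can be implemented directly. The following Python is an added example written for this page, not Varonis's own scoring code. It reproduces the point tables, the two branches of the review question (owners review, or someone other than the owners reviews), and the "owners for groups" branch, whose score the report assigned by hand; that hand-judged value is taken here as an explicit integer, and the assumed 0-4 range comes from the scores listed above. The sample responses at the end are constructed, not survey data.

```python
"""Scorer for the Appendix 1 point table (added example, not Varonis's code).

Assumptions: the 'owners for groups' branch takes a hand-judged integer score
in the 0-4 range seen in the appendix; all other point values are copied from
the appendix as published.
"""
from dataclasses import dataclass
from statistics import mean, median
from typing import Optional

# Point values copied from Appendix 1.
KNOW_WHERE = {"very confident": 12, "somewhat confident": 6,
              "not confident": 0, "unsure": 0}
MONITOR = {"all": 12, "most": 8, "some": 4, "none": 0}
OWNERS = {"all": 12, "most": 8, "some": 4, "none": 0}
REVIEW_FREQUENCY = {"more than twice a year": 12, "twice a year": 9,
                    "once a year": 6, "less than once a year": 3}
REVOKE = {"regularly": 12, "sometimes": 6, "never": 0}
ACTIVITIES = ("know_where", "monitor", "owners", "review", "revoke")
MAX_SCORE = 12 * len(ACTIVITIES)  # five activities at 12 points each = 60


@dataclass
class Response:
    know_where: str                      # very confident / somewhat confident / not confident / unsure
    monitor: str                         # all / most / some / none
    owners: str                          # all / most / some / none, or "groups"
    group_owner_score: int = 0           # hand-judged 0-4 when owners == "groups" (assumed range)
    owners_review: bool = False          # do data/group owners review permissions or membership?
    other_reviewer: bool = False         # "if no, does someone other than the owners review access?"
    review_frequency: Optional[str] = None
    revoke: str = "never"                # regularly / sometimes / never


def score_owners(r: Response) -> int:
    """Owners question; the 'owners for groups' branch uses the hand-judged score."""
    if r.owners == "groups":
        if not 0 <= r.group_owner_score <= 4:
            raise ValueError("group-owner score must be 0-4 (assumed range)")
        return r.group_owner_score
    return OWNERS[r.owners]


def score_review(r: Response) -> int:
    """Review question: 'yes' scores by frequency; 'no' scores by frequency only
    if someone other than the owners reviews access, otherwise 0."""
    if r.owners_review or r.other_reviewer:
        if r.review_frequency is None:
            raise ValueError("review frequency is required when access is reviewed")
        return REVIEW_FREQUENCY[r.review_frequency]
    return 0


def score(r: Response) -> dict:
    """Per-activity points plus the 0-60 total for one respondent."""
    parts = {
        "know_where": KNOW_WHERE[r.know_where],
        "monitor": MONITOR[r.monitor],
        "owners": score_owners(r),
        "review": score_review(r),
        "revoke": REVOKE[r.revoke],
    }
    parts["total"] = sum(parts.values())
    return parts


def summarize(responses) -> dict:
    """Average per activity (the radar-plot input) and mean/median of the totals."""
    scored = [score(r) for r in responses]
    return {
        "per_activity": {a: mean(s[a] for s in scored) for a in ACTIVITIES},
        "mean": mean(s["total"] for s in scored),
        "median": median(s["total"] for s in scored),
    }


# Constructed sample responses (not survey data): a best case, a worst case,
# and an "owners for groups" respondent whose access is reviewed by a non-owner.
SAMPLE_RESPONSES = [
    Response("very confident", "all", "all", owners_review=True,
             review_frequency="more than twice a year", revoke="regularly"),
    Response("unsure", "none", "none", revoke="never"),
    Response("somewhat confident", "some", "groups", group_owner_score=2,
             other_reviewer=True, review_frequency="once a year", revoke="sometimes"),
]

if __name__ == "__main__":
    for r in SAMPLE_RESPONSES:
        print(score(r))
    print(summarize(SAMPLE_RESPONSES))
```

The best-case response scores exactly the 60-point maximum the report describes, the worst case scores 0, and the "owners for groups" respondent scores 24: 6 for where-data-resides, 4 for partial monitoring, the hand-judged 2 for group ownership, 6 because a non-owner reviews access once a year, and 6 for revoking sometimes.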
Appendix 2: Responses Regardless of Confidence Level
The following graphs illustrate the distribution of responses regardless of overall confidence level reported.
[Charts, one per question:]
- How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
- Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
- Do you have owners assigned to folders/directories, and SharePoint sites?
- Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
- If yes, how often do they review access?
- How often do you revoke access to data, aside from when employees leave the organization?
- Do you use automation to identify sensitive data?
WORLDWIDE HEADQUARTERS
1250 Broadway, 31st Floor
New York, NY 10001
Phone: 877-292-8767
sales@varonis.com
EUROPE, MIDDLE EAST AND AFRICA
55 Old Broad Street
London, United Kingdom EC2M 1RX
Phone: +44(0)20 3402 6044
sales-europe@varonis.com
About Varonis Systems
Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. The company was named Cool Vendor in Risk Management and Compliance by Gartner, and voted one of the Fast 50 Reader Favorites on FastCompany.com. Varonis has over 3,000 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, with regional offices in Europe, Asia and Latin America.