The State of Data Protection Research Report

Apr 05, 2018

David Ricketts
8/2/2019 The State of Data Protection Research Report

Contents

Executive Summary
Methodology
Findings
Data Protection Confidence
Data Protection Activities
How Confidence Correlates with Action
Contrast: The Very Confident and the Not Confident at All
IT Security Responses
Conclusions and Recommendations
Appendix 1: Scoring Methodology
Appendix 2: Responses regardless of confidence level

THE STATE OF DATA PROTECTION: RESEARCH REPORT

Executive Summary

Over the past year we have witnessed continuing accelerated growth of data, numerous data breaches and the introduction of legislation that mandates new data protection measures. Varonis Systems set out to explore organizational adoption of current data protection practices and confidence levels, and whether variance in protection practices correlated with variance in the confidence levels reported by IT professionals.

The results of our survey show that while 80% of organizations store data that belongs to their customers, clients, vendors, or business partners (third party data), only 30% of those organizations describe themselves as very confident that the data stored in their organization is protected. Those that do not store third party data fare even worse: only 15% say they are very confident that data held by their organization is protected.

Furthermore, there is a clear correlation between basic data protection activities and controls and data protection confidence levels: those organizations that describe themselves as confident also report that they know where their third party data resides, audit data use, have defined owners for their data, and conduct regular reviews of access. Those that describe themselves as not confident at all are conspicuously the opposite: they are unsure where third party data resides, do not audit data use, do not have defined owners, and do not regularly review access.

Methodology

In March of 2012, Varonis introduced an online survey consisting of 13 questions. The survey was distributed to the IT community through online channels (email, social media, blog, etc.), and over 200 individuals from over 200 organizations participated. The survey's questions were constructed to:

• Determine the percentage of companies that knowingly store data that belongs to their customers, business partners, and other third parties
• Measure IT staff confidence in how well their organization protects data
• Assess what percentage of organizations sampled perform various data protection tasks
• Survey whether organizations have implemented specific technical controls

The pages that follow contain findings and analysis by Varonis staff.

Findings

According to the respondents, the sizes of their respective organizations (by number of employees) fell into the following distribution:

Of all the organizations surveyed, 80% answered yes to the question, "Do you store data from customers, clients, vendors, or business partners?"

Chart: Do you store data from customers, clients, vendors, or business partners?

Data Protection Confidence

When asked, "How confident are you that the data stored within your organization is protected?" and provided a choice of very confident, somewhat confident, not confident at all, or unsure, the answers fell into a distribution where most organizations felt fairly confident, 26% were very confident, and 18% were not confident at all. In order to more easily compare one segment of the respondents with another, the same results are shown as a bar graph:

Chart: How confident are you that the data stored within your organization is protected?

Confidence levels varied somewhat between those that reported storing third party data and those that did not, with those that store third party data reporting somewhat higher confidence levels than those that do not:

Chart: Confidence level, those that store 3rd party data vs. those that do not store 3rd party data

Confidence level also varied with company size, as follows:

Twenty-seven respondents reported that their organizations employ 5,000-10,000 people. Seven of these respondents (35%) claimed to be not confident at all about their organization's data protection, noticeably worse than organizations on either side of the size spectrum.

Data Protection Activities

The following data protection questions asked the respondents to score their organization's knowledge of where third party data is stored, how completely it audits its use of data, whether it has designated someone to be responsible for data (data owners), whether data owners review access, and whether the organization regularly revokes access to data.

1. How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
2. Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
3. Do you have owners assigned to folders/directories, and SharePoint sites?
4. Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
   a. If yes, how often do they review access?
5. How often do you revoke access to data, aside from when employees leave the organization?

Each response was then assigned a point value from 0 to 12, with those reporting to excel at an activity scoring a 12, and those not doing the activity at all a 0. With five scored activities, the highest possible score was 60 points. (To see the scoring methodology in detail, please refer to Appendix 1.)

For a respondent to get 60 points, they needed to be very confident their organization knows where third party data resides, monitor all access activity, have owners that review access to data more than twice a year, and revoke access regularly. The average score was 25, the median 24.
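As an added example that is not part of the Varonis report: on a Windows file server, the access monitoring that question 2 asks about (file opens, creates, moves, modifies, deletes) surfaces as Security log event 4663, "An attempt was made to access an object". Those events are only written once the "Audit File System" subcategory is enabled and the audited folders carry a SACL. The script below flattens 4663 events into the per-user, per-access-type summary a data owner could review, and separately lists deletes and permission changes. The domain, user and path names are invented, the sample records are constructed, and the access-mask table covers only the bits that correspond to the survey's wording.

```powershell
# Added example, not from the Varonis report. Summarises Security log event 4663
# (file-system object access) into the opens/creates/modifies/deletes view the survey
# asks about. Requires "Audit File System" auditing and a SACL on the audited folders.
# Names, paths and the sample records below are constructed for illustration.

# Bits of the 4663 AccessMask that correspond to the survey's wording.
$AccessNames = [ordered]@{
    0x1     = 'Read'      # ReadData: file opened for reading
    0x2     = 'Write'     # WriteData: file modified
    0x4     = 'Append'    # AppendData: file created or extended
    0x10000 = 'Delete'    # DELETE: a delete, or the source side of a move/rename
    0x40000 = 'WriteDAC'  # permissions on the object were changed
}

function Convert-AccessMask {
    param([int]$Mask)
    $names = foreach ($bit in $AccessNames.Keys) { if ($Mask -band $bit) { $AccessNames[$bit] } }
    if ($names) { $names -join '+' } else { '0x{0:X}' -f $Mask }
}

# Flatten one live 4663 record from Get-WinEvent. The Data element names
# (SubjectUserName, ObjectName, AccessMask, ...) are those in the event's XML payload.
function ConvertFrom-Event4663 {
    param([Parameter(Mandatory, ValueFromPipeline)][System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    process {
        $d = @{}
        foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time   = $Event.TimeCreated
            User   = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
            Object = $d.ObjectName
            Access = Convert-AccessMask -Mask ([int]$d.AccessMask)
        }
    }
}

# Who touched which data, and how: the view a data owner would review.
function Get-AccessSummary {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records |
        Group-Object -Property User, Access |
        Sort-Object -Property Count -Descending |
        Select-Object -Property Count, Name
}

# Destructive and permission-changing activity is the part worth alerting on.
function Get-SensitiveAccess {
    param([Parameter(Mandatory)][object[]]$Records)
    $Records | Where-Object { $_.Access -match 'Delete|WriteDAC' } | Sort-Object -Property Time
}

# Constructed sample records, shaped like ConvertFrom-Event4663 output.
$sample = @(
    [pscustomobject]@{ Time = [datetime]'2012-03-05 09:01'; User = 'CONTOSO\alice'; Object = 'F:\Shares\Finance\Q1.xlsx'; Access = 'Read' }
    [pscustomobject]@{ Time = [datetime]'2012-03-05 09:02'; User = 'CONTOSO\alice'; Object = 'F:\Shares\Finance\Q1.xlsx'; Access = 'Write' }
    [pscustomobject]@{ Time = [datetime]'2012-03-05 09:15'; User = 'CONTOSO\bob';   Object = 'F:\Shares\Finance\Q1.xlsx'; Access = 'Read' }
    [pscustomobject]@{ Time = [datetime]'2012-03-05 09:40'; User = 'CONTOSO\bob';   Object = 'F:\Shares\Finance\old\';    Access = 'Delete' }
    [pscustomobject]@{ Time = [datetime]'2012-03-05 10:05'; User = 'CONTOSO\carol'; Object = 'F:\Shares\Finance\';        Access = 'WriteDAC' }
)

Get-AccessSummary -Records $sample | Format-Table -AutoSize
Get-SensitiveAccess -Records $sample | Format-Table -AutoSize

# Against a live server (run elevated), feed real events instead of $sample:
# $live = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddDays(-1) } |
#         ConvertFrom-Event4663
# Get-AccessSummary -Records $live
```

Two practical caveats. Windows does not log a move as one event: the source path appears with Delete access, and reconstructing the move means pairing that event with the activity on the destination path. And 4663 on a busy share is high-volume, so in practice the events are forwarded to a SIEM and summarised there rather than read from the server's own log; the grouping logic is the same either way.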

Chart: Score Distribution

The averages for each data protection activity are in the radar plot below. Respondents averaged highest in identifying data owners and revoking access regularly, and worst in monitoring access activity and having the data/group owners review access.

Most of those that described themselves as not confident at all also scored on the lower end of the distribution for data protection tasks, the fairly confident clustered in the middle, and the very confident gravitated toward the higher end of the spectrum. None of those that rated themselves as not confident at all scored in the 40-60 point range.

Chart: Average Score per Activity

Chart: Score Distribution and Confidence Level

How Confidence Correlates with Action

Those organizations that were not confident at all rated themselves much lower on all data protection activities relative to their very confident and fairly confident peers, with very wide gaps for knowing where third party data resides, having owners for data, and monitoring access activity.

Contrast: The Very Confident and the Not Confident at All

Overall, those that described themselves as very confident in response to the question, "How confident are you that the data stored within your organization is protected?" differed from those that described themselves as not confident at all on specific data protection and governance questions. Here are their responses side by side (the very confident vs. the not confident at all):

Chart: How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
Chart: Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
Chart: Do you have owners assigned to folders/directories, and SharePoint sites?
Chart: Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
Chart: If yes, how often do they review access?
Chart: How often do you revoke access to data, aside from when employees leave the organization?
Chart: Do you use automation to identify sensitive data?

IT Security Responses

One interesting statistic was the confidence level of IT security personnel: their responses fell more into either extreme, with a higher percentage saying they are either very confident (33%) or not confident at all (26%). 27 respondents described themselves as performing an IT security function.

Interestingly, the gaps between the very confident and the other confidence levels were wider than for non-security personnel, especially in access activity monitoring and knowing where third party data resides. The gaps between the fairly confident and the not confident at all were narrower for security personnel than for non-security personnel.

Chart: How confident are IT Security personnel?

Chart: IT Security Scores Per Activity

Conclusions and Recommendations

If an auditor determined that your organization didn't know where its money was stored, no one reviewed (or even had) monthly statements, and no one was responsible for reviewing and deciding who should be able to withdraw funds, then neither you nor the auditor would have much reason to be confident that your organization's money is well managed or protected. The survey results show the same holds true for data: if you don't have a good handle on where your data resides, you're not monitoring who accesses it, and you don't have someone who is responsible for it that regularly reviews and revokes access, you don't have much reason to be confident that your data is well protected.

Organizations that want to improve their data protection posture should:

• Make efforts to map where their third party and other sensitive data resides, either manually or with automation
• Audit all data use
• Assign people to be responsible for data (owners or stewards)
• Have owners review access to data regularly
• Revoke access when it is no longer required

The good news is that most respondents report that their organizations have at least partially implemented fundamental processes and controls for data protection, and there is a clear blueprint for how organizations can increase their data protection maturity. The fairly confident report having all of the fundamental processes and controls in place for at least some of their data; they now need to expand their practice and use to move into the realm of the very confident.

Those organizations that describe themselves as not confident at all have reason to worry, especially those that store data belonging to customers, clients, and business partners. The threat of data theft has been anything but decreasing, and new regulations that mandate better consumer data protection are imminent, along with severe punitive measures for those that fail to keep data secure. Even those that don't report storing third party data should think twice: every organization stores personal information about its employees that deserves protection, and almost every organization is now data driven, meaning that data is too valuable an asset not to protect carefully.

Appendix 1: Scoring Methodology

The following questions contributed to the data protection scores for the respondents. Each response and point value is listed. Best efforts were made to assign higher scores to those whose responses demonstrated higher levels of control.

How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
  Very Confident: 12
  Somewhat Confident: 6
  Not Confident: 0
  Unsure: 0

Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
  All access activity is monitored: 12
  Most access activity is monitored: 8
  Some access activity is monitored: 4
  No access activity is monitored: 0

Do you have owners assigned to folders/directories, and SharePoint sites?
  All: 12
  Most: 8
  Some: 4
  None: 0
  Have owners for groups: dependent on responses to the group owner questions, below

Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
  Yes: depends on next question
  No: 0

If yes, how often do they review access?
  More often than twice a year: 12
  Twice a year: 9
  Once a year: 6
  Less than once a year: 3

If no, does someone other than data/group owners review access?
  Yes: depends on previous question
  No: 0

How often do you revoke access to data, aside from when employees leave the organization?
  Regularly: 12
  Sometimes: 6
  Never: 0

(Group Owner Questions)

If you have owners for groups instead of data, can you reliably determine what data the groups have access to?
  Yes: depends on next question
  No: 0

If you answered yes, then how are you able to determine which groups have access to which data? (Free-text responses, scored individually.)
  "All data is hidden and only visible by permissions granted": 2
  "Only three people in a group": 2
  "We control the Access to the data": 2
  "It's one click away in any document library in SharePoint 2010": 0
  "Specific groups own specific sites, admin of Site can add users": 4
  "AD group assignment": 2
  "Through recertification": 4
  "Via Ad directory control and through DLP data sharing control": 2
  "AD": 2
  "By looking at the security tab to see who has been assigned ownership and what permission level they have. slow and cumbersome process!": 2

The most subjective scoring was for the 10 respondents who reported that they had owners for groups instead of data, and could determine which groups have access to which data. Scoring was performed by judging each individual response. None of the responses seemed to indicate that the organization could easily answer the question, "What data does this group provide access to?" Many responses, in fact, indicated a probable misunderstanding of the capabilities of Active Directory and SharePoint. Active Directory, for example, includes no indication of which specific folders and sites a group is assigned to (via ACL), unless the organization updates and maintains a description field for each group, manually or otherwise. SharePoint may be able to list which groups have access to a site, but there is no way within SharePoint (to our knowledge) to easily report on every site or library that a given group has access to, either through direct ACL assignment or inheritance.
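As an added example (not code from the report or from Varonis): the question the paragraph above says none of the ten respondents could readily answer, "what data does this group provide access to?", can be answered for a Windows file share by walking the folder tree and comparing every ACE against the group's SID and the SIDs of the groups it is nested in, since an ACE granting a parent group grants this group's members as well. The group name and share path are placeholders; the script assumes the ActiveDirectory module (RSAT) is installed and that the account running it can read every folder's security descriptor. It covers NTFS shares only, not SharePoint.

```powershell
# Added example, not from the Varonis report. Answers "what data does this group
# provide access to?" for a Windows file share by matching every ACE in the tree
# against the group's SID and the SIDs of all groups that (transitively) contain it.
# Group and share names are placeholders; needs the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# The group plus every group it is nested in, keyed by SID. Returned as a hashtable
# so ACE matching below is a lookup rather than a name comparison.
function Get-ContainingGroups {
    param([Parameter(Mandatory)][string]$SamAccountName)
    $seen  = @{}
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue((Get-ADGroup -Identity $SamAccountName -Properties MemberOf))
    while ($queue.Count -gt 0) {
        $g = $queue.Dequeue()
        if ($seen.ContainsKey($g.SID.Value)) { continue }   # nested-group cycles are legal in AD
        $seen[$g.SID.Value] = $g.SamAccountName
        foreach ($parentDn in $g.MemberOf) {
            $queue.Enqueue((Get-ADGroup -Identity $parentDn -Properties MemberOf))
        }
    }
    $seen
}

function Find-GroupAccess {
    param(
        [Parameter(Mandatory)][string]$GroupName,   # e.g. 'Finance-RO' (placeholder)
        [Parameter(Mandatory)][string]$Root,        # e.g. '\\fs01\finance' (placeholder)
        [switch]$ExplicitOnly                       # only folders where an ACE was actually set
    )
    $sids = Get-ContainingGroups -SamAccountName $GroupName

    # Walk the tree; remember subtrees we could not list instead of silently skipping them,
    # since an unlisted folder is exactly the "don't know where data resides" gap.
    $walkErrors = @()
    $dirs = @(Get-Item -LiteralPath $Root) +
            @(Get-ChildItem -LiteralPath $Root -Directory -Recurse -ErrorAction SilentlyContinue -ErrorVariable walkErrors)
    foreach ($e in $walkErrors) { Write-Warning "Could not list: $($e.TargetObject)" }

    foreach ($dir in $dirs) {
        try { $acl = Get-Acl -LiteralPath $dir.FullName -ErrorAction Stop }
        catch { Write-Warning "Could not read ACL: $($dir.FullName)"; continue }

        # Ask for SID-typed identities so matching does not depend on name resolution.
        $rules = $acl.GetAccessRules($true, (-not $ExplicitOnly), [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            if ($sids.ContainsKey($sid)) {
                [pscustomobject]@{
                    Path      = $dir.FullName
                    Via       = $sids[$sid]          # the group whose ACE grants the access
                    Rights    = $ace.FileSystemRights
                    Type      = $ace.AccessControlType
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Usage (placeholder names): every folder under the finance share that Finance-RO can
# reach, directly or through a parent group, with the rights granted.
# Find-GroupAccess -GroupName 'Finance-RO' -Root '\\fs01\finance' | Format-Table -AutoSize
# Find-GroupAccess -GroupName 'Finance-RO' -Root '\\fs01\finance' -ExplicitOnly
```

By default inherited ACEs are included, so the output is the full set of folders the group can reach, with Inherited marking which ones merely inherit from a parent. -ExplicitOnly narrows the list to the folders where an ACE was actually set, which is the shorter list an owner would review and the one to check when deciding what to revoke. The Via column matters for the same reason: an entry granted through a parent group can only be revoked by changing group membership, not by editing the folder's ACL.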

Appendix 2: Responses regardless of confidence level

The following graphs illustrate the distribution of responses regardless of overall confidence level reported.

Chart: How confident are you that you know where all data containing information about customers, vendors, and other business partners resides?
Chart: Do you monitor actual access activity on file shares and SharePoint? (File opens, creates, moves, modifies, deletes)
Chart: Do you have owners assigned to folders/directories, and SharePoint sites?
Chart: Do data and/or group owners review permissions to their folders, and SharePoint sites, or members of their groups?
Chart: If yes, how often do they review access?
Chart: How often do you revoke access to data, aside from when employees leave the organization?
Chart: Do you use automation to identify sensitive data?

WORLDWIDE HEADQUARTERS
1250 Broadway, 31st Floor
New York, NY 10001
Phone: 877-292-8767
sales@varonis.com

EUROPE, MIDDLE EAST AND AFRICA
55 Old Broad Street
London, United Kingdom EC2M 1RX
Phone: +44(0)20 3402 6044
sales-europe@varonis.com

About Varonis Systems

Varonis is the leader in unstructured and semi-structured data governance for file systems, SharePoint and NAS devices, and Exchange servers. The company was named Cool Vendor in Risk Management and Compliance by Gartner, and voted one of the Fast 50 Reader Favorites on FastCompany.com. Varonis has over 3,000 installations worldwide. Based on patented technology and a highly accurate analytics engine, Varonis solutions give organizations total visibility and control over their data, ensuring that only the right users have access to the right data at all times. Varonis is headquartered in New York, with regional offices in Europe, Asia and Latin America.
