All posts by Jennifer LuPiba

One Year Out: 75% of Organizations Will Struggle to Meet EU GDPR Regulations by Deadline, Survey Finds

Today we released the findings of an independent survey probing attitudes towards the EU General Data Protection Regulation (GDPR), which comes into effect one year from today. The survey, which polled 500 IT decision makers in the UK, Germany, France and the U.S., found that 75% of organizations expect to struggle to be ready by the deadline, and 42% say GDPR is not a priority for their businesses, despite the threat of fines of up to 4% of global annual turnover or €20 million, whichever is greater.

Here’s an infographic highlighting the key findings and the top 3 listed challenges:

Read the full survey here.

Varonis helps organizations meet these requirements and builds a framework for GDPR compliance.

  • Identify where personal data is located (NAS, SharePoint, cloud storage, etc.) and meet the accountability obligations that attach to it.
  • Monitor and audit data access and permission changes, and keep records of data processing activities.
  • Remove global access groups and over-exposed data so that personal and sensitive information is available only on a need-to-know basis.
  • Apply a least privilege model, providing security and protection for personal data by design and by default.
  • Limit data retention and comply with the right to erasure (the "right to be forgotten"): establish retention procedures and systems so that data is never stored longer than necessary.

Are you prepared for GDPR?

Click here to get your own (free) risk assessment.


The independent survey on attitudes towards GDPR was commissioned by Varonis and carried out by Vanson Bourne. Respondents were 500 IT decision makers of organizations with 1,000+ employees comprised of 100 respondents each in the United Kingdom, France and Germany and 200 in the United States.  The survey was conducted between 17th April and 9th May 2017.

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Last night, Varonis’ Brian Vecci, Technical Evangelist, sat down with Andrea Day of CNBC’s Nightly Business Report to discuss the recent WannaCry outbreak, where it goes from here and lessons to be learned. You can watch the full clip here.

“We’re playing catch up because of how much data and how much complexity and how blind we’ve been to these kinds of attacks.”

  • What’s the latest on the attack: We know how to prevent WannaCry right now, but it’s the canary in the coal mine – it’s showing everyone just how critical file security is and how much damage can be done.
  • Lessons for health care industry: It’s not just patient records or other regulated data that can cause problems – it’s all files. Basic security best practices would have made a big difference: patching systems that store files, making sure they’re not open to everyone, and close monitoring so you know when something goes wrong.
  • Can other industries be affected? Absolutely – everyone has files, and what we’re seeing with WannaCry is that it’s not just the regulated data that industries like finance and healthcare need to worry about, it’s everything. If holding files hostage can stop a hospital from working, the same thing can happen to a bank, a law firm, a police network or a power plant, or anyone else.
  • How companies can protect themselves: Start with the basics – keep your systems up to date and patched. Make sure files aren’t open to everyone, and monitor everything so you know when something goes wrong.

Read more about the WannaCry outbreak, its evolution and what you need to know in this blog post (with a list of additional helpful links).

Adylkuzz: How WannaCry Ransomware Attack Alerted The World To Even Worse Th...

Image: Canadian Institute of Mining, CC-BY

Your garden-variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully, announces bigger security issues: insider threats and cyberattacks that take advantage of employees having far more access to files than they need. As disruptive as WannaCry has been to vulnerable organizations, this is their canary-in-the-coal-mine moment, and it should alert them to more damaging attacks that don't announce their presence, like the cryptocurrency miner Adylkuzz.

Researchers at Proofpoint have identified an attack that is larger and sneakier than WannaCry, and one that may even have slowed WannaCry's spread. Adylkuzz is malware that uses the same leaked NSA exploits as WannaCry, but instead of announcing itself it quietly installs a hidden program that mines cryptocurrency for the attackers. More interesting still, once it is running Adylkuzz blocks SMB traffic to the machine so that nothing else, WannaCry included, can infect it through the same hole.

Upon successful exploitation via EternalBlue, machines are infected with the DoublePulsar backdoor, which then downloads and runs Adylkuzz from another host. Once running, Adylkuzz first stops any instances of itself that are already running and blocks SMB communication to prevent further infection. It then determines the victim's public IP address and downloads the mining instructions, the cryptominer and cleanup tools.

Proofpoint observed over 20 hosts scanning and launching attacks, and more than a dozen command and control (C&C) servers active at any given time. Within 20 minutes of connecting a test computer that still carried the vulnerability to the Internet, it was infected with Adylkuzz.

In this case, instead of your files being held hostage, your processing power is drained and the attackers pocket the Monero your machines mined for them. But none of this compares to the attacker who decides to play the long game with DoublePulsar and EternalBlue, stealthily surveying and exfiltrating every health record, student record, piece of intellectual property and incriminating email they can reach.

WannaCry proved that the bad guys will find their way past any perimeter. Defense in depth should be on your mind. The value of information and of the systems that store it is clear: very few organizations can function when their data is inaccessible, and none can function when their data is stolen and their reputation destroyed. If you don't address the vulnerabilities surrounding your data and systems, you will lose. Obviously you need to patch, but you can't stop there; keep questioning your layers of defense: What if a user's account or system is compromised? What data can that account access? How would I see abuse? What would it mean if this data were lost or stolen?

No one can prepare for every possible scenario, but organizations need to raise their game. If an organization is patched, restricts employee access to data and systems, and monitors and alerts on unusual activity, they should be in reasonably good shape to withstand this and other attacks.

Varonis stops ransomware by 1) reducing what normal employee accounts can access (pruning privileges they don't need), 2) watching how users use data to spot attacks like ransomware in progress, and 3) automatically locking out offending accounts.

Learn how we're helping our customers spot and stop ransomware and other insider threats.

Verizon DBIR 2017: “Look Kids, There’s Big Ben!”

The Verizon 2017 Data Breach Investigations Report (DBIR) is out in all its pithy and witty glory, and yet given the actual content, Verizon missed an opportunity to quote Clark Griswold from his European Vacation: “Hey look kids, there’s Big Ben, and there’s Parliament… again.”

The biggest takeaway from my review of the DBIR is that organizations are stuck on a great big roundabout, passing the same risks and the same bad guys again and again. Financially and espionage-driven hackers and insiders are not going away. These actors continue to take advantage of loose access controls, malware, compromised credentials and phishing to steal, in a matter of minutes or days, personal and financial data, corporate proprietary information and other sensitive files.

In our recently released 2017 Varonis Data Risk Report, we found that overly permissive access to files and stale data expose organizations to the same issues uncovered in the DBIR. On average, 20% of all folders on a corporate network are open to every employee, and in 47% of cases, 1,000 or more sensitive files are exposed to everyone!

Insider and Privilege Misuse…Again

Every year we’ve seen this category hold prominence in the DBIR, and we don’t have to search the news too far back to find an example of a financially- or espionage-driven case of insider attack. Just look at the ongoing case of Google’s Waymo vs. Uber and Otto where a former employee is accused of taking more than 14,000 files of proprietary designs to a competitor.

In 2016, 70% of insider breaches took months or years to detect; this year that number is down to 63%, which is still months or years to detection. When 71% of those attacks go after the personal information of employees, customers and patients, that is a big head start over those of us whose personal data has been compromised. It should be a major motivator for every organization that needs to meet the upcoming EU GDPR, which regulates the protection, access and disposal of personal information.

Ransomware Received a Promotion

Last year Verizon labeled ransomware a high-frequency, low-impact annoyance; we're glad to see them take it more seriously this year by recognizing its rise from 22nd to 5th among the most common malware varieties. Ransomware has grown into a $1 billion industry with more than 100,000 infections a day and an as-a-service model to rival its legitimate counterparts. It is now a board-room discussion, causing major productivity outages and even data loss.

Verizon makes good recommendations for malware detection technologies and education, but, as they note, people get clicky-clicky when it comes to emails and ads and therefore payloads circumvent their defenses. If this were the SAT, we’d write this analogy:

Bugs Bunny is to Elmer Fudd as ransomware is to endpoint protection.

Malware will get past endpoint security and malware detection, so organizations need to minimize an attack’s footprint by reducing access rights and monitoring the unique behavior of each individual.

We found that users have way more access to data than they need to do their jobs. Remember the 20% stat from the 2017 Varonis Data Risk Report I mentioned earlier? Imagine if ransomware encrypted 20% of your file shares simply because of global access and a single infected user!

Just as Cerber got around perimeter defenses by delivering its executable from a Dropbox link, future ransomware variants will keep outsmarting the outer defenses. When access rights are reduced and behavior is monitored, that malware can be spotted and stopped as soon as it starts touching data.

Password Hygiene Still Stinks

It's 2017 and yet our password hygiene follows the same bathing practices that preceded the Black Plague: non-existent! 81% of hacking-related breaches involved weak or stolen credentials, an 18-point increase from last year. Password reuse is as common as a baby's first babbles, or the Facebook CEO's social media password, "dadada."

We've seen billions of breached records across thousands of Internet services, and these mega breaches have a ripple effect. Attackers take the exposed usernames and passwords and try them against other services, like LinkedIn and Gmail. Even if a site itself hasn't been breached, an inordinate number of its users reuse the same username and password for every service, which leaves all of their accounts exposed as soon as any one of them leaks.

Disposal Errors Will Create a Mess for GDPR

The report’s classification of disposal errors is spot on! While it’s third on the list, the fact that it’s actually on the list and accounts for 10% of miscellaneous errors (up from 6.5% in 2016) is a major palm-in-face moment.  That’s like throwing out your old tax returns in a box marked tax returns instead of shredding and placing them in the dirty diaper bag.

With new regulations like the upcoming GDPR, there's no room for "oops" in the safe disposal of EU citizens' data that a data subject has asked to have erased or that has outlived its original purpose. Failure to properly identify and dispose of that data raises an organization's chance of a data breach and can result in a major fine. In the 2017 Varonis Data Risk Report, we found that 71% of all folders contain stale data; that means we're feeding and caring for a lot of data that isn't useful and could become a liability if lost or stolen.

If you feel you’re stuck on this roundabout, passing the same risks and cyber bad guys again and again, then let us help you find your exit so you can keep driving your security and business needs forward.  Take a (free) risk assessment to find out what vulnerabilities lurk in your environment.

2017 Varonis Data Risk Report: 47% Had at Least 1,000 Sensitive Files Exposed

Today we released the 2017 Varonis Data Risk Report, showcasing an alarming level of exposure for corporate and sensitive files across organizations, including an average of 20% of folders per organization open to every employee.

Using the Varonis Data Security Platform (DSP), Varonis conducted over a thousand risk assessments for customers and prospective customers on a subset of their file systems. Each assessment gives insight into the risks associated with corporate data, identifies where sensitive and regulated data resides, reveals over-exposed and high-risk areas and makes recommendations to improve the organization's data security posture.

Here is a sample of the risks discovered:

Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organization to data breaches, insider threats and crippling ransomware attacks.  By identifying and reducing exposed data through global access, broken ACLs and unique permissions, organizations are able to decrease their attack footprint and maintain compliance standards.
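As an added example (not Varonis code, and not how the DSP does it), here is one way to take the global-access question raised in the GDPR checklist, the DBIR post and this report and answer it from a plain `icacls` dump of a share: capture `icacls <share-root> /T` on the file server, then parse the text offline and flag every path where Everyone, Authenticated Users or Domain Users holds an allow ACE. The listing embedded below is constructed to mirror icacls output, and the set of groups treated as "every employee" is an assumption to adjust for your domain. It goes a step beyond the report's headline figure by separating write from read exposure and inherited from explicit grants, which is what decides where to cut first.

```python
"""Flag paths whose DACL grants access to 'global' groups, from the text output of
`icacls <share-root> /T` captured on the file server and analysed offline. Added
example, not Varonis code: the listing is constructed to mirror icacls output and
the groups treated as "every employee" are an assumption to adjust per domain."""
import re
from dataclasses import dataclass

GLOBAL_PRINCIPALS = {"everyone", "nt authority\\authenticated users", "builtin\\users"}
GLOBAL_SUFFIXES = ("\\domain users", "\\domain computers")   # any DOMAIN\Domain Users
# icacls simple rights and detailed-rights tokens that permit modification.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WA", "DE", "DC", "WDAC", "WO", "GW", "GA"}
INHERITANCE_FLAGS = {"OI", "CI", "IO", "NP", "I"}
# One ACE as icacls prints it: PRINCIPAL:(flag)(flag)...(rights)
ACE_RE = re.compile(r"^(?P<principal>(?:NT AUTHORITY|NT SERVICE|BUILTIN|CREATOR OWNER|[^\s\\]+)"
                    r"(?:\\[^:\\]+)?):(?P<flags>(?:\([^)]*\))+)$")
FLAG_RE = re.compile(r"\(([^)]*)\)")

SAMPLE_LISTING = r"""D:\Shares\Finance BUILTIN\Administrators:(OI)(CI)(F)
                  NT AUTHORITY\SYSTEM:(OI)(CI)(F)
                  CORP\Finance-Users:(OI)(CI)(M)
D:\Shares\Finance\Payroll 2016 BUILTIN\Administrators:(I)(OI)(CI)(F)
                               Everyone:(OI)(CI)(M)
D:\Shares\Finance\Payroll 2016\salaries.xlsx CORP\Finance-Users:(I)(M)
                                             Everyone:(I)(M)
D:\Shares\HR CORP\Domain Users:(OI)(CI)(RX)
             NT AUTHORITY\Authenticated Users:(OI)(CI)(DENY)(W)
D:\Shares\Legal CORP\Legal-Staff:(OI)(CI)(M)
                BUILTIN\Administrators:(OI)(CI)(F)

Successfully processed 5 files; Failed processing 0 files
"""

@dataclass(frozen=True)
class Finding:
    path: str
    principal: str
    access: str       # "write" or "read"
    inherited: bool   # ACE carries (I): the grant was actually made on a parent

def _blocks(text):
    """Group the listing into (path_line, continuation_indent, [ace, ...])."""
    block = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.startswith("Successfully processed"):
            continue
        if line[0] == " ":                      # further ACE for the current path
            if block is not None:
                block[1] = block[1] or len(line) - len(line.lstrip(" "))
                block[2].append(line.strip())
        else:                                   # new path with its first ACE
            if block is not None:
                yield tuple(block)
            block = [line, 0, []]
    if block is not None:
        yield tuple(block)

def _split_path_line(line, indent):
    """Split 'D:\\path with spaces PRINCIPAL:(flags)' into (path, ace). icacls indents
    a path's remaining ACEs by len(path)+1, which resolves paths containing spaces;
    a single-ACE path falls back to trying each space from the left."""
    if 0 < indent < len(line) and line[indent - 1] == " " and ACE_RE.match(line[indent:]):
        return line[:indent - 1], line[indent:]
    idx = line.find(" ")
    while idx != -1:
        if ACE_RE.match(line[idx + 1:]):
            return line[:idx], line[idx + 1:]
        idx = line.find(" ", idx + 1)
    return line, None                           # e.g. "...: Access is denied."

def parse_icacls(text):
    """Yield (path, principal, [flag, ...]) for every ACE in the listing."""
    for first, indent, rest in _blocks(text):
        path, ace = _split_path_line(first, indent)
        for entry in ([ace] if ace else []) + rest:
            m = ACE_RE.match(entry)
            if m:
                yield path, m.group("principal"), FLAG_RE.findall(m.group("flags"))

def is_global(principal):
    p = principal.lower()
    return p in GLOBAL_PRINCIPALS or p.endswith(GLOBAL_SUFFIXES)

def classify(flags):
    """'write', 'read', or None for a deny / no-access ACE."""
    if "DENY" in flags or "N" in flags:
        return None
    rights = {t.strip() for f in flags if f not in INHERITANCE_FLAGS for t in f.split(",")}
    return "write" if rights & WRITE_RIGHTS else "read"

def find_global_access(text):
    """Every ACE that hands a global group read or write access to a path."""
    findings = []
    for path, principal, flags in parse_icacls(text):
        access = classify(flags) if is_global(principal) else None
        if access:
            findings.append(Finding(path, principal, access, "I" in flags))
    return findings

def exposure_ratio(text):
    """(paths open to a global group, paths in the listing)."""
    paths = {p for p, _, _ in parse_icacls(text)}
    return len({f.path for f in find_global_access(text)}), len(paths)

if __name__ == "__main__":
    for f in find_global_access(SAMPLE_LISTING):
        print(f"{f.access:5} {'inherited' if f.inherited else 'explicit '} {f.principal} -> {f.path}")
    print("exposed %d of %d paths" % exposure_ratio(SAMPLE_LISTING))
```

Run it over a real dump with `icacls D:\Shares /T > acl.txt` and `find_global_access(open("acl.txt").read())`. A deny ACE on a global group is deliberately not counted as exposure, and an inherited finding points back to the parent folder where the grant was made, which is where the remediation belongs; on the constructed listing above, the explicit Everyone grant on "Payroll 2016" is the one to fix, and salaries.xlsx is only exposed because it inherits from it.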

“We found files with sensitive PII in places it should not have been,” said a Chief Security Officer for a state and local government in a recent TechValidate customer survey.

According to that same survey, 68% of end users perform a risk assessment to validate security concerns, 95% agree that the risk assessment helped them identify at-risk, sensitive and classified data and build a plan of attack to reduce the likelihood of a data breach and 82% rate global access remediation a top priority after seeing the results.

“The initial assessment gets the immediate attention of management, which then assists in building and executing the internal remediation process,” said a Security Manager at a beverage company in the same TechValidate customer survey. “Varonis does an excellent job of identifying internal data security vulnerabilities.”

Download the 2017 Varonis Data Risk Report here and then request your own risk assessment.

Varonis Data Security Platform Listed in Gartner 2017 Market Guide for Data-Centric Audit and Protection

In 2005, our founders had a vision to build a solution focused on protecting the data organizations have the most of and yet know the least about – files and emails.  Executing on this vision, Varonis has built an innovative Data Security Platform (DSP) to protect enterprise data against insider threats, data breaches and cyberattacks.

To this end, we are pleased to be listed as a representative vendor in Gartner’s 2017 Market Guide for Data-Centric Audit and Protection (DCAP) for the capabilities found within our DSP.

According to Gartner, “By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today.”

“Traditional data security approaches are limited because the manner in which products address policy is siloed, and thus the organizational data security policies themselves are siloed,” Gartner said in the guide. “The challenge facing organizations today is that data is pervasive and does not stay in a single silo on-premises, but is compounded by the use of cloud SaaS or IaaS. There is a critical need to establish organization wide data security policies and controls based upon Data Security Governance (DSG).”

Gartner recommends that organizations “implement a DCAP strategy, and ‘shortlist’ products that orchestrate data security controls consistently across all silos that store the sensitive data.” Further, the report advises, “A vendor’s ability to integrate these capabilities across multiple silos will vary between products and also in comparison with vendors in each market subsegment. Below is a summary of some key features to investigate:”

  • Data classification and discovery
  • Data security policy management
  • Monitoring user privileges and data access activity
  • Auditing and reporting
  • Behavior analysis, alerting and blocking
  • Data protection

The Varonis DSP protects enterprise data by analyzing content, accessibility of data and the behavior of the people and machines that access data to alert on misbehavior, enforce a least privilege model and automate data management functions.

Explore the use cases and benefits of a DSP today.

Source: Gartner Market Guide for Data-Centric Audit and Protection, March 21, 2017

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.


Ransomware: What happens when the first layer of defense fails?

76% of respondents see ransomware as a major business threat today, according to a recent Information Security Media Group (ISMG) survey, “2017 Ransomware Defense Survey: The Empire Strikes Back,” aimed at understanding the true impact of ransomware on organizations.

While this news isn't worth breaking into the latest episode of Madam Secretary for, what follows in the Varonis-sponsored survey is an alarming disconnect between perception and reality: how these attacks actually happen versus how organizations think they defend against them.

Key findings among the results:

  • 83% of respondents are confident their endpoint security will detect ransomware before it spreads from a workstation to critical files on file shares.
  • But only 21% say their anti-malware solution is completely effective at protecting their organization from ransomware.
  • 44% of respondents say users are the single biggest weakness in the security chain behind the surge in ransomware.
  • Only 37% of respondents who suffered an attack went on to improve internal user access controls to reduce the footprint of future attacks, and 36% sought to improve detection and recovery capabilities.

People are placing their faith in endpoints to stop ransomware, but we see this threat bypassing that layer. Organizations should ask themselves: “What happens if this layer fails?”

They need to consider other layers of defense to counter this threat, starting with protection around the assets most valuable to the organization and its productivity. Ransomware targets the data on file shares, where there is 10 to 1,000 times more data than on a laptop or workstation. It makes good defensive sense to put a micro-perimeter around this data: restrict access to reduce an attack's footprint, and monitor for ransomware-like behavior so that the threats that sneak past the outer defenses can be stopped immediately.

A lot of organizations like to think they don't have insider threats, but often it's the loud intrusion of ransomware that alerts an organization to over-exposed, unmonitored permissions and data. When a user with excessive permissions across the network is infected and the ransomware spreads to every file that user can touch, the crippling effect of hijacked data cannot be ignored.

They should be thanking the ransomware criminals for shining a big, bright spotlight on the holes in their defenses. If ransomware can temporarily halt productivity because of overexposed permissions, imagine what a malicious insider or an external actor with co-opted credentials can do to your organization, and how long they can go undetected.

Organizations should monitor how the data they depend on is used, especially files and emails, which are frequent targets of breaches; perform regular attestations of access rights so that overexposed sensitive information cannot be hijacked in the first place; and deploy user behavior analytics on data activity to look for signs of ransomware.
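The behavioral monitoring described here and in the DBIR post above ("monitoring the unique behavior of each individual") can be made concrete. What follows is an added example, not Varonis code: it reads file-activity audit events in a constructed comma-separated format (timestamp, account, operation, path and, for renames, the new path), takes each account's busiest two-minute window in historical data as that account's baseline, and raises one alert when a burst of writes exceeds both an absolute floor and five times that baseline while most of the renames in the window change the file extension. All thresholds and the sample events are assumptions; the backup service account is included to show why a per-account baseline matters.

```python
"""Spot ransomware-like bursts in file-share audit events by comparing each
account's write activity against its own baseline. Added example, not Varonis
code. Event lines use a constructed format standing in for whatever your file
server or audit platform emits; the thresholds are assumptions to tune."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

WRITE_OPS = {"create", "modify", "rename", "delete"}
WINDOW = timedelta(minutes=2)   # trailing window examined after each write
MIN_WRITES = 20                 # absolute floor: fewer writes never alert
BASELINE_FACTOR = 5             # must also be 5x the account's busiest window
EXT_CHANGE_RATIO = 0.5          # share of renames that must change the extension

SHARE = r"\\fs01\finance"

def _constructed_lines():
    """Constructed sample audit lines (not real data): one ordinary day, then a
    day on which alice's account starts renaming everything it can reach."""
    day1, day2 = datetime(2017, 5, 12, 9, 0), datetime(2017, 5, 13, 9, 30)
    baseline = [f"{day1 + timedelta(minutes=10 * i)},alice,modify,{SHARE}\\budget{i}.xlsx"
                for i in range(5)]
    # Nightly backup job rewrites 40 files in under a minute: noisy but normal.
    baseline += [f"{day1 + timedelta(hours=13, seconds=i)},svc-backup,modify,{SHARE}\\archive\\f{i}.bak"
                 for i in range(40)]
    live = [f"{day2 + timedelta(minutes=5 * i)},bob,modify,{SHARE}\\notes{i}.docx" for i in range(3)]
    live += [f"{day2 + timedelta(seconds=2 * i)},alice,rename,{SHARE}\\Q{i % 4 + 1}\\report{i}.docx,"
             f"{SHARE}\\Q{i % 4 + 1}\\report{i}.docx.locked" for i in range(25)]
    live += [f"{day2 + timedelta(hours=13, seconds=i)},svc-backup,modify,{SHARE}\\archive\\f{i}.bak"
             for i in range(30)]
    return baseline, live

BASELINE_LINES, LIVE_LINES = _constructed_lines()

def parse_line(line):
    """'<timestamp>,<user>,<op>,<path>[,<new path>]' -> event dict."""
    ts, user, op, path, *rest = line.strip().split(",")
    return {"ts": datetime.fromisoformat(ts), "user": user, "op": op,
            "path": path, "new_path": rest[0] if rest else None}

def changes_extension(old, new):
    return PureWindowsPath(old).suffix.lower() != PureWindowsPath(new).suffix.lower()

def _windows(events, window=WINDOW):
    """After each write, yield (user, deque of that user's writes in the window)."""
    recent = defaultdict(deque)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["op"] not in WRITE_OPS:
            continue
        q = recent[ev["user"]]
        q.append(ev)
        while ev["ts"] - q[0]["ts"] > window:
            q.popleft()
        yield ev["user"], q

def peak_writes(events, window=WINDOW):
    """Busiest window per account in historical data: that account's 'normal'."""
    peak = defaultdict(int)
    for user, q in _windows(events, window):
        peak[user] = max(peak[user], len(q))
    return dict(peak)

@dataclass
class Alert:
    user: str
    window_end: datetime
    writes: int
    ext_change_ratio: float
    folders: list

def detect(baseline_events, live_events, window=WINDOW):
    """One alert per account whose burst exceeds both the absolute floor and
    BASELINE_FACTOR x its own peak, corroborated by extension-changing renames.
    An account with no history has a peak of 0, so only the floor applies to it."""
    peak = peak_writes(baseline_events, window)
    alerts, seen = [], set()
    for user, q in _windows(live_events, window):
        if user in seen or len(q) < max(MIN_WRITES, BASELINE_FACTOR * peak.get(user, 0)):
            continue
        renames = [e for e in q if e["op"] == "rename" and e["new_path"]]
        ratio = (sum(changes_extension(e["path"], e["new_path"]) for e in renames)
                 / len(renames)) if renames else 0.0
        if ratio < EXT_CHANGE_RATIO:
            continue
        seen.add(user)
        folders = sorted({str(PureWindowsPath(e["path"]).parent) for e in q})
        alerts.append(Alert(user, q[-1]["ts"], len(q), ratio, folders))
    return alerts

def run_demo():
    return detect([parse_line(l) for l in BASELINE_LINES],
                  [parse_line(l) for l in LIVE_LINES])

if __name__ == "__main__":
    for a in run_demo():
        print(f"ALERT {a.user}: {a.writes} writes by {a.window_end}, "
              f"{a.ext_change_ratio:.0%} of renames changed extension, folders: {a.folders}")
```

On the constructed data, the backup account's 30 writes stay silent because its own baseline is 40 per window, while alice's account trips at the 20th rename, 38 seconds into the burst, with every rename changing the extension and four folders already touched. The alert is the point at which an automated response (disabling the account or revoking its share access) would cut the damage to a handful of files; the folder list doubles as the scope for restoring from backup.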

Read the full survey here.

Then see how our customers are using Varonis to detect ransomware when anti-malware tools fail.

The Varonis Connect Customer Conferences Are Coming: Education and Network Opportunities

This April we will kick off our annual series of Varonis Connect customer events where attendees will learn about new Varonis product innovations and share experiences and success stories.

The series, in its 6th year, runs through June across 33 cities in North America and Europe.  In fact, we’ve added 11 more cities than last year, and we expect attendance to increase as well!

Varonis Connect attendees, from the company’s rapidly expanding customer base, will learn how to use the Varonis Data Security Platform (DSP) for an increasing range of use cases, including data security, mitigating ransomware attacks, meeting compliance regulations like HIPAA and GDPR, user behavior analytics, archiving, search and file synchronization and sharing. Varonis engineering and product teams will be on hand to provide attendees with personalized consultations.

2017 Connect Event Schedule:

United States & Canada:

  • April 5: San Francisco, CA
  • April 6: Irvine, CA
  • April 11: Orlando, FL
  • April 12: Fort Lauderdale, FL
  • April 12: Boston, MA
  • April 18: Salt Lake City, UT
  • April 18: Cincinnati, OH
  • April 19: Indianapolis, IN
  • April 19: Des Moines, IA
  • April 20: Minneapolis, MN
  • April 25: Atlanta, GA
  • April 27: Washington D.C.
  • May 2: Calgary, Canada
  • May 3: Seattle, WA
  • May 3: Raleigh, NC
  • May 4: Charlotte, NC
  • May 4: Portland, OR
  • May 23: Green Bay, WI
  • May 24: New Haven, CT
  • May 24: Chicago, IL
  • June 1: New York, NY
  • June 6: Cleveland, OH

Europe:

  • April 4: Milan, Italy
  • April 19: Amsterdam, Netherlands
  • April 20: Brussels, Belgium
  • April 25: Munich, Germany
  • April 27: Madrid, Spain
  • May 4: London, England
  • May 11: Geneva, Switzerland
  • May 17: Luxembourg
  • May 18: Paris, France
  • May 23: Zurich, Switzerland
  • May 24: Leeds, England

Customer Registration:

Varonis Connect 2017 is free and open to Varonis customers. If you would like to inquire about attending or would like to receive an invitation, please email

How to Protect Yourself from Leaky Apps: Varonis on CNBC’s On the Money

This past weekend, Varonis’ Brian Vecci, Technical Evangelist, appeared on CNBC’s On the Money with Jennifer Schlesinger to discuss how consumers can protect themselves from leaky apps – both legitimate and illegitimate ones.

From a consumer perspective, there are a few things to keep in mind:

  • Any app could be breached or broken in some way, so be careful about what kinds of information you give it.
  • Try not to use the same password everywhere; if you do, one bad app or one website breach can hand an attacker your credentials for other, more valuable accounts like Amazon or Facebook.
  • Set up alerts for your email address on a site like Have I Been Pwned, which will notify you if your information shows up in a data breach.
  • Both iOS and Android let you control what an app can access on your device. Be careful about giving an app access to information it doesn't need, like your photos or GPS location, or the phone's camera or microphone.

In order to help consumers protect themselves online, Varonis teamed up with renowned security expert Troy Hunt to produce a series of short video tutorials.

The online course, “Internet Security Basics, 5 Lessons for Protecting Yourself Online,” was created exclusively for Varonis and is designed to teach the everyday connected individual about the top five online security risks they face and how to protect themselves, including:

  • Practicing better password hygiene
  • Identifying website trustworthiness and phishing
  • Understanding the importance of software maintenance
  • Establishing mobile device and app security
  • Minimizing the risks of household and corporate IoT devices

The on-demand course, intended to be consumable by anyone with basic familiarity with computers, web browsers and mobile devices, is divided into seven bite-sized modules that take just a few minutes to watch. The course can also provide an effective supplement to organizations’ ongoing efforts to keep their employees trained and vigilant about online risks.

Troy Hunt is a world-renowned security expert and trainer, author, and creator of the free data breach service, “Have I been pwned?” As a leader in online training for technology professionals, Hunt expertly distills complex technology and cybersecurity subjects into relatable explanations.

Start protecting yourself online, take the video course today:

Varonis Cited by Forrester for Data Classification Capabilities

When I signed up for home insurance, I remember filling out a worksheet that forced me to catalog all the important, expensive and irreplaceable items within the property so we could make an accurate prediction of the costs to replace them if something were to happen, like theft or arson.

This is the same kind of analysis organizations should be doing with their data, asking: What information am I storing? Where is it? Does it fall under a compliance regulation?

This kind of data classification is an activity every organization must undertake to meet regulatory requirements and protect its data. A February 2017 Forrester report, Market Overview: Data Classification For Security And Privacy, states, "Data classification is a core component of defining and understanding data that security and risk (S&R) pros must protect, as well as identifying the way employees should handle it and the types of security controls that are necessary."

In other words, organizations cannot protect what they don’t know they have.

Within this report, Forrester cites Varonis as among vendors that “have data classification capabilities in addition to data discovery and remediation capabilities.”

The Varonis Data Security Platform (DSP) analyzes and profiles user roles, file systems and email activity, permissions, file content and directory service information. The automated classification capabilities within the platform combine these metadata streams and results from other classification solutions for increased visibility into the content of data. Classification information enables actionable intelligence for data security and compliance, including a prioritized list of folders with the most exposed permissions and containing the most sensitive data, access points to that data, users and owners, and effectively setting access limitations without disrupting business processes.
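As an added example of the discovery step (not the Varonis classifier, and not how it works internally), the script below walks a directory tree and reports files containing e-mail addresses, payment card numbers and IBANs, the kind of content the GDPR checklist at the top of this page asks you to locate first. Card candidates are checked with the Luhn algorithm and IBANs with the ISO 7064 mod-97 check, so a build log full of random digit runs is not reported as sensitive. The sample files are constructed and the size cap is an assumption.

```python
"""Find files holding personal or payment data by content, the discovery step
that precedes any access review. Added example, not the Varonis classifier.
Patterns: e-mail addresses, payment card numbers validated with Luhn, and IBANs
validated with the ISO 7064 mod-97 check, so that random digit runs and typos
are not reported. The sample tree is constructed; MAX_BYTES is an assumption."""
import os
import re
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")            # 13-19 digits, spaces/dashes
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]){11,30}\b")
MAX_BYTES = 4 * 1024 * 1024                                   # skip anything larger

def luhn_ok(digits):
    """Luhn checksum: doubles every second digit from the right, sums, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def iban_ok(iban):
    """ISO 7064 mod 97-10: move country code and check digits to the end, map
    letters to 10..35, and the resulting integer must leave remainder 1."""
    if not 15 <= len(iban) <= 34:
        return False
    rearranged = iban[4:] + iban[:4]
    return int("".join(str(int(c, 36)) for c in rearranged)) % 97 == 1

def classify_text(text):
    """Counts of validated hits per category, e.g. {'email': 1, 'card': 1}."""
    ibans = [i for i in (m.group().replace(" ", "") for m in IBAN_RE.finditer(text))
             if iban_ok(i)]
    # Blank out IBAN-shaped tokens before the card scan so their digits are not recounted.
    scrubbed = IBAN_RE.sub(lambda m: " " * len(m.group()), text)
    cards = [c for c in (re.sub(r"[ -]", "", m.group()) for m in CARD_RE.finditer(scrubbed))
             if luhn_ok(c)]
    emails = EMAIL_RE.findall(text)
    return {name: len(found) for name, found in
            (("email", emails), ("card", cards), ("iban", ibans)) if found}

def scan_tree(root):
    """Walk root; return sorted (relative posix path, hits) for files with hits."""
    root = Path(root)
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.stat().st_size > MAX_BYTES:
                continue
            hits = classify_text(p.read_text(encoding="utf-8", errors="ignore"))
            if hits:
                results.append((p.relative_to(root).as_posix(), hits))
    return sorted(results)

SAMPLE_FILES = {   # constructed contents: no real people, cards or accounts
    "customers/contacts.txt": "Jane Doe <jane.doe@example.com> card 4111 1111 1111 1111 exp 09/19\n",
    "finance/payments.csv": "invoice,iban\n1001,GB82 WEST 1234 5698 7654 32\n",
    "eng/build.log": "build id 4111111111111112 completed\n",   # fails Luhn: not a card
}

def build_sample_tree(root):
    """Write the constructed files under root (a temp directory in the demo)."""
    for rel, content in SAMPLE_FILES.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_text(content, encoding="utf-8")

def run_demo():
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_tree(tmp)

if __name__ == "__main__":
    for rel, hits in run_demo():
        print(f"{rel}: {hits}")
```

Point `scan_tree` at a share root to get a list of files to feed into the access review, and extend the pattern table with whatever identifiers matter in your jurisdiction. The validation step is what keeps the result usable: without Luhn and mod-97, logs, serial numbers and build IDs would swamp the real hits.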

Data classification is a critical step for security and risk professionals in defining and understanding how to protect sensitive data. The report gives guidance on why data classification should maintain a priority spot in an organization’s security budget, “Although targeted attacks may be the new norm, a reactive approach to security is inefficient and ineffective. You still need an actual security strategy — and knowing what it is that you’re trying to protect — as the foundation for your efforts.”

However, many organizations are still too focused on responding to threats and don’t properly understand or control sensitive data. In fact, the January 2017 Forrester Consulting study commissioned by Varonis, “The Data Security Money Pit: Expense In Depth Hinders Maturity,” found that 62% of respondents have no idea where their most sensitive unstructured data resides. Understanding what is considered sensitive, or toxic, data lends insight and context for developing controls and policies for data awareness and proper data handling.

The Market Overview found that 54% of global client security decision-makers have implemented a data classification solution, and an additional 22% plan to do so in the next year. As more organizations recognize the need to boost data awareness, solutions like the Varonis DSP can give security professionals confidence in their systems and build a foundation for data security and privacy.

Find out where your sensitive data lives, take a free risk assessment to experience the automated classification solution within the Varonis DSP.

It’s Not Just Waymo: IP Most at Risk According to Our RSA Survey

This year, the RSA Conference boasted over 43,000 attendees and 557 exhibitors spread across two enormous and cacophonous halls. Even in the quiet of the hotel room, my ears rang with echoes of the discordant noise about new potential threats. Let’s just say I’ll be eyeing every public outlet from which I charge my phone with suspicion.

Tom Foremski, ex-Financial Times journalist and editor/publisher of Silicon Valley Watcher, summed up the experience nicely via ZDNet:

[G]oing to RSA show will likely cause your mind to race in panic at all the vectors of malice that the security vendors will happily tell you about.

Foremski and those he interviewed discussed the implications of a widening security pit: how we could buy every tool on the market and still not be 100% secure. Forrester Consulting has coined this “expense in depth” in a recently released study, writing:

The reality is that companies have spent a lot of money on individual technology — instead of a unified data security strategy — and are judging their maturity based on money spent.

Or in other terms, companies are focused on threats (as the RSA newsfeeds testified) rather than the data – customer, employee, intellectual property and financial data – any of which would be toxic if stolen or made public (e.g., Waymo IP theft – keep reading).

The RSA Data Security Results

We surveyed security professionals who stopped by our booths at RSA about how their companies identify, classify, protect and monitor data.  The results are in and echo the Forrester study:

  • 72% use 3 or more data security tools (and over 50% use 5 or more).
  • Respondents are not confident in the ability to identify, classify, protect and monitor their enterprise data, with few stats crossing the 50% line:
    • Employee data fares the best with 67% completely confident in knowing exactly where this data resides on the network, 59% enforce a least privilege model against it and only 45% audit access to it and alert on abuse.
    • Less than 50% of respondents can identify the location and monitor for anomalous behavior on customer and financial data.
    • Coming in last in every category is intellectual property, one of the most toxic and costly data sets. Well under 45% are confident in their ability to identify, classify and restrict access to this data on a need-to-know basis; even more concerning, only 30% monitor IP for access and abuse.

While the similarities to the Forrester study are validating, real world examples showing how these data sets quickly turn toxic drive the point home even more. Let’s take a look at one of those examples.

Waymo and the Alleged Toxic IP Leak

Last week, Waymo, a pioneer in self-driving car technology, announced legal action against competitors Otto and Uber, alleging that several former employees stole more than 14,000 highly confidential and proprietary design files.

Mention this theft to any R&D head, CEO or CISO and they’ll cringe at the thousands of man hours, millions of R&D dollars and expected revenue that drove off the parking lot.  To put more context around this, Waymo spent seven years in R&D on self-driving technologies including their own in-house hardware, accumulated 1.5 million miles of experience on public roads and billions of miles in simulation tests.  Self-driving technology is how they make their money; now key components of that technology appear to have fallen into the hands of a competitor.

The loss of IP, and the damage that follows, is enough to cripple any company, maybe even put it out of business. Yet we see time and again in our risk assessments that sensitive data like IP is not identified, classified or monitored for abuse. Both the Forrester study and our RSA survey found that 60% of organizations do not enforce a need-to-know access model for this type of highly confidential information, and even fewer monitor access for abusive behavior – like a sudden flurry of access activity on files an employee does not normally touch (cue Paul Harvey: “And now for the rest of the story”… the employee hands in his resignation a few days later).
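The “sudden flurry of access to unfamiliar files” pattern is something a file-activity audit trail can catch with a simple baseline comparison. The script below is an added illustration written for this post, not Varonis product code and not drawn from the Waymo complaint: it builds a per-user baseline of which folders each user normally reads and how many reads per day that amounts to, then flags users whose reads in a given window are many times their normal daily volume and land in folders they have never opened before. The audit events, usernames and share paths are constructed for the example; the 5x burst factor and the two-new-folders minimum are assumed starting thresholds, not recommended values.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from posixpath import dirname


def build_sample_events():
    """Constructed file-audit events (timestamp, user, action, path).

    Not real data: ten days of routine reads for two users, followed by one
    day on which 'alice' sweeps through four shares she has never read before.
    """
    events = []
    day0 = datetime(2017, 1, 1, 9, 0)
    for d in range(10):
        for i in range(3):
            ts = day0 + timedelta(days=d, minutes=15 * i)
            events.append((ts, "alice", "read", f"/eng/lidar/module_{i}.dwg"))
            events.append((ts, "bob", "read", f"/finance/close/q1_sheet_{i}.xlsx"))
    # Day 10: a burst of 32 reads by alice across folders outside her baseline.
    burst_start = day0 + timedelta(days=10, hours=11)
    new_dirs = ["/eng/radar", "/eng/planning", "/eng/hw/boards", "/legal/patents"]
    for i in range(32):
        ts = burst_start + timedelta(seconds=20 * i)
        events.append((ts, "alice", "read", f"{new_dirs[i % 4]}/file_{i}.pdf"))
    # Day 10 is an ordinary day for bob.
    for i in range(3):
        ts = day0 + timedelta(days=10, minutes=15 * i)
        events.append((ts, "bob", "read", f"/finance/close/q1_sheet_{i}.xlsx"))
    return events


def detect_access_bursts(events, window_start, window_end, *,
                         burst_factor=5.0, min_new_dirs=2):
    """Return {user: alert} for users whose reads inside the window are both
    a volume burst against their own history and spread across folders they
    had never read before the window started.

    Everything before window_start is treated as the user's baseline.
    """
    baseline_reads = defaultdict(int)
    baseline_dirs = defaultdict(set)
    baseline_days = defaultdict(set)
    window_reads = defaultdict(int)
    window_dirs = defaultdict(set)

    for ts, user, action, path in events:
        if action != "read":
            continue
        folder = dirname(path)
        if ts < window_start:
            baseline_reads[user] += 1
            baseline_dirs[user].add(folder)
            baseline_days[user].add(ts.date())
        elif ts < window_end:
            window_reads[user] += 1
            window_dirs[user].add(folder)

    # Scale the per-day baseline to the length of the window being examined.
    window_days = max((window_end - window_start) / timedelta(days=1), 1.0)

    alerts = {}
    for user, reads in window_reads.items():
        days_seen = max(len(baseline_days[user]), 1)
        daily_rate = baseline_reads[user] / days_seen
        # A user with no history gets a floor of one read/day so that a brand
        # new account cannot trip the rule with a single file open.
        expected = max(daily_rate, 1.0) * window_days
        new_dirs = window_dirs[user] - baseline_dirs[user]
        if reads >= burst_factor * expected and len(new_dirs) >= min_new_dirs:
            alerts[user] = {
                "window_reads": reads,
                "baseline_daily_reads": round(daily_rate, 2),
                "new_folders": sorted(new_dirs),
            }
    return alerts


def run_example():
    """Run the detector over the constructed log for the burst day (2017-01-11)."""
    events = build_sample_events()
    start = datetime(2017, 1, 11)
    return detect_access_bursts(events, start, start + timedelta(days=1))


if __name__ == "__main__":
    for user, alert in run_example().items():
        print(f"ALERT {user}: {alert['window_reads']} reads "
              f"(baseline {alert['baseline_daily_reads']}/day), "
              f"new folders: {', '.join(alert['new_folders'])}")
```

Only alice is flagged: 32 reads against a 3-per-day baseline, all in folders she had never touched, while bob's three routine reads stay silent. In production the baseline would come from weeks of history rather than ten days, the folder granularity would follow your share layout, and the alert would be correlated with HR events such as a resignation notice, which is exactly the sequence the complaint describes.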

IP theft by multiple former employees who are now at a competitor is a story we’ve seen (and blogged about) before: an ambitious insider not only steals IP but recruits colleagues to do the same, then takes both to a competitor. The Waymo complaint describes how the alleged ringleader, the founder of Otto, downloaded 9.7 GB of highly confidential data and tried to cover his tracks, and it alludes to collusion with several employees who followed suit:

A number of Waymo employees subsequently also left to join Anthony Levandowski’s new business, downloading additional Waymo trade secrets in the days and hours prior to their departure [emphasis mine].

Regardless of how the court rules in the Waymo case, it is a wake-up call for any company that holds data which would be toxic to its revenue and reputation if stolen or made public.

And Now for the Rest of the Story

Data has real value. Self-driving technology alone has the power to change the world and save lives, and many other innovations are being worked on and invested in. Organizations need to start seeing this data, and data security, as a driver of business growth. Ensuring that the right people, and only the right people, have access accelerates bringing innovation to market and drives competitive advantage. The flip side is just as real, and we see it playing out in the Waymo/Uber case: too much unmonitored access can hand that competitive advantage to the other guy.

The final piece of our RSA survey asked respondents about the benefits they would expect from a unified data security platform – in other words, a solution designed to stop, or greatly reduce the damage of, an incident like the Waymo IP theft. The top-rated benefits were:

  • quicker response to breaches (60%)
  • improved ability to identify data (60%)
  • improved ability to spot anomalous behavior (56%)
  • increased visibility on access and usage of sensitive data (55%)

Want to see what type of data might be overexposed in your company?  Our Data Risk Assessment gives a snapshot of your data security to quickly ascertain the level of risk associated with your data: exposing high risk areas and where you can safely and swiftly pull back access, reducing your risk profile.

Get more details on our Data Risk Assessment.