All posts by Rachel Hunt

58% of organizations have more than 100,000 folders open to all employees

58% of organizations have more than 100,000 folders open to all employees

Like a wardrobe malfunction during a live broadcast, no one wants to be overexposed – especially when it comes to your data.

The surprising truth: most companies go about their business blithely unaware that some of their most sensitive data is wide open. And by “some” we mean a lot. In fact, our latest research shows that 41% of organizations had at least 1,000 sensitive files open to all employees.

As we know, it only takes one leaked file to cause a headline-making data breach. We’ve seen how one unpatched server can lead to a disaster; a single “unpatched” folder filled with sensitive files can be just as disastrous — and it doesn’t take an expert or sophisticated code to exploit it.

That’s where Varonis Data Risk Assessments come in. Every year, Varonis conducts thousands of risk assessments for companies around the globe. Using the Varonis Data Security Platform (DSP), we identify where sensitive and regulated data resides, show what’s overexposed and vulnerable, and provide actionable recommendations to increase your data security posture. Think of a Data Risk Assessment as a reality check on your data – that friend who tells you you’ve got a button undone. And they’re free (but more on that later).

We examined a random sample of Data Risk Assessments to understand just how exposed companies really are when it comes to their critical data. The results are now available in Data Under Attack: 2018 Global Data Risk Report from the Varonis Data Lab.

Findings from the report include:

  • 58% of organizations have more than 100,000 folders open to all employees
  • 21% of folders were accessible to every employee
  • 41% had at least 1,000 sensitive files open to all employees
  • On average, 54% of an organization’s data was stale, which adds to storage costs and complicates data management
  • On average, 34% of user accounts are enabled, but stale, “ghost” users who still have access to files and folders
  • 46% of organizations had more than 1,000 users with passwords that never expire

Read the full report Data Under Attack: 2018 Global Data Risk Report from the Varonis Data Lab.

Did we mention Data Risk Assessments are free?* Learn more today and request yours at

*So you’re the kind of person who likes to read the fine print (so are we). Yes, they’re actually free.

New Survey Reveals GDPR Readiness Gap

New Survey Reveals GDPR Readiness Gap

With just a few months left to go until the EU General Data Protection Regulation (GDPR) implementation deadline on May 25, 2018, we commissioned an independent survey exploring the readiness and attitudes of security professionals toward the upcoming standard.

The survey, Countdown to GDPR: Challenges and Concerns, which polled security professionals in the UK, Germany, France and U.S., highlights surprising GDPR readiness shortcomings, with more than half (57%) of professionals still concerned about compliance.

Findings include:

  • 56% think the right to erasure/”to be forgotten” poses the greatest challenge in meeting the GDPR, followed by implementing data protection by design.
  • 38% of respondents report that their organizations do not view compliance with GDPR by the deadline as a priority.
  • 74% believe that adhering to the GDPR will give them a competitive advantage over other organizations in their sector.

After Equifax and WannaCry: New Survey on Security Practices and Expectati...

You’ve seen the headlines: Breaches are hitting high-profile organizations almost daily. After major events — the WannaCry and NotPetya outbreaks, and most recently the Equifax breach — we wanted to know if professionals responsible for cybersecurity in their organizations are shoring up their security, what approaches they are taking, and if they believe they are prepared for the next big attack.

Today we release the results of a new independent survey: After Equifax and WannaCry: Security Practices and Expectations.

The survey, which polled 500 IT professionals responsible for cybersecurity in the UK, Germany, France and U.S., highlights an alarming disconnect between security expectations and reality: While 45% of IT professionals are bracing for a disruptive cyber attack in the next year, the vast majority (89%) profess confidence in their cybersecurity stance.

Other notable findings include:

  • 25% reported their organization was hit by ransomware in the past two years.
  • 26% reported their organization experienced the loss or theft of company data in the past two years.
  • 8 out of 10 respondents are confident that hackers are not currently on their network.
  • 85% have changed or plan to change their security policies and procedures in the wake of widespread cyberattacks like WannaCry.

Read the full survey:

After Equifax and WannaCry: New Survey on Security Practices and Expectations.

University Secures Sensitive Student Data with Varonis

University Secures Sensitive Student Data with Varonis

When hackers successfully breached a nearby university, the IT staff at Loyola University Maryland knew they had to act fast to secure their own environment. Academic institutions are prime targets for cyber criminals. A large university often has sensitive personal identifiable information (PII) and protected health information (PHI) on tens of thousands of students.

During a Varonis risk assessment, Loyola gained visibility into the information housed on their network. They discovered large amounts of PII and PHI that had to be managed and secured immediately. Previously, Loyola staff would have needed to take manual steps to organize and protect this information. Automated tools from Varonis expedite the process while helping Loyola stay compliant with standards such as GLBA, PCI and FERPA.

According to Louise Finn, CIO at Loyola University, “The exfiltration of data is light speed. So having a tool that’s running in the background — always scanning and looking based upon behaviors that it’s absorbing — is such a win for us.”

Interested in getting your own free risk assessment? Sign up here.

Global Manufacturer Relies on DatAdvantage as it Moves to the Cloud

Global Manufacturer Relies on DatAdvantage as it Moves to the Cloud

Dayton Superior is a leading manufacturer for the non-residential concrete construction industry. With thousands of products used in more than one million buildings, bridges and other structures worldwide, Dayton Superior has an ongoing need to monitor and protect information on its network.

The Ohio-based company first began using DatAdvantage several years ago after a major acquisition in which company’s employees were merged into a single IT environment. DatAdvantage gave Dayton Superior deep visibility into the files on their network. For the first time, the company could locate missing files and lock down access to individual users, departments or project teams.

Now, nearly seven years after Dayton Superior first turned to Varonis for insight into its on-premises IT systems, the company will be using DatAdvantage for their new cloud-based environment with Microsoft Office 365 OneDrive for Business and SharePoint.

By moving to the cloud, Dayton Superior aims to decrease its need for internal storage while providing employees with flexible access to documentation from remote devices. Once the migration is complete, DatAdvantage will continue to help the company monitor activity, track user behavior, and control user access to files on the network.


Click here to read the full case study


One Year Out: 75% of Organizations Will Struggle to Meet EU GDPR Regulation...

One Year Out: 75% of Organizations Will Struggle to Meet EU GDPR Regulations by Deadline, Survey Finds

Today, we have released the findings from an independent survey probing attitudes towards the General Data Protection Regulation (GDPR), due to come into effect one year from today.  The survey, which polled 500 IT decision makers in the UK, Germany, France and the U.S., reveals that 75% of organizations indicate they will struggle to be ready for the deadline.  An additional 42% say that it’s not a priority for their businesses, despite the threat of fines which could cost companies up to 4% of global turnover or €20 million (whichever is greater).

Here’s an infographic highlighting the key findings and the top 3 listed challenges:

Read the full survey here.

Varonis helps organizations meet these requirements and builds a framework for GDPR compliance.

  • Identify where personal data is located (NAS, SharePoint, Cloud, etc.) and meet accountability obligations of personal data.
  • Monitor and audit data access and permission changes, and keep records of data processing activities.
  • Delete global access rights and overexposed data, making sure that personal data and sensitive information is kept on a need to know access basis.
  • Apply a least privilege model, ensuring a level of security and protection for personal data by design and by default.
  • Limit data retention and comply with Right to erasure and “to be forgotten”: establish data retention procedures and systems so that data is never stored longer than necessary.

Are you prepared for GDPR?

Click here to get your own (free) risk assessment.


The independent survey on attitudes towards GDPR was commissioned by Varonis and carried out by Vanson Bourne. Respondents were 500 IT decision makers of organizations with 1,000+ employees comprised of 100 respondents each in the United Kingdom, France and Germany and 200 in the United States.  The survey was conducted between 17th April and 9th May 2017.

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Lessons from WannaCry: Varonis on CNBC’s Nightly Business Report

Last night, Varonis’ Brian Vecci, Technical Evangelist, sat down with Andrea Day of CNBC’s Nightly Business Report to discuss the recent WannaCry outbreak, where it goes from here and lessons to be learned. You can watch the full clip here.

“We’re playing catch up because of how much data and how much complexity and how blind we’ve been to these kinds of attacks.”

  • What’s the latest on the attack: We know how to prevent WannaCry right now, but it’s the canary in the coal mine – it’s showing everyone just how critical file security is and how much damage can be done.
  • Lessons for health care industry: It’s not just patient records or other regulated data that can cause problems – it’s all files. Basic security best practices would have made a big difference: patching systems that store files, making sure they’re not open to everyone, and close monitoring so you know when something goes wrong.
  • Can other industries be affected? Absolutely – everyone has files, and what we’re seeing with WannaCry is that it’s not just the regulated data that industries like finance and healthcare need to worry about, it’s everything. If holding files hostage can stop a hospital from working, the same thing can happen to a bank, a law firm, a police network or a power plant, or anyone else.
  • How companies can protect themselves: Start with the basics – keep your systems up to date and patched. Make sure files aren’t open to everyone, and monitor everything so you know when something goes wrong.

Read more about the WannaCry outbreak, its evolution and what you need to know in this blog post (with a list of additional helpful links).

Adylkuzz: How WannaCry Ransomware Attack Alerted The World To Even Worse Th...

Image: Canadian Institute of Mining, CC-BY

Your garden variety ransomware, like Cerber, is the canary in the coal mine that rudely, but thankfully announces bigger security issues: insider threats and cyberattacks that take advantage of too much employee access to files. As disruptive as WannaCry has been to vulnerable organizations, this is their canary in the coal mine moment that should alert them to more deadly attacks that don’t announce their presence, like the cryptocurrency miner Adylkuzz.

Researchers at Proofpoint have identified an attack that is larger and sneakier than WannaCry, and one that may have slowed WannaCry’s spread. Adylkuzz is a malware that uses the same exploits designed by the NSA and utilized in the WannaCry attack, but instead of announcing itself, it quietly installs a hidden program to mine for cryptocurrency that the attackers can then use. Even more interesting, Adylkuzz then blocks the SMB port to avoid further infection, such as a WannaCry infection.

Upon successful exploitation via EternalBlue, machines are infected with DoublePulsar. The DoublePulsar backdoor then downloads and runs Adylkuzz from another host. Once running, Adylkuzz will first stop any potential instances of itself already running and block SMB communication to avoid further infection. It then determines the public IP address of the victim and download the mining instructions, cryptominer, and cleanup tools.

Adylkuzz has over 20 hosts designed to scan and launch attacks, and more than a dozen command and control (C&C) servers at any given time. Within 20 minutes of connecting a test computer with the known vulnerability to the Internet, it was infected with Adylkuzz.

In this instance, instead of your files being held hostage, your processing power is drained and you’re out a few thousand Moneros.  But none of this compares to the hacker who decides to play the long game with DoublePulsar and EternalBlue and stealthily survey and exfiltrate all the health records, student records, intellectual property and incriminating emails they can get their hands on.

WannaCry changed the world and proved that the bad guys will find their way past any perimeter security.  Defense-in-depth should be on your mind. The value of information and the systems that store it is clear – very few organizations can function when their data is inaccessible – no one can function when their data is stolen and their organizational reputation destroyed. If you don’t address the vulnerabilities surrounding your data and your systems you will lose. Obviously you need to patch, but you can’t stop there – you need to continually question your layers of defense: What if a user’s account or system gets compromised? What data can that account access? How would I see abuse? What would it mean if this data was lost or stolen?

No one can prepare for every possible scenario, but organizations need to raise their game. If an organization is patched, restricts employee access to data and systems, and monitors and alerts on unusual activity, they should be in reasonably good shape to withstand this and other attacks.

Varonis stops ransomware by, 1) reducing what normal employee accounts can access (pruning privileges they don’t need), 2) watching how users use data to spot attacks like ransomware in progress, and 3) automatically locking out offending accounts.

Learn how we’re helping out customers spot and stop ransomware and other insider threats:

Image: Canadian Institute of Mining, CC-BY

Verizon DBIR 2017: “Look Kids, There’s Big Ben!”

Verizon DBIR 2017: “Look Kids, There’s Big Ben!”

The Verizon 2017 Data Breach Investigations Report (DBIR) is out in all its pithy and witty glory, and yet given the actual content, Verizon missed an opportunity to quote Clark Griswold from his European Vacation: “Hey look kids, there’s Big Ben, and there’s Parliament… again.”

The biggest takeaway from my review of the DBIR is that organizations are stuck on a great big roundabout passing the same risks and bad guys again and again. Financially- and espionage-driven hackers and insiders are not going away . These actors continue to take advantage of loose access controls, malware, compromised credentials and phishing attacks to steal—in a matter of minutes or days—personal and financial data, corporate proprietary information and other sensitive files.

In our recently released 2017 Varonis Data Risk Report, we found that overly permissive access to files and stale data expose organizations to the same issues uncovered in the DBIR. On average, 20% of all folders on a corporate network are open to every employee, and in 47% of cases, 1,000 or more sensitive files are exposed to everyone!

Insider and Privilege Misuse…Again

Every year we’ve seen this category hold prominence in the DBIR, and we don’t have to search the news too far back to find an example of a financially- or espionage-driven case of insider attack. Just look at the ongoing case of Google’s Waymo vs. Uber and Otto where a former employee is accused of taking more than 14,000 files of proprietary designs to a competitor.

In 2016 70% of insider breaches took months or years to detect, and while today that number went down to 63% – it’s still months and years to detection!!  When 71% of those attacks are accessing personal information of employees, customers and patients, that’s a big head start on those of us whose personal data has been compromised. This should serve as a major motivator for all those organizations needing to meet the upcoming EU GDPR that regulates the protection, access and disposal of personal information.

Ransomware Received a Promotion

Last year Verizon labeled ransomware as a high-frequency, low-impact annoyance; we’re glad to see they are taking this one more seriously this year by recognizing its move from 22nd place as the most common malware to 5th. Ransomware has upped its game to become a $1 billion industry with more than 100,000 infections a day and an as-a-service model to rival its legitimate counterparts. Ransomware is now a board-room discussion, causing major productivity outages and even data loss.

Verizon makes good recommendations for malware detection technologies and education, but, as they note, people get clicky-clicky when it comes to emails and ads and therefore payloads circumvent their defenses. If this were the SAT, we’d write this analogy:

Bugs Bunny is to Elmer Fudd as ransomware is to endpoint protection.

Malware will get past endpoint security and malware detection, so organizations need to minimize an attack’s footprint by reducing access rights and monitoring the unique behavior of each individual.

We found that users have way more access to data than they need to do their jobs. Remember the 20% stat from the 2017 Varonis Data Risk Report I mentioned earlier? Imagine if ransomware encrypted 20% of your file shares simply because of global access and a single infected user!

Just as Cerber has gotten around these perimeter defenses by sending the executable from a Dropbox location, future ransomware variants will continue to outsmart outer defenses. When access rights are reduced and behavior is monitored, this malware is spotted and stopped every time.

Password Hygiene Still Stinks

It’s 2017 and yet our password hygiene follows the same bathing practices that preceded the Black Plague – non-existent! 81% of hacking-related breaches involved weak or stolen credentials, that’s an 18% increase from last year. Password reuse is as common as a baby’s first babbles, or Facebook CEO’s social media password, “dadada.”

We’ve seen billions of breached records across thousands of Internet services. These mega breaches have a ripple effect. Hackers take exposed usernames and passwords and try them with other services, like LinkedIn and Gmail. Even if a site itself hasn’t been breached, an inordinate amount of users re-use the same username and password for every service, making them very susceptible to being badly hacked.

Disposal Errors Will Create a Mess for GDPR

The report’s classification of disposal errors is spot on! While it’s third on the list, the fact that it’s actually on the list and accounts for 10% of miscellaneous errors (up from 6.5% in 2016) is a major palm-in-face moment.  That’s like throwing out your old tax returns in a box marked tax returns instead of shredding and placing them in the dirty diaper bag.

With new regulations like the upcoming GDPR, there’s no room for “oops” in the safe disposal of EU citizen data that has been requested to be removed or outlived its original purpose. Failure to properly identify and dispose of EU citizen data can increase an organization’s chance of a data breach and result in a major fine. In the 2017 Varonis Data Risk Report, we found that 71% of all folders contain stale data; that means we’re feeding and caring for a lot of data that isn’t useful and could pose a liability if lost or stolen.

If you feel you’re stuck on this roundabout, passing the same risks and cyber bad guys again and again, then let us help you find your exit so you can keep driving your security and business needs forward.  Take a (free) risk assessment to find out what vulnerabilities lurk in your environment.

2017 Varonis Data Risk Report: 47% Had at Least 1,000 Sensitive Files Expos...

2017 Varonis Data Risk Report: 47% Had at Least 1,000 Sensitive Files Exposed

Today we released the 2017 Varonis Data Risk Report, showcasing an alarming level of exposure for corporate and sensitive files across organizations, including an average of 20% of folders per organization open to every employee.

Using the Varonis Data Security Platform (DSP), Varonis conducted over a thousand risk assessments for customers and potential customers on a subset of their file systems. The assessment provides insight into the risks associated with corporate data, identifies where sensitive and regulatory data resides, reveals over-exposed and high risk areas and makes recommendations to increase their data security posture.

Here is a sample of the risks discovered:

Failure to reduce the use of global access groups, lock down sensitive files and dispose of stale data exposes an organization to data breaches, insider threats and crippling ransomware attacks.  By identifying and reducing exposed data through global access, broken ACLs and unique permissions, organizations are able to decrease their attack footprint and maintain compliance standards.

“We found files with sensitive PII in places it should not have been,” said a Chief Security Officer for a state and local government in a recent TechValidate customer survey.

According to that same survey, 68% of end users perform a risk assessment to validate security concerns, 95% agree that the risk assessment helped them identify at-risk, sensitive and classified data and build a plan of attack to reduce the likelihood of a data breach and 82% rate global access remediation a top priority after seeing the results.

“The initial assessment gets the immediate attention of management, which then assists in building and executing the internal remediation process,” said a Security Manager at a beverage company in the same TechValidate customer survey. “Varonis does an excellent job of identifying internal data security vulnerabilities.”

Download the 2017 Varonis Data Risk Report here and then request your own risk assessment.

Varonis Data Security Platform Listed in Gartner 2017 Market Guide for Data...

Varonis Data Security Platform Listed in Gartner 2017 Market Guide for Data-Centric Audit and Protection

In 2005, our founders had a vision to build a solution focused on protecting the data organizations have the most of and yet know the least about – files and emails.  Executing on this vision, Varonis has built an innovative Data Security Platform (DSP) to protect enterprise data against insider threats, data breaches and cyberattacks.

To this end, we are pleased to be listed as a representative vendor in Gartner’s 2017 Market Guide for Data-Centric Audit and Protection (DCAP) for the capabilities found within our DSP.

According to Gartner, “By 2020, data-centric audit and protection products will replace disparate siloed data security tools in 40% of large enterprises, up from less than 5% today.”

“Traditional data security approaches are limited because the manner in which products address policy is siloed, and thus the organizational data security policies themselves are siloed,” Gartner said in the guide. “The challenge facing organizations today is that data is pervasive and does not stay in a single silo on-premises, but is compounded by the use of cloud SaaS or IaaS. There is a critical need to establish organization wide data security policies and controls based upon Data Security Governance (DSG).”

Gartner recommends that organizations “implement a DCAP strategy, and ‘shortlist’ products that orchestrate data security controls consistently across all silos that store the sensitive data.” Further, the report advises, “A vendor’s ability to integrate these capabilities across multiple silos will vary between products and also in comparison with vendors in each market subsegment. Below is a summary of some key features to investigate:”

  • Data classification and discovery
  • Data security policy management
  • Monitoring user privileges and data access activity
  • Auditing and reporting
  • Behavior analysis, alerting and blocking
  • Data protection

The Varonis DSP protects enterprise data by analyzing content, accessibility of data and the behavior of the people and machines that access data to alert on misbehavior, enforce a least privilege model and automate data management functions.

Explore the use cases and benefits of a DSP today.

Source: Gartner Market Guide for Data-Centric Audit and Protection, March 21, 2017

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.