IT and end users are far apart on critical data access

End users have access to a lot more sensitive data than IT departments think they do, says a new Ponemon survey

When it comes to protecting sensitive data, there's a big gap between what IT departments think is happening in their customers and what end users are actually doing, says a new study released Tuesday by the Ponemon Institute.

For example, 32 percent of IT professionals surveyed said that end users sometimes have more access privileges than they need to do their jobs.

Meanwhile, a whopping 71 percent of end users said that they have access to company data that they shouldn't be seeing.

"It means the provisioning systems aren't working in the organization," said Larry Ponemon, chairman and founder at Traverse City, MI-based Ponemon Institute, LLC.

Over-provisioning exacerbates every other security problem that a company might have. Cybercriminals that use spearphishing to get into an organization have much better odds of hitting someone with valuable access, he said, or being able to move laterally from one system to another.

"All it takes is one employee who falls victim to a spearphishing attack and the bad guys can figure out everything else," he said. "If we had proper credentialing, it would be harder to get to the end user with the right credentials. It would still be possible, but it would be harder."

The other side of the coin is data itself. Although 73 percent of IT respondents said that data protection is a top priority for their department, 49 percent said that if files are changed or deleted unexpectedly they are not likely to know what happened.

Companies also have difficulties keeping files from being shared, so that critical data could be copied and stored in a hundred different places.

According to the survey, 76 percent of end users say there are times when its acceptable to transfer work documents to personal computers, tablets, smartphones, or to the cloud. By comparison, only 13 percent of IT professionals agree.

"They seem to be out of touch with what most of the end users are doing," Ponemon said.

In fact, 43 percent of end users said they used services such as Dropbox, and 42 said they used file share services, while IT respondents thought only 29 and 26 percent did, respectively.

"Keeping up with the volume and velocity of information is very difficult for companies," said Ponemon. "Sony is a great example of the challenges that organizations have."

The recent breach at Sony also shed light on many other practices at the company that helped make them more vulnerable.

"They had a file labeled 'passwords' that contained passwords and login credentials of employees," Ponemon said.

Hackers were also able to find tokens and certificates, as well as access credentials to databases, routers and switches around the world, according to recent news reports.

"It's pretty clear that they weren't understanding where their sensitive assets were," said David Gibson, spokesman at New York-based Varonis Systems, Inc., which makes software to manage and secure unstructured data. Varonis was the sponsor of the Ponemon survey.

"Sensitive data wasn't identified, wasn't locked down appropriately, and I don't believe the use of that data was being monitored," he said. "There are some critical controls missing that would have made the hacking a lot harder."

But while criminals can be very good at finding the information they need within corporate systems, legitimate employees are actually drowning in data.

Sixty three percent of end users said it is difficult or very difficult to find files on corporate networks -- and here, 60 percent of IT respondents agreed.

Copyright © 2014 IDG Communications, Inc.

Microsoft's very bad year for security: A timeline