The big takeaway from the recent Data Governance Survey of SA businesses is most organisations don't know where their sensitive data lives and who is accessing it.
This is according to Louis de Kock, South Africa Country Business Development, Varonis Systems, commenting on the results of the ITWeb/Varonis 2017 Data Governance online survey conducted during March this year.
Only 29% of South African businesses who participated in the survey are confident they know where their sensitive customer and business partner information is stored.
Furthermore, a third of respondents said they were 'very confident' that data stored within their organisation is adequately protected, while the rest indicated they were 'somewhat confident' or 'not confident at all'.
"Data has immense value. If it's lost, stolen, or locked down by an attack, organisations can lose time, money, or worse," says De Kock.
Companies create so much critical data that many don't even have a clear picture of how much they have and where it all is, he notes.
"I'm not surprised one third of respondents are very confident that their data is adequately stored. I would guess that even within that segment, there will be many surprised by how much personally identifiable information and other sensitive data makes its way out of safely secured databases."
Adding that when we have no idea where important data is and how it's being used; we're left in the dark when something goes wrong.
Who is accessing sensitive data?
Eighteen percent of respondents indicated they monitor access activity on file shares, whereas a third of respondents said they monitor most access activity.
"While it may be obvious to monitor sensitive and regulated data, it also makes sense to monitor the rest of your data. Nonregulated data also has value and could impede productivity if it were stolen and abused. Way too much data - sensitive or otherwise - is just too accessible to employees," states De Kock.
Asked if they have owners assigned to folders, directories or SharePoint sites, 30% said they do for 'all their data', with 36% citing they do for 'most data' and 27% for 'some data'.
De Kock explains, "It's critical for the business to be involved in data governance. Data owners will know for certain who can access certain data. Empowering data owners to review access rights removes the guesswork from IT."
Exactly half of respondents said that data/ group owners do review permissions to their folders, however 22% said they do not while 28% were unsure.
De Kock says permission to access data should be reviewed according to the regulation that governs that data or at a minimum every three to six months for unregulated data. Just over half (52%) of respondents review this access more than twice a year.
"Achieving a gold standard in shared data security doesn't have to be laborious, many times the solution can be automated, prompting entitlement reviews with system generated recommendations based on access history and user profiling," says De Kock. "Regular review of data access rights and monitoring of that access should be a part of any data governance plan."
Personal data creeps
It may come as a surprise that 74% of companies participating in this survey do not use automation to identify sensitive data.
"We no longer talk about data in terms of gigabytes but petabytes, so keeping up with the growth of sensitive data within an organisation without an automated solution is time consuming, costly and an error prone task," notes De Kock.
Adding, when regulations like POPI (Protection of Personal Information ACT) are in place, sensitive data must be identified and locked down. "There is no room for 'oops, I didn't see it' with these new strict data privacy regulations," he warns
The survey also revealed, only 36% of businesses have a formal POPI project under way to assist with compliance readiness. While 26% have no plans in place, the rest are in the planning stage of POPI readiness.
"Data privacy is becoming law and as soon as the commencement date is announced, organisations will have one year in which to comply. That's not a lot of time if you have thousands of folders of data. Finding, flagging and removing or protecting this data is timeconsuming without the right solutions or resources.
"Organisations must ensure the privacy and safe disposal of personally identifiable information they hold, and it starts with identifying where this data lives on your network, who has access, removing unnecessary access rights and monitoring and alerting on unusual behaviour," he concludes.
About the survey
The 2017 Data Governance Survey was run on ITWeb for a period of two weeks during March 2017, examining the state of data governance strategies of SA organisations. The aim was to find out:
1 Who is in charge of data governance?
2 What is the level of confidence that sensitive data is adequately stored and protected?
3 How access activity on file shares is monitored and managed?
Who responded
* A total of 381 responses were received.
* 30% of respondents are C-level executives and 40% are in middle management.
* 26% of survey respondents are from companies with over 500 employees and 17% are from multinationals with over 10 000 employees; while a third work in IT, all other major industry sectors are represented.
Share