An NHS Digital report has found that ‘very weak’ passwords and outdated systems are putting NHS hospitals at risk of hacking. Ken Spinner, VP of Global Field Engineering at Varonis, provides his insight on the report below.
Ken Spinner, VP of Global Field Engineering at Varonis:
“It’s more important than ever for organisations to have a clear picture of where its most sensitive information lives and who has access to it – especially when dealing with regulated health data and customer information.
Systems must be updated with the latest patches to address security vulnerabilities, especially after having been hit by WannaCry, but in the long run, organisations must also address their security policies and make sure they’re adapting to today’s threat environment, including password policy and access control. That means locking down sensitive data, maintaining a least privilege model, monitoring file and user behaviour to protect sensitive and critical data, and implementing strong processes to manage stale data and user accounts.
Unfortunately, it’s nearly commonplace to experience these sorts of data access control oversights: in the 2017 Varonis Data Risk Report, we found that, similar to the NHS, 47% of organisations have at least 1,000 sensitive files open to every employee.
Exposing this type of data – and this much of it – is a huge red flag: not only can critical data and research be compromised, but personal data can be leveraged to breach more secure systems.
Many organisations have lost the handle on where their most sensitive information lives, who has access to it, and who might be abusing their access — and this leaves organisations vulnerable to cyberattacks and data leaks.
One of the first steps to stronger data protection is managing access to data: organisations should enforce consistent entitlement reviews to verify that only the right people have access to sensitive data, reduce their risk profile by removing users that no longer need access and maintain a least privilege model to keep their data secure.”
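The entitlement review described in the quote above (find sensitive files open to every employee, find accounts that no longer need access, revoke before anything else) can be expressed as a few checks over an access inventory. The script below is an added illustration and is not code from Varonis, NHS Digital or Information Security Buzz; it assumes a simplified inventory in which each file carries a sensitivity flag and an ACL of (principal, rights) pairs, each account carries an enabled flag and a last-logon date, and a group-membership map resolves groups to users. The share paths, account names, group names and dates are all constructed sample data; in practice these would be read from share ACLs and the directory.

```python
"""Entitlement-review checks over a constructed file-share inventory.

Added illustration, not code from Varonis or the NHS Digital report. It assumes
a simplified inventory: each file carries a sensitivity flag and an ACL of
(principal, rights) pairs; each account carries an enabled flag and a last-logon
date. Real deployments would read these from share ACLs and the directory.
"""
from datetime import date, timedelta

# Groups that effectively grant access to every employee (assumption: the
# organisation's broad built-in groups; adjust to the local directory).
BROAD_GROUPS = {"Everyone", "Authenticated Users", "Domain Users"}

# Date on which the review is run (constructed).
REVIEW_DATE = date(2018, 5, 1)

# Constructed sample inventory: paths, principals and dates are made up.
FILES = [
    {"path": r"\\fs01\research\trial_results.xlsx", "sensitive": True,
     "acl": [("Domain Users", "Read"), ("research-team", "Modify")]},
    {"path": r"\\fs01\hr\payroll_2017.csv", "sensitive": True,
     "acl": [("hr-team", "Modify"), ("jdoe", "Read")]},
    {"path": r"\\fs01\public\canteen_menu.pdf", "sensitive": False,
     "acl": [("Everyone", "Read")]},
    {"path": r"\\fs01\hr\patient_list.csv", "sensitive": True,
     "acl": [("Authenticated Users", "Modify")]},
]

ACCOUNTS = {
    "jdoe": {"enabled": True, "last_logon": date(2017, 1, 3)},
    "asmith": {"enabled": True, "last_logon": date(2018, 4, 20)},
    "contractor7": {"enabled": True, "last_logon": None},  # never logged on
    "oldadmin": {"enabled": False, "last_logon": date(2016, 6, 1)},
}

GROUP_MEMBERS = {
    "research-team": {"asmith"},
    "hr-team": {"jdoe"},
}


def open_sensitive_files(files, broad_groups=BROAD_GROUPS):
    """Sensitive files reachable through a group that covers every employee."""
    return [f["path"] for f in files
            if f["sensitive"] and any(p in broad_groups for p, _ in f["acl"])]


def stale_accounts(accounts, today, max_idle_days=90):
    """Enabled accounts with no logon within max_idle_days (or no logon at all).

    Disabled accounts are skipped: they have already been dealt with."""
    cutoff = today - timedelta(days=max_idle_days)
    return sorted(name for name, a in accounts.items()
                  if a["enabled"]
                  and (a["last_logon"] is None or a["last_logon"] < cutoff))


def expand_principal(principal, group_members):
    """Resolve a group to its members; a plain user name resolves to itself."""
    return set(group_members.get(principal, {principal}))


def stale_access(files, accounts, group_members, today, max_idle_days=90):
    """(path, user, rights) entries where a stale account still has access to a
    sensitive file: the entitlements a review should revoke first."""
    stale = set(stale_accounts(accounts, today, max_idle_days))
    findings = []
    for f in files:
        if not f["sensitive"]:
            continue
        for principal, rights in f["acl"]:
            if principal in BROAD_GROUPS:
                continue  # already reported by open_sensitive_files
            for user in expand_principal(principal, group_members) & stale:
                findings.append((f["path"], user, rights))
    return sorted(findings)


def entitlement_review(files, accounts, group_members, today):
    """Bundle the three checks into one review report."""
    return {
        "open_sensitive": open_sensitive_files(files),
        "stale_accounts": stale_accounts(accounts, today),
        "stale_access": stale_access(files, accounts, group_members, today),
    }


if __name__ == "__main__":
    report = entitlement_review(FILES, ACCOUNTS, GROUP_MEMBERS, REVIEW_DATE)
    for key, items in report.items():
        print(f"{key}:")
        for item in items:
            print("  ", item)
```

Two findings types come out of the sample: the research and patient files are open to every authenticated user through broad groups, and the payroll file is still reachable by an account that has not logged on in over a year. The 90-day idle threshold is an assumption; the useful design point is that the stale-account check and the broad-group check are separate, because fixing one (removing a user) does nothing about the other (a share granted to Domain Users).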
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.