David Gibson, VP of Varonis, a data governance solution provider, agrees that admins are often able to access data they shouldn't without being noticed, but he puts the number closer to 50 percent. He adds it's not just the admins; most users have access to far more data than they need to do their jobs.
He says the solution comes down to getting a better handle on two things: reducing access to get to a "least privilege" model, and continuous monitoring of who is accessing data.
"The organization needs to be able to see who has access to what data, who the data belongs to, and who has been accessing which files," he says. "From there, IT can involve the data owners directly to make informed decisions about permissions and acceptable use."
Dirty IT secret No. 2: Your employees may be helping themselves
When "retired" IT assets enjoy a surprise second career
Old tech equipment rarely dies, it just finds a new home -- and sometimes, that home is with your IT employees.
"Employee theft of retired equipment is commonplace," says Kyle Marks, CEO of Retire-IT, a firm specializing in fraud and privacy compliance issues relating to IT asset disposition. "I have never met someone from IT that doesn't have a collection of hardware at home. To many, taking retired equipment is a victimless crime. Most don't view it as a security threat. Once equipment is retired, they act like it is fair game."
The problem with taking equipment bound for the scrap heap or the recycling bin is that it often still contains sensitive data, which, if lost, could result in massive liability for the company that owns the equipment, says Marks. And, of course, it is still theft of company equipment.
"Theft and fraud are serious situations that create massive privacy liability," he adds. "A capricious IT insider can have costly consequences if left unchecked. Yet in most cases, the people responsible for making sure assets are disposed of properly -- with all data removed -- are in IT. Organizations need to have a 'reverse procurement' process that assures assets are retired correctly."
But does every IT employee really steal old hardware? A veteran of the IT asset disposition industry, who asked to remain anonymous, says the problem isn't nearly as commonplace as Marks makes it out to be.
"I'm not saying that theft is nonexistent," he says. "I am simply stating that I have never met anyone in the industry with that particular mind-set."
Most equipment that goes missing is simply lost for other, less nefarious reasons -- like it was shipped to the wrong place, he adds.
"It sounds like a bad generalization when in essence a lot of companies pride themselves on providing secure services and act in a way that is completely honest and full of integrity."
Dirty IT secret No. 3: Storing data in the cloud is even riskier than you think
All the security in the world won't help when Johnny Law comes knocking
Storing your data in the cloud is convenient, but that convenience may come at a high price: the loss of your data in a totally unrelated legal snafu.
"Most people don't realize that when your data is stored in the cloud on someone else's systems alongside the data from other companies, and a legal issue arises with one of the other companies, your data may be subject to disclosure," says Mike Balter, principal of IT support firm CSI Corp.