It’s no secret that there’s an explosion in corporate data. Organizations are challenged with managing what is quickly becoming – or even has already become – too much data. But, as my colleague, Brian Heckert, notes in this article, employees also have too much access to data.

Be aware: You probably have access to too much data!

That’s right: you can access data you’re unauthorized to see. That’s according to the Ponemon Institute’s latest research report, Corporate Data: A Protected Asset or a Ticking Time Bomb?

In its December 2014 report, the research center found that 71 percent of the 2,276 U.S. and European employees surveyed have access to sensitive information that they don’t need access to.

The report reveals that there is insufficient oversight and control over employees who have access to confidential information. Oftentimes, such information is sensitive in nature and includes:

• Customer lists and contact information
• Intellectual property
• Private information about customers, employees, and business partners

Part of the challenge with controlling data is that too much oversight could sacrifice employee productivity. On the one hand, employees cannot work efficiently if they cannot access the information they need to do their jobs. On the other hand, too little oversight means that employees can access sensitive data that they don’t have any reason to access, jeopardizing an organization’s security and the privacy of customers, co-workers, and others.

Interestingly, it is the employees themselves who believe that they have access to company data that they should not have access to. Even so, of the 71 percent who said that they have such access, 54 percent admitted that their access to the information is frequent or even very frequent. In other words, they know they shouldn’t be accessing the data but they’re doing it anyway, even frequently.

The report found that employees who participated in the survey believe that data protection oversight and controls to their company data are weak. That’s a serious concern, but no less concerning than the survey’s finding that 78 percent believe their organization is unable to tell them what happened to lost data, files, and emails.

It should come as no surprise that IT professionals who participated in the study agree with employees who believe that data protection oversight and controls to the data are weak. Part of the problem, according to the IT practitioners, is that their organizations do not enforce a need-to-know data policy.

Although more than 70 percent of IT practitioners in the survey said that their department takes data protection very seriously, clearly more needs to be done to ensure that their data is protected from unauthorized access.

What can be done to protect corporate data? First, organizations must see data protection as a priority. Second, organizations must ensure that they have a need-to-know data policy and then enforce it. Unenforced policies increase the risk of misused and unauthorized access to confidential and sensitive data.

This article originally appeared on the Mozy blog.