I can answer this from an outsider's point of view. In every information security assessment I perform I can say with conviction that, based on what I see, admins and network/security managers have minimal control over their unstructured data. They don't know what's where and they don't know how it's at risk. Time and time again I come across spreadsheets, flat-file databases, PDFs, Word docs, and so on containing sensitive data shared out on haphazardly-created workstation and server shares that anyone and everyone on the network has access to. So, any Joe-user (employees, consultants, auditors, whoever) with a basic network login (i.e. no special admin privileges) is just a quick search away from all sorts of goodies...And, given the lack of proactive controls and monitoring, no one will ever know about it. Thinking about it on a person level - it's pretty scary stuff.

I can answer this from an outsider's point of view. In every information security assessment I perform I can say with conviction that, based on what I see, admins and network/security managers have minimal control over their unstructured data. They don't know what's where and they don't know how it's at risk. Time and time again I come across spreadsheets, flat-file databases, PDFs, Word docs, and so on containing sensitive data shared out on haphazardly-created workstation and server shares that anyone and everyone on the network has access to. So, any Joe-user (employees, consultants, auditors, whoever) with a basic network login (i.e. no special admin privileges) is just a quick search away from all sorts of goodies...And, given the lack of proactive controls and monitoring, no one will ever know about it. Thinking about it on a person level - it's pretty scary stuff.