Survey finds database security lacking

News 8 Dec, 2008

IT decision makers labour under misconception that sensitive data is secure, but levels of database security and regulatory compliance tell a different story.

A survey released today claims IT decision makers are fooling themselves that their organisation’s sensitive data is secure.

Nearly 84 per cent of 179 IT decision makers in large (1,000 employees or more), global enterprises believe that all or most of their confidential data is protected.

But the database security controls research report produced by database security vendor Application Security, in conjunction with analyst firm Enterprise Strategy Group, said this perception around data security was disconnected from reality.

This is because the same respondents noted they failed major enterprise-wide and industry-specific security audits more than 33 per cent of the time, including those to become compliant with the likes of Sarbanes-Oxley (SOX), Basel II and the Payment Card Industry Data Security Standard (PCI DSS).

When questioned about where most of their organisational data resided, just over 55 per cent stated that customer and employee information was housed on databases as opposed to file servers, desktops or email systems.

But 63 per cent of respondents claimed that their organisation’s database security depended upon manual processes alone, meaning they're always one step behind attackers, according to Tom Bain, Application Security's director of communications.

“Businesses are being reactionary in their attitudes to data security and not mapping security and compliance requirements closely enough onto their business goals,” he said.

“Those automating key processes around database access and privileged activity monitoring are already ahead of the game, especially when criminals will target confidential data more in this global economic downturn.”

A reliance on manual controls belied the fact that nearly 75 per cent of those surveyed also believed the number of database-focused attacks would increase in 2009, with the majority of respondents stating that insider threats are the most likely.

“These are global enterprises with massive IT organisations and thousands of database applications. All it takes is one insecure application or one unpatched server for a breach,” added Bain, in response to the research finding that over 60 per cent of those surveyed admitted they had suffered at least one data breach in the past 12 months already.

Bain concluded: “The survey proves that it’s not just about technology, but about taking pre-emptive action and making sure companies have the right people, policies and processes in place too.”