Database Disconnect: Organizations Struggle with Database Security Responsibility

Organizations Fail to Support Database Security Deployments and Training; Database, Audit and Security Departments Fail to Communicate or Take Responsibility

Complacency is hampering information security efforts, resulting in lax security practices and oversight, and leaving sensitive corporate data vulnerable to theft. That was the general conclusion of a survey of database administrators and managers released today.

Application Security, Inc. (AppSec), a provider of database security, risk and compliance solutions, and Unisphere Research today released the findings of their 2010 Database Security report, “Data in the Dark: Organizational Disconnect Hampers Information Security.” The study polled Professional Association for SQL Server (PASS) members across 761 organizations, and the statistics reveal that companies suffer from a false sense of security.

The report notes that while few organizations are cutting back on data security spending, there seems to be uncertainty as to the depth of organizational support. Database managers and professionals (the group most likely to be charged with data security) are largely unaware of the scope of budget support, with 39 percent saying they are unaware of the funding available. This disconnect between corporate management and IT teams on data security priorities is creating fear among database professionals. The survey showed that one in five respondents fear that their organizations will experience a major data breach over the coming months, but few are aware of the potential costs to their organizations.

According to a study conducted by Perimeter E-Security, the average cost per compromised record was $204, in addition to a loss of the valued trust of customers, and the average total cost of a data breach rose to $6.75 million in 2009.

According to the Data in the Dark report, approximately 75% of respondents, the majority of whom are database administrators, are responsible for protecting their organization’s database. However, 54% of respondents said production databases are out of their direct control.

In addition, the report found that 40% of respondents were unaware of their organization’s IT Security spend, with 57% having no idea of the potential cost impact of a large-scale data breach. Nearly half of the study’s respondents said that a database breach would have greater impact on organizational security than any other IT component.

“Our study highlights a glaring lack of focus and communication regarding data security in today’s organizations,” said Thom VanHorn, Vice President Global Marketing, Application Security, Inc. “This shortfall in the delivery of proper data security best practices translates directly into vulnerable systems, lost dollars and customer distrust.”

Other key findings from the database security report:

• 66% state that production data within their database environment is located, or is consistently being sent, outside their organization, contributing to a heightened vulnerability profile.

• 50% monitor the database for changes, but only 20% monitor for privileged user activity. Meanwhile, 35% state they don’t know what their capabilities would be in this capacity.

• Approximately 1 in 3 organizations say that current controls are inadequate when it comes to securing the database.

• 55% say that their biggest impediment to effectively securing the database is an inadequate IT Security budget.

• 33% of respondents state that their database environment is audited annually, while nearly half (42%) replied that they are unaware of database audit results.

• 33% of respondents state that they are not monitoring for unauthorized access or database configuration changes.

• 65% state that the greatest risk to protecting database assets is human error, implying that a large percentage of organizations continue to rely on manual and error-prone processes.

“The research we conducted suggests a fundamental lack of ownership relative to safeguarding database assets,” said Joe McKendrick, Analyst, Unisphere Research. “We found that the PASS membership user population feels they are ill-equipped to make security decisions, perform security functions and acquire security technology to do their jobs effectively. More collaboration is necessary, as well as a much better understanding of the threat landscape.”

Who is Responsible for Database Security?

Source: Data in the Dark—2010 PASS Database Security Survey produced by Unisphere Research and sponsored by Application Security, Inc.

Written By

For more than 10 years, Mike Lennon has been closely monitoring the threat landscape and analyzing trends in the National Security and enterprise cybersecurity space. In his role at SecurityWeek, he oversees the editorial direction of the publication and is the Director of several leading security industry conferences around the world.
