Organizations Fail to Support Database Security Deployments and Training; Database, Audit and Security Departments Fail to Communicate or Take Responsibility

Complacency is hampering information security efforts, resulting in lax security practices and oversight, and leaving sensitive corporate data vulnerable theft. That was the general conclusion according to the results of a survey of database administrators and managers released today.

Application Security, Inc. (AppSec), a provider of database security, risk and compliance solutions, and Unisphere Research, today released the findings of its 2010 Database Security report, “Data in the Dark: Organizational Disconnect Hampers Information Security.” The study polled Professional Association for SQL Server (PASS) members across 761 organizations, and the statistics reveal that companies suffer from a false sense of Security.

The report notes that while few organizations are cutting back on data security spending, there seems to be uncertainty as to the depth of organizational support. Database managers and professionals —the group most likely to be charged with data security—are largely unaware of the scope of budget support, with 39 percent saying they are unaware of the funding available. This disconnect between corporate management and IT teams on data security priorities is resulting in fear in the eyes of database professionals. The survey showed that one in five respondents fear that their organizations will experience a major data breach over the coming months, but few are aware of the potential costs to their organizations.

According to a study conducted by Perimeter E-Security the average cost per compromised record was $204 and a loss of the valued trust of their customers, with the average total cost of a data breach rose to $6.75 million in 2009.

According to the Data in the Dark report, approximately 75% of respondents, the majority of whom are database administrators, are responsible for protecting their organization’s database. However, 54% of respondents said production databases are out of their direct control.

In addition, the report found that 40% of respondents were unaware of their organization’s IT Security spend, with 57% having no idea of the potential cost impact of a large-scale data breach. Nearly half of the study’s respondents said that a database breach would have greater impact on organizational security than any other IT component.

“Our study highlights a glaring lack of focus and communication regarding data security in today’s organizations,” said Thom VanHorn, Vice President Global Marketing, Application Security, Inc. “This shortfall in the delivery of proper data security best practices translates directly into vulnerable systems, lost dollars and customer distrust.”

Other key findings from the database security report:

• 66% state that production data within their database environment is located, or consistently being sent outside their organization, contributing to a heightened vulnerability profile.

• 50% monitor the database for changes, but only 20% monitor for privileged user activity. Meanwhile, 35% state they don’t know what their capabilities would be in this capacity.

• Approximately 1 in 3 organizations say that current controls are inadequate when it comes to securing the database.

• 55% say that their biggest impediment to effectively securing the database is an inadequate IT Security budget.

• 33% of respondents state that their database environment is audited annually, while nearly half (42%) replied that they are unaware of database audit results.

• 33% of respondents state that they are not monitoring for unauthorized access or database configuration changes.

• 65% state that the greatest risk to protecting database assets is human error, implying that a large percentage of organizations continue to rely on manual and error prone processes.

“The research we conducted suggests a fundamental lack of ownership relative to safeguarding database assets,” said Joe McKendrick, Analyst, Unisphere Research. “We found that the PASS membership user population feels they are ill-equipped to make security decisions, perform security functions and acquire security technology to do their jobs effectively. More collaboration is necessary, as well as a much better understanding of the threat landscape.”

Who is Responsible for Database Security?

Source: Data in the Dark—2010 PASS Database Security Survey produced by Unisphere Research and sponsored by Application Security, Inc.