Fewer than 30% of the 430 respondents to a new survey conducted by the Independent Oracle Users Group (IOUG) say their organizations are encrypting personally identifiable information in all their databases. Although that percentage is up slightly from last year, the finding is surprising given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.
The executive summary of this study is publicly available from the IOUG, and IOUG members can log in to access the full report.
The survey was conducted in May 2010 by Unisphere Research, a division of Information Today, Inc., and was sponsored by Oracle Corporation. Prior to this survey, a study of the IOUG members' information security practices was first conducted by Unisphere Research in 2008, and then again in 2009.
While most respondents to the 2010 survey say they are increasing their investments in security and putting in place measures to protect their information, many also feel that these safeguards are not sufficient, according to the executive summary of the research.
Among other troubling findings from the 2010 survey, is that close to two out of five respondents' organization ship live production data out to development teams and outside parties, yet more than one-third admit that the data is unprotected or that they simply don't know if it is protected. In many cases that data consists of sensitive or confidential information.
And, three out of four respondents' organizations do not have a means to prevent privileged database users from reading or tampering with HR, financial, or other business application data in their databases. Many of the respondents that felt that they could prevent such activities believe they could do so by relying on auditing and recovery processes, and were reacting rather than preventing.
Many respondents believe that the greatest risk to their data security is that of a rogue employee running amok, which they believe they would find out about, but perhaps too late to avoid serious damage.
Some respondents also feel that their data is secure mainly because databases are not connected the internet, a false comfort considering that a majority of respondents' organizations do not apply critical patch updates that are intended to address security vulnerabilities in a timely manner, or take steps to ensure that all their internet-facing applications are not subject to SQL injection attacks.