A new survey of 430 members of the Oracle Applications Users Group (OAUG) reveals that organizations lack a sense of urgency about securing critical data, and the greatest challenges to securing application and data environments are primarily organizational and budget-related.
The survey was conducted by Unisphere Research, a division of Information Today, Inc., in partnership with Application Security, Inc. (AppSec), a provider of database security, risk and compliance solutions, in December 2010.
According to the OAUG's 2011 Data Security report, "Managing Information in Insecure Times," 53% of respondents stated that budget was the greatest impediment holding back information security efforts. Thirty-three percent claimed that a lack of understanding of the threats prevents them from rallying support for countermeasures. And more than one-quarter of respondents cited a disconnect between IT teams and executive management as a major impediment to implementing proper security measures.
The study shows a serious lack of understanding and concern for data and application security in today's organizations, according to Thom VanHorn, vice president global marketing at AppSec. With the increased number of threats and the acceleration of database attacks, organizations' failure to support and implement proactive data security measures is an invitation for disaster.
And, according to VanHorn, what the study doesn't say is almost as important as what it does. "First off, 80% of these folks say they have a role in or are responsible for data security and application security, but it is a little disheartening that there are so many 'I don't know' and 'I'm not sure' answers," he says.
"If you want to make this stuff work, there needs to be empowerment and there needs to be ownership. My take-away from the study is that there is a lack of communication, there is a lack of buy-in at the highest levels, and there is not a focus on implementing best practices. This is critical information - your information and my information - that they are storing, and we just don't see a true understanding of how they implement best practices and how they go about securing the data, and what the threats really are," says VanHorn. "On some level, I think organizations have failed their customers when it comes to protecting their sensitive information."
A breach can cause serious repercussions for a company, but it can also create time-consuming and expensive problems for individuals, VanHorn says.
VanHorn cites industry figures showing that over half a billion records have been compromised since 2008. However, he notes, "As we see time and time again, a lot of times breaches aren't discovered until after the fact and a lot of times organizations don't know how many records were breached." If 500 million-plus records are thought to have been compromised, in reality, it is probably well over a billion, with incidents that have not been reported or breaches that just can't be quantified, he says.
At a time when cloud computing is proliferating, the report found that 45% of the respondents see some risk in the rise of "private cloud" computing and were concerned about the security implications of sharing data and application services outside of their business units. While cloud computing continues to be a growing industry trend, three out of four respondents have not defined a strategy for cloud security.
Adding to the risk, a large segment of companies rely on third parties external to the organization's firewall to help manage application and data environments. Nearly 40% of respondents indicate that they outsource or offshore at least some of their database and application administration functions.
Cloud computing, whether public or private, is very new, and so people are very concerned about it, observes VanHorn. Despite the concerns that emerged in the study about private clouds, in which on-demand shared services are made available to internal departments or lines of business within enterprises, VanHorn says, "I do think that a private cloud allows you more control than a public cloud." No matter what the service level agreement is with the external cloud provider, he says, at the end of the day, if that data were to get breached, customers are going to hold responsible the organization with whom they do business directly, not the cloud provider.
To download a copy of the report "Managing Information in Insecure Times," go to the Application Security, Inc. website at www.appsecinc.com.
For more information about the OAUG, visit the website at oaug.org.