Information Security Hampered by Culture of Complacency - and Misunderstanding

While few organizations are cutting back on data security spending, there is great uncertainty as to the depth of organizational support.

A new survey of database administrators and managers reveals that a pervasive culture of complacency hampers information security efforts, and as a result of lax practices and oversight, sensitive data is being left vulnerable to tampering and theft. While tools and technologies provide multiple layers of data security both inside and outside the firewall, organizations appear to lack the awareness and will to make security stick.

The study, "Data in the Dark: Organizational Disconnect Hampers Information Security," was conducted by Unisphere Research among 761 members of PASS, the Professional Association for SQL Server, in September 2010. The survey was fielded in partnership with Application Security, Inc.

The survey found that while few organizations are cutting back on data security spending, there is great uncertainty as to the depth of organizational support. Four out of 10 database managers and professionals - the group most likely to be charged with data security - are largely unaware of the scope of budget support, suggesting a critical disconnect between corporate management and technology teams about data security priorities. Interestingly, a similar survey conducted by Unisphere Research among Oracle database managers and professionals found the same levels of disconnect across the board, indicating that the major issues hampering information security come from management culture, not from underlying technology solutions.

More than half of respondents to the PASS survey say their information security efforts are held back by budget constraints. Four out of 10 add that there is a lack of understanding within their enterprises about the nature of data security threats.

In fact, while one in five respondents fear that their organizations will experience a major data breach over the coming months, few are aware of the potential costs to their organizations. Those respondents who are aware of where data security breaches have occurred cite a pattern of inside abuse and errors.

Inside abuse and errors are areas of great vulnerability, the survey reveals. Two-thirds of respondents say simple human errors, such as a bad script implemented by a DBA or a data-entry error, are their greatest data security concern. Unintentional breaches or mistakes are one concern; intentional breaches by insiders are another. The second-leading concern, cited by close to half of respondents, is abuse. The potential for inside abuse extends to privileged users such as DBAs and developers, as well as super-users. Outside contractors who handle sensitive data may also compromise information security; many of the well-documented cases of data loss or theft seen in the media result from careless or abusive practices by third-party vendors. By comparison, fear of external hackers ranks only fifth on the list of information security concerns.

While there is a considerable amount of personally identifiable information present at respondents' sites, many respondents report there are few controls to protect the data. More than half of respondents report that they make "old" or outdated production data available to others, including those involved in staging, development, and backup. However, the risk is that some personally identifiable information may never become outdated. Intensifying the problem is the fact that more than four out of 10 respondents say they make live production data available to other functional areas.

In many instances, multiple copies of this data, including live production data, are sent offsite. Copies of production data are sent to third-party backup or mirror sites, or to development shops.

In addition, respondents report that not enough is being done to track and monitor what happens to the data being managed across their enterprises. This has far-reaching business implications, since a majority of respondents say their organizations are affected by government and state mandates that require more judicious data management practices. However, a significant portion of respondents report that they either have no security audits in place to meet these more rigorous standards or are unaware whether such audits exist.

In fact, the survey also finds that little monitoring for security issues is taking place, and few respondents report that they apply security patches as they become available. Adding to the challenge, a number of respondents report that organizational support is not always forthcoming. As one survey participant observed, echoing the tone of the survey findings, "I seem to be more concerned about security than my management."