Research@DBTA - Data Security Misperceptions Unveiled

These days, many companies recognize that there are severe repercussions to ignoring or undervaluing data security, and a sizable segment of organizations, at least one-third in many cases, have been taking additional measures to bolster their data security.

New research shows that data security efforts are recovering from the recent economic downturn, and budgets are on the upswing. However, while companies continue to place a high priority on security, according to a survey of 430 members of the Independent Oracle Users Group (IOUG), conducted by Unisphere Research, many are not taking proactive steps to address the most likely sources of security breaches: internal administrators and privileged super-users. The survey finds that 43% of companies have increased their IT security-related spending, up from 28% in last year's survey and 41% in the 2008 survey. Only nine percent say spending has actually decreased.

To help organizations take control, tools are needed to answer definitively the question of who is doing what, when, and where. The IOUG survey, sponsored by Oracle Corporation, looked at approaches being taken by organizations to boost data security.

There's a lot of data now moving inside and outside organizations, with limited attempts at protecting the data, the survey finds. As a result, a large number of companies put their corporate data at risk. For example, more than one-third report they outsource or offshore their database or application administrative functions to an outside provider. That means management control of data is handed off to another party outside the firewall.

Even larger numbers of respondents report their companies outsource database development and testing. Close to half of respondents, 47%, report they either extensively outsource development or test functions, or do so on a limited basis.

Data that remains within the confines of the enterprise isn't necessarily guaranteed secure, either. In many cases, copies of production data, containing sensitive information such as credit card numbers, Social Security numbers, and financial information, are sent to other parts of the organization, such as development teams or mirrored sites. The survey finds that close to two out of five organizations ship live production data out to development teams and outside parties.

The challenge is that much of the data being used for these efforts is often live production data that is not encrypted, masked, or de-identified. In fact, close to one-third admit that they send unencrypted database backups or exports off-site, to storage facilities, business partners, or other data centers.

Three out of four organizations do not have a means to prevent privileged users from tampering with or compromising data from the inside. While most respondents are attentive to monitoring changes made to their databases, many don't know how quickly they could respond to an incident. At best, many could not catch and address an incident within the same day that it happens. Likewise, while most organizations rely on audits as the primary focus of their security strategy, only a handful could respond within a matter of hours to assess the scope of a security breach. In fact, most audits occur infrequently, if at all.

Close to one out of three respondents say it is highly likely that a data security breach could occur within their organizations over the next 12 months. It may only be a matter of time before organizations or their customers are victimized by a serious security breach, which doesn't have to come from a hacker in Eastern Europe, but could be caused by a trusted employee within the enterprise or an outside partner. "We plan to encrypt backups soon - it just hasn't happened yet," one respondent relates. "I suspect that Social Security numbers will soon have to be encrypted in the database, but so far management has not put a priority on that issue. Our greatest risk is probably that of a rogue employee running amok. We'd know about it soon enough, but it might be too late to avoid serious damage."

The survey covers a range of organizations, including IT services firms, utilities and telecom organizations, educational institutions, government agencies, financial services firms, healthcare organizations, and manufacturers. Half of the respondents are database administrators, and about 20% are managers and executives. Ninety percent have a role in data security management in their organizations.