Research@DBTA: The State of Data Security, 2009: Budget Pressures Lead to Increased Risks

Corporate management is complacent about data security. Efforts to address data security are still ad hoc, and not part of an overall database security strategy or plan. Companies are not keeping up with the need to monitor for potential risks. More monitoring tends to be ad hoc or on-the-fly, versus more organized or automated systematic approaches. These are the findings from new research from Unisphere Research and the Independent Oracle Users Group (IOUG), which shows that the recent economic downturn has taken a toll on data security efforts within enterprises. At a time when security threats are on the rise, a new study finds that security-related spending is flat or down in more than half of 316 organizations surveyed. The survey, conducted in July and August 2009, finds that only 28% of companies have increased their IT security-related spending, down from 41% in a similar survey conducted the year before. About 13% say spending has actually decreased - a three-fold jump since a similar survey conducted in mid-2008.

The study, "IOUG Data Security 2009: Budget Pressures Lead to Increased Risks," sponsored by Oracle Corporation, also finds that, adding fuel to the fire, many organizations are turning to outsourcing and offshoring in the same effort to increase operational efficiencies and contain costs. The study finds, in fact, that there has been a measurable increase in the outsourcing of database administration, development and testing functions since the previous survey in 2008 - up to 40% over the past year.

Organizations have been holding off on comprehensive security efforts as part of a tough economic climate. But they don't realize that these savings are often illusory. Cuts in security initiatives have left critical enterprise data susceptible to costly intentional or unintentional breaches. Additionally, valuable resources are wasted as IT staff try to meet the organization's data security and compliance requirements manually, or try to patch together point solutions. Organizations need to approach data security holistically and systematically. Investing in database security not only reduces risks but also saves organizations time and money.

The survey also uncovered the following gaps or issues in enterprise data security efforts:

Managers see internal threats - such as access by unauthorized users - as more pressing than external hackers or viruses. Potential abuse of access privileges by IT staff also ranked highly as a perceived security issue. One out of four cited lack of management commitment and lax procedures as exposing their data to risk.

More data is being sent to off-site third parties. The survey found more companies are turning to specialized third-party vendors for data administration and application development - a direct result of cost-cutting initiatives. About 36% now outsource, up from 28% a year ago. However, this opens data to all kinds of new threats - well beyond the control of the original data owners.

Awareness of the importance of data encryption is up, but fewer companies are actively applying encryption across all their data assets, whether data is at rest or in motion. A third even ship live unencrypted production data off-site.

Close to half of organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings. To make matters worse, there has been a decline in companies "de-identifying" such sensitive data.

More production data is being sent to non-production sites. Close to half the respondents, 46%, say live production data - which could include credit card numbers and other sensitive data - is being used within non-production environments, such as development shops, testbeds, and back-up sites.

Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most, 61%, are still unable to detect such breaches or incidents, or are not aware whether they can. Half of the group say they track privileged user activities - down from 68% a year ago.

Effectively managing and deploying enterprise data means achieving competitive edge, and most companies recognize the importance of keeping this data secure. However, in many cases, enterprise data security has fallen to the budget knife in today's economy. This is a miscalculation, because many companies incur greater costs when data security is lacking and significant staff resources are spent attempting to meet security and regulatory compliance with point solutions.