2008 IOUG Data Security Report Now Available

Yesterday the IOUG announced the results of the survey conducted in August. The report is entitled Enterprise Data Insecurity: Are Organizations Prepared for the Threat From Within? and you can download it here. The key findings were pretty troubling:

  • One out of five respondents expects a data breach or incident over the coming year. Only one out of four said all databases are locked down against attacks.
  • Organizations see the greatest risks from internal access, either by unauthorized users, or by "super users" such as administrators with access privileges.
  • Most organizations do not have mechanisms in place to prevent database administrators and other privileged database users from reading or tampering with sensitive information in financial, HR, or other business applications. Most are unable to even detect such breaches or incidents.
  • Sending out data to outside parties is now a common practice.
  • One out of four sites covered in this survey do not encrypt data within their databases, and close to one out of five are not even sure whether this encryption takes place.
  • Two out of five organizations employ actual production data within non-production environments, thereby exposing this information in unsecured settings.
  • There is growing awareness of potential risks. Most organizations monitor their databases for changes that may be indicators of malicious activity.

I won't say more for now and will let everyone take a look at the report and digest it. I will be blogging more on various aspects of the report over the next few weeks. And if you haven't already tried our enterprise data security self-assessment tool, give it a try. We don't track any of the results, so it's really just a way to learn more about what you can be doing to protect your databases and comply with regulatory requirements.

Comments:

It'll only take a single breach and the negative publicity that'll ensue and/or the certain (likely financial) stick that comes as a result of non-compliance and these guys will wise up. In the meantime consumers and citizens alike play security roulette with their personal data anytime they transact online. Why can't these guys at least begin encrypting everything for the inherent security benefits?

Posted by Gregory on September 22, 2008 at 03:25 AM PDT

Hi Greg, I think a lot of organizations still operate under the premise that security = firewalls. Many security groups are just now waking up to the fact that the asset they really need to be protecting is data, and that data can be accessed from inside and outside the firewall. If anyone else has thoughts on this, feel free to jump in...

Posted by Roxana on September 22, 2008 at 04:09 AM PDT

Hi Roxana, thanks for posting on this. It is a really hot topic for us (data integrity specialists), but unfortunately very few CISOs are walking the talk. There is wide recognition of the insider threat but very little investment beyond "compensating controls" :-( Encrypting is a must but does not solve it all. How can we prevent "super privileged users" from tampering with critical data? Most of the time they do not act maliciously but corrupt data by accident; still, it is easy for them to cover their tracks and you won't ever know what has happened. I will follow this thread and look forward to your new posts.

Posted by Christophe on September 30, 2008 at 12:45 AM PDT
