Large organizations continue to struggle to lock down their critical database assets despite years of work aimed at doing so, according to a new report issued by Enterprise Strategy Group.
According to the paper, authored in cooperation with database security vendor Applications Security Inc., over 60 percent of the 175 North American enterprises (1,000 or more employees) surveyed by ESG during Oct. 2009 readily admitted that their existing database controls do not sufficiently protect their sensitive electronic information. Respondents to the survey represented over 20 industries in the public and private sectors, the researchers said.
Alarmingly, some 70 percent of the organizations participating in the report indicated that they don't believe that they even have well-defined database controls in place, a number that has to be seen as truly shocking given the all of the high-profile data breach incidents reported over the last five years, and all the resulting industry and government data security regulations that have arisen as a result of those events.
The paper contends that as many as 38 percent of the organizations surveyed have already experienced failed compliance audits, which really isn't all that surprising given the aforementioned findings. Just as mystifying, some 70 percent of those interviewed claimed that they do spend a considerable amount of time preparing for both internal and external assessments.
Overall, respondents said that they only dedicate about 4 percent of their overall IT budgets on database security initiatives, but indicated that they spend about 20 percent of their security budgets in the database arena.
At the same time, while most organizations surveyed recognized that they don't have adequate controls established over the entirety of their database operations, 55 percent said that they feel that at least some of their critical information is sufficiently protected.
In regards to incidents involving data leakage of some form, respondents to the ESG survey said that 53 percent of the events resulted from human error. External attacks, which typically get far more attention, accounted for only 34 percent of data loss incidents among the participating organizations.
The companies surveyed also admitted that they are truly struggling to meet the letter of the compliance mandates that they currently face. Only 37 percent of those interviewed said that they feel capable of attaining compliance as it relates to properly protecting electronic data.
For those who admitted to failing audits, a lack of ability to address their pervasive database security struggles was cited as a primary area of concern, the experts concluded. Interestingly, internal assessments ranked with SOX as the leading type of audit failed by those reporting to ESG. This would seem to indicate that while organizations are creating stricter standards for themselves, they're still having a hard time meeting even their own measure of security.
Other standards cited by respondents included PCI, HIPPA, GBLA and FISMA.
"This year's data reflects an integrated set of risks to the enterprise database, and a clear lack of understanding of what it takes to protect confidential information," Jon Oltsik, senior analyst with Enterprise Strategy Group said in a report summary. "Enterprise organizations still feel somewhat protected, but the data suggests otherwise. There's a vital need to overhaul the internal access controls process, as well as educating senior management and re-prioritizing database security budget allocation. This will to help eliminate ineffective manual approaches to this problem."
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.