A study among database professionals reveals the biggest concerns about data breaches come from fellow employees and mistakes.
Database professionals see malicious insiders and human
error as the biggest risks to database security, not external intruders,
according to a recent research study.
In a study of 216 members of the International Sybase Users
Group, more than half of the respondents felt that human error was the biggest
risk to the organization's data security, Application
Security said May 18. The database security vendor commissioned the study
with Unisphere Research.
About 56 percent of non-financial organizations in the
survey felt that human error was the biggest challenge and 24 percent said
malicious insiders abusing privileges was the greater threat, according to the
study. The numbers were even more striking amongst financial services
organizations in the study, with 77 percent concerned with human error. About
48 percent of the respondents in financial services organizations worried about
insiders misusing privileges. Nearly a quarter of the total respondents came
from financial services organizations.
"The threat comes
from inside, and usually is accidental," a database administrator with a
manufacturing company told researchers from Unisphere Research.
Their concerns seem to have some grounding in reality, as nearly
two-thirds of the organizations that had a data breach over the past few months
reported it was either human error or an insider attack. Databases and
associated Web applications were the most frequent targets.
Information security needs to be applied "just as
forcefully" within the enterprise as outside, according to Joe
McKendrick, lead analyst at Unisphere Research and author of the report.
Organizations often fail to protect information that moves between departments
or between business partners, according to McKendrick.
Very few companies in the survey were actively protecting
the data, or regularly monitoring and auditing for security breaches. The majority
of respondents admitted there were many copies of their production data, but
said they did not have direct control over the information to do anything about
it. Only 20 percent took "proactive measures" to mask or shield the data from
others. Compliance requirements have some impact on data security, the report
found. However, data security audits are "few and far between."
Organizations were also not taking advantage of technology
to automate some database security activities, such as managing database
configuration, patches, audits, user rights and threats.
Organizations need to focus on ensuring database security
best practices are in place, said Thom VanHorn, vice president of global
marketing at Application Security. "Until they do, the breach madness is
certain to continue," VanHorn said.
Despite the concerns and lack of monitoring, the respondents
seemed optimistic about chances of a data breach occurring in the immediate
future. The majority of respondents, at 73 percent, felt most or all confidential
data was adequately protected and more than half, at 56 percent, said a data
breach was unlikely in the next 12 months. A mere 2 percent believed that an
internal or external data breach in the next year was "inevitable."
"When you look at the survey results as a whole, some of the
data just doesn't add up," said McKendrick. "On one hand, users feel that they
are doing an effective job in providing data security for their organizations,
yet the data from some of the more pointed questions yield answers that are in
direct conflict with that notion," McKendrick said.
There was a "wide disconnect" between what IT managers in
charge of database security and what senior management viewed as important,
according to McKendrick. People in charge of data security have no visibility
over what the company's IT spending looks like, the study found. About 45
percent of the respondents were unable to say whether their organization' data
security spending has changed since last year.
The largest group of respondents in the survey was database
administrators, but programmers, developers and IT managers were also included.
About a quarter of the respondents were in organizations with more than 10,000
employees. The report was conducted in February.