Database Security Faces Greatest Threats from Insiders, Human Errors: Study

A study among database professionals reveals the biggest concerns about data breaches come from fellow employees and mistakes.

Database professionals see malicious insiders and human error as the biggest risks to database security, not external intruders, according to a recent research study.

In a study of 216 members of the International Sybase Users Group, more than half of the respondents felt that human error was the biggest risk to the organization's data security, Application Security said May 18. The database security vendor commissioned the study with Unisphere Research.

About 56 percent of non-financial organizations in the survey felt that human error was the biggest challenge and 24 percent said malicious insiders abusing privileges was the greater threat, according to the study. The numbers were even more striking amongst financial services organizations in the study, with 77 percent concerned with human error. About 48 percent of the respondents in financial services organizations worried about insiders misusing privileges. Nearly a quarter of the total respondents came from financial services organizations.

"The threat comes from inside, and usually is accidental," a database administrator with a manufacturing company told researchers from Unisphere Research.

Their concerns seem to have some grounding in reality, as nearly two-thirds of the organizations that had a data breach over the past few months reported it was either human error or an insider attack. Databases and associated Web applications were the most frequent targets.

Information security needs to be applied "just as forcefully" within the enterprise as outside, according to Joe McKendrick, lead analyst at Unisphere Research and author of the report. Organizations often fail to protect information that moves between departments or between business partners, according to McKendrick.

Very few companies in the survey were actively protecting the data, or regularly monitoring and auditing for security breaches. The majority of respondents admitted there were many copies of their production data, but said they did not have direct control over the information to do anything about it. Only 20 percent took "proactive measures" to mask or shield the data from others. Compliance requirements have some impact on data security, the report found. However, data security audits are "few and far between."

Organizations were also not taking advantage of technology to automate some database security activities, such as managing database configuration, patches, audits, user rights and threats.

Organizations need to focus on ensuring database security best practices are in place, said Thom VanHorn, vice president of global marketing at Application Security. "Until they do, the breach madness is certain to continue," VanHorn said.

Despite the concerns and lack of monitoring, the respondents seemed optimistic about chances of a data breach occurring in the immediate future. The majority of respondents, at 73 percent, felt most or all confidential data was adequately protected and more than half, at 56 percent, said a data breach was unlikely in the next 12 months. A mere 2 percent believed that an internal or external data breach in the next year was "inevitable."

"When you look at the survey results as a whole, some of the data just doesn't add up," said McKendrick. "On one hand, users feel that they are doing an effective job in providing data security for their organizations, yet the data from some of the more pointed questions yield answers that are in direct conflict with that notion," McKendrick said.

There was a "wide disconnect" between what IT managers in charge of database security and what senior management viewed as important, according to McKendrick. People in charge of data security have no visibility over what the company's IT spending looks like, the study found. About 45 percent of the respondents were unable to say whether their organization' data security spending has changed since last year.

The largest group of respondents in the survey was database administrators, but programmers, developers and IT managers were also included. About a quarter of the respondents were in organizations with more than 10,000 employees. The report was conducted in February.