Database Security Shortcomings Raise Red Flags

by Brian Prince

Roughly the same percentage of people in the 2009 survey declared a data breach was either “inevitable” or “somewhat likely” as they did a year ago. However, the report also found that 9 percent had experienced a data breach over the past year—a slight increase from 2008, when it was 6 percent.

The survey only found a slight change in database securitys rank next to other IT security priorities. But the drop-off here is also taking place in the context of a slowdown in security spending. Thirteen percent said their security budget decreased, as compared with 4 percent in 2008, and even though 28 percent reported a spike in their security spending, that compared with 41 percent last year.

Some 25 percent said all their databases were securely configured, which was a drop-off of 3 percent from last year. While 40 percent said “most” of their databases were configured securely, it should also be noted that the percentage of people who said they were not sure where all their sensitive data is located jumped by 8 percent.

Even as data breaches such as the one that occurred at LendingTree underscore the dangers of the insider threat, the survey shows that many organizations have not made much progress in safeguarding against abuses by privilege users.

More than a third of users can access application data in the database using ad hoc tools.

There has been a slight increase in outsourcing of database administration, most likely in response to the economy. However, the percentage of unencrypted databases being sent offsite crept up as well.

More than 40 percent said they do not encrypt their online and offline database backups and exports. About a third said they did some limited encryption of the data.

The figures here are roughly the same as in 2008. However, just 42 percent said they would be able to detect an unauthorized configuration change on most of their databases. That compares to 51 percent last year.

IOUG speculates that budget cuts and a lack of resources may account for the discrepancies between 2009 and 2008 found here.