Databases In Peril

Nearly 40 percent of enterprises fail their database security audits, and only a tiny fraction of their IT budgets go to locking down these servers, a new study says.

The report, based on a survey of 175 enterprises of 1,000 or more employees by Enterprise Strategy Group and commissioned by Application Security Inc., also found most organizations aren't confident their databases are properly secured: Sixty percent say their existing database controls aren't enough to protect their confidential data, and 70 percent say these controls are not well-defined.

"Almost two-thirds are coming out and admitting that they are not doing their job in protecting their proprietary information, and that is cause for concern," says Thom VanHorn, vice president of global marketing for AppSecInc. "And more shocking was that less than one-third feel their database controls are well-defined."

Close to 40 percent of the enterprises in the survey had failed internal database audits, and 33 percent say they had failed a Sarbanes-Oxley audit. Only 37 percent say they meet compliance requirements for protecting their data.

"This database security crisis really isn't improving," VanHorn says.

VanHorn says much of the database security gap today is a direct result of tight and flat IT security budgets. Around 47 percent of enterprises in the survey pointed to budget constraints as one of the greatest risks to the security of their databases. "What's also concerning is that less than 4 percent of IT budgets are spent on database security," he says.

Around one-third of firms say regulatory compliance will continue to influence their security strategies and purchasing during the next 12 to 24 months. And 25 percent say they spend a "significant" amount of time on manual processes, such as fixing compliance problems, database audits, and working with database auditors; 40 percent say they spend a "moderate" amount of time doing so. "That's a lot of man-hours," VanHorn says. "They are manually writing scripts to address vulnerabilities" and other issues, he says.

Aside from the man-power drain, a bigger downside of all of this manual labor is the potential for human error, which the enterprises in the study have experienced firsthand: Fifty-three percent say human error was a primary cause of their data breaches, followed by external attacks at 34 percent.

Jon Oltsik, senior analyst with ESG and author of the report, says organizations need to set up clear controls for database security and look at prioritizing database security spending. "This year's data reflects increased risk to the enterprise database, and a clear lack of understanding of what it takes to protect confidential information," he says.

Have a comment on this story? Please click "Discuss" below. If you'd like to contact Dark Reading's editors directly, send us a message.