informa
Products & Releases

Survey Of Security And Audit Pros, DBAs Reveals Responsibility Disconnect, Lack Of Management Commitment Impedes Database Security Efforts

Results reveal that the greatest challenge to database security may actually come from organizational issues
NEW YORK, January 30, 2012 Application Security, Inc. (AppSecInc) the leading provider of database security solutions for the enterprise and Unisphere Research, today unveiled the findings from the “Data Security At An Inflection Point: 2011 Survey Of Best Practices And Challenges.” The survey polled 524 enterprise IT and data managers, and the results reveal that the greatest challenge to database security may actually come from organizational issues, rather than nefarious or accidental acts. In most cases, database security is overseen by both database and security teams, thereby yielding a disconnect in ownership responsibilities as well as a lack of consensus on top priorities. According to respondents, Management, while showing increasing signs of threat awareness, continues to offer inadequate financial support.

Significant to the study was that the vast majority of those surveyed (81%) indicated that data security risks posed to their organizations have increased over the past three years. Among those that feel there is a greater risk today, four in five acknowledged that the greater technical proficiency and overall boldness of outside hackers and other malicious third parties was the leading factor contributing to the growing challenges.

Management Awareness Is Growing, Commitment Is Not

It was not surprising to learn that the recent onslaught of hacktivist activity from those such as Anonymous and LulzSec have caused more than half of the respondents’ organizations to step up their data security efforts. A majority (51%) report that news of these prominent attacks has led to increased protection. Thirty-six percent of respondents increased audit frequency as a result of the more dangerous threat environment.

Hacktivism generated additional security measures in 34% of the respondent companies due to increased concern among top management and board members. However, only 14% of companies in the survey reported additional funding for data security technologies and just 11% experienced additional staffing or consulting support. So, while there is increased management concern, it does not appear as if it has translated into additional support and commitment. As a result, DBAs and security pros are faced with the expectations of doing more with less.

“While it is evident from the survey’s findings that awareness of the sophistication levels and threats of outside hackers has been heightened, enterprises continue to engage in lax database security,” said Joe McKendrick, Lead Analyst, Unisphere Research. “Data security not only relies on good technology, but also effective and committed management. It remains unclear as to why management is unwilling to fully heed IT managers’ warnings about impending threats to the business.”

Head In The Clouds? Yes, But Not “The” Cloud

Data security issues are a major concern when organizations are faced with the challenge of moving data into the cloud. The survey’s results revealed that 19% of respondents have tested the waters in deploying databases in private cloud or virtualized environments, but just 2% are operating in the public cloud. Nearly two-thirds (63%) say that data security issues are the number one challenge when considering public cloud deployments. The group was more comfortable with private cloud deployments, although 45% still cited security as the top concern.

The survey results indicate that organizations still have plenty of work to do in traditional environments before taking on newer initiatives. Despite two-thirds of respondents contending that their companies did not have a confidential data breach over the past 12 months, only 12% felt confident enough to say that it is “highly unlikely” that they will experience one in the next 12 months.

Of those surveyed whose organizations did suffer a data breach and had knowledge of the resulting costs, roughly one-third (32%) stated that it cost their companies over $100,000 and 11% reported that costs exceeded $1 million.

Alarmingly, 83% of respondents concede that not all of their databases are adequately protected or unsure whether they are. Similarly, less than one quarter (24%) feel as if all of their confidential data is adequately protected.

It’s Not All Bad News

On a positive note, incremental progress is being made as it relates to database security, albeit at a slow pace. Two-thirds of organizations from the survey do conduct database security audits or assessments at least once per year and nearly half of the companies (44%) are currently using automated tools to monitor production databases for security issues.

Among companies that regularly conduct audits, more than half (53%) experience audit findings each time and one-third (32%) were unsure of the findings. A slim 11% indicated that they experienced no audit findings. Among the more prevalent audit findings were configuration issues (24%) and default IDs and passwords not changed (22%).

The six-part, 44 question survey explored and revealed information about the current state of database security across organizations of varying sizes across a wide range of industry groups. To download a copy of the report “Data Security At An Inflection Point,” please click here or visit: http://www.appsecinc.com.

“As the adversaries show growing boldness and escalate their database attacks, organizations must improve communications and quickly come to agreement on how to address database security policies and procedures,” said Thom VanHorn, Vice President of Global Marketing, AppSecInc. “This report, like others before it, provides strong evidence of the internal disconnect that continues to plague companies of all sizes. Until this issue is resolved, the escalation of database breaches will continue.”

Survey Webinar and Report Information:

AppSecInc will be hosting a webinar to discuss the research findings. Joe McKendrick, Lead Analyst for Unisphere Research, and Thom VanHorn, Vice President, Global Marketing, AppSecInc will present a detailed overview of the findings and the implications for enterprise organizations.

Title: Data Security At An Inflection Point

Date: Tuesday, February 7, 2012

Time: 11:00 AM - 12:00 PM EDT

Register: Click Here To Register

In December 2011, AppSecInc conducted a webinar titled, “Can’t We All Just Get Along? Bridging the Gap Between Security Pros and DBAs” where one CISO and DBA Supervisor tandem shared the story of how they worked together to put a database security strategy in place for their company. Moderated by AppSecInc CTO Josh Shaul, Protiviti’s Managing Director Scott Laliberte also participated and shared tales of real-world scenarios he has witnessed and lessons learned. To view a replay of the webinar, please visit: https://www1.gotomeeting.com/register/386129152.

About Application Security, Inc. AppSecInc is a pioneer and leading provider of database security solutions for the enterprise. By providing strategic and scalable software-only solutions – AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise – AppSecInc supports the database security lifecycle for some of the most complex and demanding environments in the world across more than 1,300 active commercial and government customers.

Leveraging the world’s most comprehensive database security knowledgebase from the company’s renowned team of threat researchers, TeamSHATTER, AppSecInc products help customers achieve unprecedented levels of data security from nefarious or accidental activities, while reducing overall risk and helping to ensure continuous regulatory and industry compliance.

For more information, please visit: www.appsecinc.com | www.teamshatter.com

For a free database vulnerability assessment visit:

http://www.appsecinc.com/downloads/appdetectivepro/

Follow us on Twitter: www.twitter.com/appsecinc | www.twitter.com/teamshatter

Recommended Reading: