Welcome to the SecAware blog

I spy with my beady eye ...

9 Jun 2007

Privacy and insider threats collide in databases

A Ponemon Institute survey into database security found that:
"- Trusted insiders remain a significant, and largely unmonitored risk
- A majority of organizations do not have the technology or processes required to effectively manage against insider threat
- Due to perceived business value, many large organizations assign lower priority to the protection of customer and employee data versus intellectual property
- The vast majority of data exposed in the past two years has been confidential customer and employee information.
The survey found that “trusted” insiders’ ability to compromise critical data is the most serious concern for respondent organizations. Despite this concern, fifty-seven percent of those surveyed do not believe that their organizations have taken adequate measures to protect against malicious insiders and fifty-five percent do not believe that they have taken adequate measures to protect against “data loss.”
The survey also found that despite being aware of these threats, inadequate protection of corporate databases is the norm rather than the exception. Forty percent of those surveyed do not have the mechanisms in place, or are unaware of whether databases are monitored for suspicious activity. This shortfall can be attributed to the massive scale of corporate data stores and the lack of IT resources. Eighty-eight percent of those surveyed manage greater than one hundred databases and a majority of respondents manage in excess of 500 databases."

Although the survey was sponsored by a company with a vested interest in database security, the sample was large enough for the results to be statistically meaningful. The Ponemon Institute is a respected survey organisation; for instance, the report includes notes on possible biases in the respondents and their responses. To a non-scientist it may seem perverse that pointing out possible weaknesses in the method actually makes it stronger, but that is better than ignoring or glossing over them.

As to what needs to be done about database security, the survey commentary offers only a few hints, e.g.:
"Among core security and IT professionals, operational efficiencies and system optimization are consistently higher priorities than efforts related to Sarbanes-Oxley, PCI, NIST 800-53 or other similar compliance initiatives ... our results show that intellectual property and business confidential information in databases is not generally protected. Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee information a high priority."

... so priorities need to be adjusted (but how?).

Perhaps Lloyds TSB has (part of) the answer?
