Survey: information security's big, gaping hole remains wide open

Companies' administrators, privileged users, and developers are entrusted, in a very informal way, to do the right thing with sensitive data such as credit card and Social Security numbers. Is this good policy?

While companies have been fairly vigilant in setting up firewalls and authentication systems to ward off hackers from sensitive corporate information, there is still a big, gaping hole in most enterprise data stores through which a lot of valuable data could be pilfered or compromised. That is, most companies do not adequately protect data that is being transferred or copied from the original data source to another part of the enterprise, or to a third-party partner.

Essentially, companies' administrators, privileged users, and developers are entrusted, in a very informal way, to do the right thing with sensitive data such as credit card and Social Security numbers. However, as a check of the known data breaches catalogued by the Privacy Rights Clearinghouse shows, many incidents occur when a third-party vendor loses a laptop or a portable drive through theft or forgetfulness. What is protecting the data that sits on these laptops or thumb drives? And what happens if one of your own employees, an application developer, takes data out of the building?

These are the findings of a survey I recently helped design and publish, as part of my work with Unisphere Research, of 430 members of the Independent Oracle Users Group (IOUG). (Executive summary available at the IOUG research portal.) This study of IOUG members’ information security practices was first conducted in 2008, and then again in 2009. Things have not improved much during that time -- many security efforts may have been put on a back burner due to stresses on IT budgets during the recent economic slowdown.

For example, fewer than 30 percent of respondents are encrypting personally identifiable information in all their databases. Although slightly up from last year, this finding is startling given the number of existing data privacy and protection mandates that specifically call for data-at-rest encryption.

In addition, close to two out of five respondents admit that their organizations ship live production data out to development teams and outside parties. More than one-third admit that the data is unprotected, or simply don't know whether it is protected. In many cases, the data consists of sensitive or confidential information.

Interestingly, in many of the write-in comments that came in with the survey results, some respondents said that they felt their data was secure mainly because their databases were not connected to the Internet. However, if unprotected data is changing hands within the enterprise -- and even being shipped out to third-party sites such as application partners or disaster recovery sites -- all bets are off.

Encryption, data masking, or de-identification are strategies every organization needs to address -- no matter how much you trust your privileged users, and even if the nearest Internet connection is miles away.
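As an added example, not taken from the article or from IOUG/Unisphere, the following script shows what "masking or de-identification" of a production extract can look like before it is handed to a development team or a partner. The extract, the column names and the secret key are constructed for illustration: card numbers are truncated to their last four digits, Social Security numbers are masked, and names and e-mail addresses are replaced with keyed HMAC pseudonyms so that rows still join consistently but cannot be reversed without a key that never leaves the source environment. A final check scans the file that would actually be shipped for anything that still looks like an SSN or a Luhn-valid card number.

```python
import csv
import hashlib
import hmac
import io
import re

# Constructed sample of a "live production" extract; every value is fabricated.
PRODUCTION_EXTRACT = """customer_id,name,ssn,card_number,email,balance
1001,Alice Example,123-45-6789,4111111111111111,alice@example.com,250.00
1002,Bob Sample,987-65-4321,5500000000000004,bob@example.com,9100.50
"""

# Hypothetical secret held only in the source environment. Developers and
# partners never receive it, so the pseudonyms cannot be reversed downstream.
PSEUDONYM_KEY = b"source-environment-only-rotate-regularly"

SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
CARD_RE = re.compile(r"\b\d{13,19}\b")


def luhn_valid(digits: str) -> bool:
    """Luhn check: separates real-looking card numbers from other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_card(card: str) -> str:
    """Truncate to the last four digits; the rest is not recoverable."""
    return "*" * (len(card) - 4) + card[-4:]


def mask_ssn(ssn: str) -> str:
    """Keep only the last four digits of an SSN."""
    return "***-**-" + ssn[-4:]


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: the same input always maps to the same token,
    so joins still work, but without the key nobody can derive or verify the original."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def deidentify_row(row: dict, key: bytes) -> dict:
    out = dict(row)
    out["name"] = "Customer " + pseudonymize(row["name"], key)
    out["ssn"] = mask_ssn(row["ssn"])
    out["card_number"] = mask_card(row["card_number"])
    # .invalid is a reserved TLD, so test mail can never reach a real person
    out["email"] = pseudonymize(row["email"], key) + "@example.invalid"
    # balance is kept: needed for realistic testing and not identifying on its own
    return out


def deidentify_extract(csv_text: str, key: bytes) -> str:
    reader = csv.DictReader(io.StringIO(csv_text))
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=reader.fieldnames, lineterminator="\n")
    writer.writeheader()
    for row in reader:
        writer.writerow(deidentify_row(row, key))
    return buf.getvalue()


def find_raw_identifiers(text: str) -> list:
    """Pre-shipment gate: report anything that still looks like an SSN or a
    Luhn-valid card number. Run it on the file that is actually handed over."""
    hits = [("ssn", m) for m in SSN_RE.findall(text)]
    hits += [("card", m) for m in CARD_RE.findall(text) if luhn_valid(m)]
    return hits


if __name__ == "__main__":
    safe = deidentify_extract(PRODUCTION_EXTRACT, PSEUDONYM_KEY)
    print(safe)
    print("raw identifiers remaining:", find_raw_identifiers(safe))
```

The design point is the split between irreversible masking (card numbers, SSNs, where the test team only needs realistic shape) and keyed pseudonymization (names, e-mails, where referential integrity across tables must survive). The scan at the end is the control the survey's "don't know if it is protected" respondents are missing: it answers that question for the concrete file before it leaves the building.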

There are also management and cost implications to data breaches, as explored in a recent report from Deloitte, covered at this site.


This post was originally published on Smartplanet.com
