The Ponemon Institute, an Elk Rapids, Mich.-based data security and privacy research group, surveyed nearly 650 IT professionals recently to determine whether they secure and monitor data for suspicious activity. About 40% of the shops were running Microsoft SQL Server databases.
The study, called "Database Security 2007: Threats and Priorities within IT Database Infrastructure," was released earlier this month.
"Organizations that fail to protect their data effectively are proving to be easy targets and are often left to contend with considerable damage to their reputations and final results," said Larry Ponemon, founder and chairman of the Ponemon Institute.
Ponemon said 40% of the IT departments queried said they don't monitor their databases for suspicious activity, nor were they even sure if anyone at their companies monitored the databases.
The study asked IT managers what type of data ranked highest in importance across the enterprise. The managers said intellectual property was most important, followed by business confidential information, customer and consumer data, and lastly, employee data.
Survey takers were asked to rank their priorities, but the study didn't break out the percentage differences between the categories in the rankings.
Ponemon said he was surprised that IT shops did not consider securing customer data as a higher priority. "When you consider the number of breaches affecting consumer data and the negative repercussions in terms of cost, loss of trust and bad publicity, you would think that companies would have gotten the message by now," he said.
"Customer data should be regarded in the same manner as intellectual property," he added. "Once that shift occurs, I think you'll begin to see a reduction in the number and severity of breaches."
For some IT departments, protection of customer data was forced down the list because of competing priorities in a tight budget, the study showed. Also, daily business demands can force the IT department to put its effort into upgrading existing applications, improving operating efficiencies and system optimization rather than building in better security, the survey results said.
One IT director who has developed a database security plan is Paul Wilson, database technology director for Gomez Inc., based in Lexington, Mass. His company has 70 Microsoft SQL Server 2005 sites and 130 databases used by customers around the world to manage and monitor online application performance.
"The biggest step for us as far as security is concerned was to make sure the database servers are completely firewalled off from the Internet," Wilson said, adding that it's key to avoid direct links to the Internet, which make it easier to launch attacks.
Also, Gomez said his customers have to properly access a number of Web servers to get the data that is collected for them.
Other companies know that corporate data is important even if it goes unmonitored. Ponemon's study showed 53% of IT managers rated corporate data as "critical" to the company and another 25% rated it "important." Only 2% of the companies said their databases were unimportant to the business.
For Gomez the databases are the business, so his company must protect them, and the business rests on its protection, he said. Gomez created its own applications to monitor database access and data use, setting off alerts when there is some impropriety.
Application Security Inc., a New York-based security software company, sponsored the research, but the company did not have input in survey development, Ponemon said, nor did it analyze the results.