
Corporate databases still go unprotected, study says

Companies that don't rate customer and employee data protection as top priorities and don't monitor databases for suspicious activity are setting themselves up as easy targets for damaged reputations.

There is much that IT shops can do to improve the way they protect and monitor the security of their valuable data in corporate databases, according to a recent study.

The Ponemon Institute, an Elk Rapids, Mich.-based data security and privacy research group, surveyed nearly 650 IT professionals recently to determine whether they secure and monitor data for suspicious activity. About 40% of the shops were running Microsoft SQL Server databases.

The study, called "Database Security 2007: Threats and Priorities within IT Database Infrastructure," was released earlier this month.


"Organizations that fail to protect their data effectively are proving to be easy targets and are often left to contend with considerable damage to their reputations and final results," said Larry Ponemon, founder and chairman of the Ponemon Institute.

Ponemon said 40% of the IT departments queried said they don't monitor their databases for suspicious activity, nor were they even sure if anyone at their companies monitored the databases.

The study asked IT managers what type of data ranked highest in importance across the enterprise. The managers said intellectual property was most important, followed by business confidential information, customer and consumer data, and lastly, employee data.

Survey takers were asked to rank their priorities but the study didn't break out the differences in the percentages between each category in the rankings.

Ponemon said he was surprised that IT shops did not consider securing customer data as a higher priority. "When you consider the number of breaches affecting consumer data and the negative repercussions in terms of cost, loss of trust and bad publicity, you would think that companies would have gotten the message by now," he said.

"Customer data should be regarded in the same manner as intellectual property," he added. "Once that shift occurs, I think you'll begin to see a reduction in the number and severity of breaches."

For some IT departments, protection of customer data was forced down the list because of competing priorities in a tight budget, the study showed. Also, daily business demands can force the IT department to put its effort into upgrading existing applications, improving operating efficiencies and system optimization rather than building in better security, the survey results said.

One IT director who has developed a database security plan is Paul Wilson, database technology director for Gomez Inc., based in Lexington, Mass. His company runs 70 Microsoft SQL Server 2005 sites and 130 databases that customers around the world use to manage and monitor online application performance.

"The biggest step for us as far as security is concerned was to make sure the database servers are completely firewalled off from the Internet," Wilson said, adding that it is key to avoid direct links to the Internet, which make it easier to launch attacks.

Wilson also said his customers must go through a number of Web servers to get the data that is collected for them.

Other companies know that corporate data is important even if it goes unmonitored. Ponemon's study showed 53% of IT managers rated corporate data as "critical" to the company and another 25% rated it "important." Only 2% of the companies said their databases were unimportant to the business.

For Gomez, the databases are the business, so the company must protect them; the business rests on that protection, Wilson said. Gomez created its own applications to monitor database access and data use, setting off alerts when there is some impropriety.
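The two controls described on this page, keeping database servers reachable only from the application tier and monitoring database access for suspicious activity, can be checked from the SQL Server error log alone. The following is an added example, not Gomez's own monitoring code and not something the Ponemon study prescribes: it parses SQL Server-style "Login failed/succeeded for user" error-log entries, raises one alert for any client address outside an allow-list of application servers (a hypothetical list; in practice it would mirror the firewall rules Wilson describes), and one alert when a single client accumulates failed logins faster than a threshold inside a sliding window. The sample log lines are constructed for the example, modeled on the SQL Server error-log format, and do not come from any real system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches SQL Server error-log login audit lines such as
#   2007-05-14 10:22:31.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
# Non-login lines (startup messages, checkpoints, ...) simply do not match.
LOG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}\.\d+)\s+Logon\s+"
    r"Login (?P<outcome>failed|succeeded) for user '(?P<user>[^']*)'.*"
    r"\[CLIENT: (?P<client>[^\]]+)\]"
)

# Hypothetical allow-list: the application/Web servers that are permitted to
# reach the database tier. Anything else should already be blocked by the
# firewall, so a login attempt from elsewhere is itself worth an alert.
ALLOWED_CLIENTS = {"10.1.2.3", "10.1.2.4"}

# Constructed sample error-log excerpt (not a real log): a burst of failed
# 'sa' logins from an Internet address, then normal activity from an app server.
SAMPLE_LOG = """\
2007-05-14 10:22:31.12 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:22:32.40 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:22:33.01 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:22:33.88 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:22:34.52 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:22:35.19 Logon       Login failed for user 'sa'. [CLIENT: 203.0.113.7]
2007-05-14 10:24:10.00 Logon       Login failed for user 'appuser'. [CLIENT: 10.1.2.3]
2007-05-14 10:24:15.33 Logon       Login succeeded for user 'appuser'. Connection made using SQL Server authentication. [CLIENT: 10.1.2.3]
2007-05-14 10:25:00.00 spid51      Starting up database 'perfdata'.
"""


def parse_line(line):
    """Return a dict for a login audit line, or None for any other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S.%f"),
        "outcome": m.group("outcome"),
        "user": m.group("user"),
        "client": m.group("client"),
    }


def detect_suspicious(lines, allowed_clients, threshold=5, window=timedelta(minutes=1)):
    """Scan log lines and return a list of alert tuples.

    ("unexpected_client", client, user, outcome): first login attempt (any outcome)
        from an address not in allowed_clients; reported once per client.
    ("bruteforce", client, user, count): the moment a client reaches `threshold`
        failed logins within `window`; reported once per client.
    """
    alerts = []
    recent_failures = defaultdict(deque)   # client -> timestamps of recent failures
    flagged_clients = set()
    bruteforce_clients = set()

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue

        if ev["client"] not in allowed_clients and ev["client"] not in flagged_clients:
            flagged_clients.add(ev["client"])
            alerts.append(("unexpected_client", ev["client"], ev["user"], ev["outcome"]))

        if ev["outcome"] == "failed":
            q = recent_failures[ev["client"]]
            q.append(ev["ts"])
            # Drop failures that fell out of the sliding window.
            while q and ev["ts"] - q[0] > window:
                q.popleft()
            if len(q) >= threshold and ev["client"] not in bruteforce_clients:
                bruteforce_clients.add(ev["client"])
                alerts.append(("bruteforce", ev["client"], ev["user"], len(q)))

    return alerts


if __name__ == "__main__":
    for alert in detect_suspicious(SAMPLE_LOG.splitlines(), ALLOWED_CLIENTS):
        print(alert)
```

The allow-list check is deliberately redundant with the firewall: if a login attempt from outside the application tier ever shows up in the log, either the firewall rule has a hole or the attempt came from inside the perimeter, and both are worth knowing. On a real server the login audit level must be set to record successful as well as failed logins for the "succeeded" lines to appear at all.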

Application Security Inc., a New York-based security software company, sponsored the research, but the company did not have input in survey development, Ponemon said, nor did it analyze the results.
