Chicago — While all data managers strive for complete security, most would acknowledge that it doesn’t exist. Application Security Inc., a provider of database security, risk and compliance (SRC) solutions for the enterprise, recently announced the findings of its "Database Security Controls" survey, done in conjunction with analyst firm Enterprise Strategy Group (ESG). The survey is based on 179 in-person and phone surveys with global IT decision-makers—including members of the insurance industry—located in North America.

While 58% of respondents reveal that the largest percentage of confidential data is located in their database, 54% note that a lack of internal processes and controls hinder the effectiveness of their database security efforts. The finding that more than half of the respondents suffered a confidential data breach within the past 12 months exposes a key indicator that enterprise organizations experience major gaps in protecting sensitive data.

Jon Oltsik, an ESG analyst who led the research project, indicates that databases house a higher percentage of confidential data than any other type of data repository. As such, he says, the first step insurers can take to better protect themselves is by securing databases.

“To do this,” Oltsik tells INN, “businesses must locate all databases, which often can be more challenging than one would think. They should conduct a database audit to determine what databases are housing sensitive information and protect them accordingly. After reviewing the audit results, organizations should define security policies and best practices, and hold everyone accountable for meeting those objectives. An enterprise approach to managing database security proves to be most effective, as it creates uniform controls and tools.”

Respondents presented a laundry list of database security risks for the coming year, with the top five answers being notably closely ranked in perceived threat to their organization. The five types of risks selected most were:

  • An insider attack by someone with "root" access to the database or database server (55%)
  • A database containing confidential data of which IT/security is not aware (53%)
  • A logical attack on a Web-facing application connected to a database (54%)
  • A mis-configured database (53%)
  • A vulnerable database that has not been patched (51%)

According to Oltsik, survey respondents indicated that database security is a top priority in 2009, and will invest in skills, services and technology safeguards to enhance current security controls. They also plan to buy more specific database security tools rather than additional generic ones.
Additionally, respondents went on to say they expect threats against sensitive information to continue to rise. Seventy-three percent predict database attacks will continue to increase. Improving database security is crucial because nearly half (43%) of all enterprise databases contain critical data that can include customer credit card numbers and other personal information, according to Application Security.

“The research indicates that enterprise data security, risk and compliance is an enormous challenge, and the high percentage of reported data breaches and failed compliance audits reveal a vital need for improved control processes,” says John Ottman, CEO of Application Security Inc. “With 76% of respondents placing purchasing priority on database security for 2009, organizations appear to be taking action. However, despite the severity of the problem nearly 55% of organizations report challenges and note a lack of progress to protect confidential information.”

Another key finding of the survey is that 84% of respondents are maintaining a false sense of security, feeling that their organizations’ data secur ty controls for sensitive information were adequate. But follow-up security questions make it clear that there is a disconnect between the initial responses and realities of preventing hacks and supporting compliance mandates.

Oltsik explains that the study indicates that database security typically isn't the responsibility of just one department or group, but often the collective effort of security administrators, data center managers, network administrators and system administrators.

“Perhaps because no one was personally responsible for ensuring database security, the group as a whole felt that they had addressed the problems effectively,” he says. “Security professionals rarely want to admit to a problem, so it is no surprise to get this type of disconnect in a research survey. But based upon user responses about data breaches, impending threats and database vulnerabilities, it is safe to conclude that database security is a growing problem.”

Sources: Application Security Inc., Enterprise Strategy Group

Exclusive content only available on

Register or login for access to this item and much more

All Digital Insurance content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access