Knowing what you should be doing and actually doing it are two very different things. Like encrypting sensitive data in your databases: according to 430 polled Oracle database admins, fewer than 30% encrypt personally identifiable information (PII) in all of their databases!
75% acknowledge their organizations do not have a means to prevent privileged database users from reading or tampering with human resources, financial or other business application data in their databases.[networkworld.com]
Dang. Other stats:
66% can’t tell whether other admins are abusing their privileges (I guess they don’t have the required tools?)
64% don’t monitor database activity (why would they? Per the first bullet, it sounds more like “can’t” not “don’t”)
60% don’t offshore administration functions (harrumph. Crappy data security practices stink no matter what flag you’re waving)
63% apply patches after three months (better late than never?)
You know, perhaps it’s not that bad out there. Maybe the guys who have data security in mind are busy securing data, so only the guys who’re not doing all of their duties found the time to fill out the survey.
On the other hand, 430 people polled is a lot of people.
Data on Servers Get Stolen. Sometimes, Servers Get Stolen, Too
It’s hard to fathom these “data insecurity practices” that these IT security professionals are engaging in. For example, not securing PII with encryption at all means that data is bound to fall into the hands of data predators at some point. Could it be that many have decided to use the ultimate protection when it comes to on-line data security? Namely, not having the server connected to the internet?
If so, I can almost (almost!) see why encryption is not being used. On the other hand, supposedly internal attacks account for over 10% of data breaches at the average company, so not having PII encrypted, and not having the ability to audit records is just asking for trouble.
Plus, let’s not forget those instances where someone just somehow manages to get into a data room and filches a server. Or cuts through the walls of the datacenter with a power saw.
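To make the point concrete, here is an added example (not from the original post or the survey it discusses) of application-level encryption of a PII column: the database, and therefore any privileged database user or anyone who walks off with the server, holds only AES-GCM ciphertext; the row ID is bound in as associated data, so ciphertext copied between rows fails to decrypt; and the application records every decrypting read so that access can be audited. The Table type, the column name employees.ssn and the sample rows are constructed stand-ins for a real database.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"fmt"
)

// EmployeeRow is what lands in the database. A DBA can SELECT all of it,
// but SSNCipher holds nonce || AES-GCM ciphertext, never the plaintext SSN.
type EmployeeRow struct {
	ID        int
	Name      string
	SSNCipher []byte
}

// Table is a constructed in-memory stand-in for a database table, plus an
// application-side audit log of every decrypting read.
type Table struct {
	rows  []EmployeeRow
	audit []string
}

// rowAAD ties a ciphertext to its column and row so it cannot be moved.
func rowAAD(id int) []byte { return []byte(fmt.Sprintf("employees.ssn:%d", id)) }

// encryptPII seals plaintext with AES-256-GCM under key, binding aad.
// Output layout: 12-byte nonce followed by ciphertext and tag.
func encryptPII(key, aad []byte, plaintext string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(plaintext), aad), nil
}

// decryptPII reverses encryptPII. Any bit flip in the blob, or ciphertext
// copied from another row (different aad), fails authentication.
func decryptPII(key, aad, blob []byte) (string, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return "", err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return "", err
	}
	if len(blob) < gcm.NonceSize() {
		return "", fmt.Errorf("ciphertext too short")
	}
	pt, err := gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// Insert encrypts the SSN before it ever reaches the table.
func (t *Table) Insert(key []byte, id int, name, ssn string) error {
	blob, err := encryptPII(key, rowAAD(id), ssn)
	if err != nil {
		return err
	}
	t.rows = append(t.rows, EmployeeRow{ID: id, Name: name, SSNCipher: blob})
	return nil
}

// DBARead models a privileged user querying the table directly: the raw
// row comes back, and the SSN column is ciphertext only.
func (t *Table) DBARead(id int) (EmployeeRow, bool) {
	for _, r := range t.rows {
		if r.ID == id {
			return r, true
		}
	}
	return EmployeeRow{}, false
}

// AppRead is the application path: it holds the key, decrypts, and logs
// who read which record and whether the ciphertext authenticated.
func (t *Table) AppRead(key []byte, id int, actor string) (string, error) {
	row, ok := t.DBARead(id)
	if !ok {
		return "", fmt.Errorf("no such row %d", id)
	}
	ssn, err := decryptPII(key, rowAAD(id), row.SSNCipher)
	outcome := "ok"
	if err != nil {
		outcome = "FAILED: " + err.Error()
	}
	t.audit = append(t.audit, fmt.Sprintf("actor=%s read employees.ssn id=%d result=%s", actor, id, outcome))
	return ssn, err
}

// AuditLog returns every recorded decrypting read.
func (t *Table) AuditLog() []string { return t.audit }

func main() {
	key := make([]byte, 32) // in production this comes from a KMS/HSM, never the DB
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	tbl := &Table{}
	_ = tbl.Insert(key, 1, "Alice", "123-45-6789") // constructed sample data
	_ = tbl.Insert(key, 2, "Bob", "987-65-4321")
	row, _ := tbl.DBARead(1)
	fmt.Println("DBA sees:", hex.EncodeToString(row.SSNCipher))
	ssn, _ := tbl.AppRead(key, 1, "payroll-app")
	fmt.Println("App sees:", ssn)
	tbl.rows[1].SSNCipher = row.SSNCipher // privileged user copies Alice's ciphertext into Bob's row
	if _, err := tbl.AppRead(key, 2, "payroll-app"); err != nil {
		fmt.Println("Tamper detected:", err)
	}
	for _, line := range tbl.AuditLog() {
		fmt.Println(line)
	}
}
```

The key never touches the database, so a direct query, a stolen backup or a stolen server yields ciphertext only; decryption happens in the application, which is also where the audit trail is written, closing the "can't tell whether admins are abusing their privileges" gap the survey describes.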