The report was based on a survey of database administrators and other IT managers at more than 300 companies, about one-third of which were businesses with more than 10,000 employees. One in four of the respondents said that they believed their company databases were locked down adequately against malicious attack, while 20% said they expected their databases to be breached in the coming year.
Most of the organisations said their greatest threat came from insiders, who either had legitimate access to databases or had managed to get access illegally. However, many of the same organisations admitted that they didn't have controls in place for preventing this sort of access by insiders. Other security issues that were cited by the respondents included the rampant use of production data by software development teams and the continued lack of encryption of sensitive data stored in databases.
The findings weren't entirely unexpected, said Ian Abramson, president of the IOUG. Though there appears to be a growing awareness of security problems, companies often face a variety of challenges when it comes to addressing them, he said. In addition to such potential issues as downtime and costs, there is also the question of who will lead the initiative to address security vulnerabilities in the database environment. While DBAs have a role by themselves, they are unlikely to have the clout needed to effect major security changes, he said.
Abramson also stressed the need for companies to implement auditing and alerting measures to ensure that insider access to databases is monitored and logged. If those with inside access to databases know their activity is being watched, there will be less of a tendency to abuse that access, he said. Many of the features needed to do this sort of auditing are already available in the database or from third parties, he said. "To me, this is what people really have to be focusing on," he said.