Why Is Database Security Not A Priority?
Posted by Randy Gainer
The daily reports of personal data being lost or stolen typically emphasize the costs businesses and government agencies will incur to respond to the incidents. TJX, for example, reportedly incurred $20 million in costs during the first three months of 2007 related to the theft of payment card data from its stores in 2005 and 2006. Given the large number of reported incidents of personal data being lost and stolen, it is surprising that organizations that collect and store large amounts of sensitive information do not take adequate precautions to secure it.
A new survey reveals that, although Information Technology security spending will increase in 2007 over 2006, a majority of the IT professionals questioned did not think their organizations had taken adequate steps to secure their databases. Larry Ponemon, Database Security, Vol. 6, No. 24 Priv. & Sec. L. Rep. (BNA) 937-46 (June 11, 2007). Although a majority of the IT specialists described the databases as “critical,” Id. at 939, a majority believed that sensitive data were vulnerable, especially to insider threats. Id. at 940. Dr. Ponemon concludes, “Even in the face of frequent, expensive, and highly publicized breaches, respondents have not made protecting customer and employee data a high priority.” Id. at 941.
It appears that many of those responsible for IT budgeting hope they can dodge the bullet: implementing good IT security will definitely cost money; if their databases are not among those from which data are lost or stolen, they will avoid the massive costs to respond to a data breach. Unless that calculation can somehow be changed, the daily reports of data thefts and losses will continue.
