Most small and mid-sized businesses that build and administer databases focus on performance and availability. Security is usually an afterthought. Until you read the headlines about the well-publicized data breaches.
March 1, 2008: a laptop containing unsecured confidential data is stolen from an employee's car, endangering the privacy and financial well-being of thousands of people -- and a company's reputation.
Feel like you've read this before?
Once only the stuff of nightmares, this unfortunate scenario has become almost commonplace. In this latest instance, the laptop belonged to an employee of San Jose, Calif.-based Stock & Option Solutions (SOS), a stock-plan manager and subcontractor to Agilent Technologies Inc., of Santa Clara, Calif., a life-sciences and measurement firm. The laptop contained a database listing the names, addresses, and Social Security numbers of 51,000 Agilent employees, retirees, and stakeholders, as well as information about their stock holdings. Despite a strict Agilent database-encryption policy, which covered SOS as well, the laptop version was unencrypted, confirms Agilent spokeswoman Amy Flores. 'They blew it,' she says simply.
Cautionary tale about databases
This latest case should serve as yet another cautionary tale. Data such as Social Security or credit card numbers are not only crucial to a business, they are worth their weight in gold to those in the identity theft racket. Moreover, compliance with regulatory mandates, such as Sarbanes-Oxley requirements, requires companies, and their contractors, to keep an airtight lock on relevant data if they want to win and maintain lucrative business deals.
And yet, database administrators (DBAs) probably only spend 7 percent of their time tending to database security, estimates Noel Yuhanna, principal analyst for database security at Cambridge, Mass.-based Forrester Research. If anything, DBAs spend more time trying to increase internal access to a company's database, so that it can be used optimally by the accounting or sales staff. And for small businesses, where the DBA could have countless other duties, too, the problem might be greater.
Sometimes insiders at fault
Which brings us to another tough statistic -- a January 2007 Forrester Research report estimated that 70 percent of all database breaches involve insiders. Even those employees who administer the database need to be viewed as potential risks to its safety.
Awareness of the scope of this problem is growing, however. A separate Forrester study found in October 2007 that enterprise spending on database security and auditing is likely to double by 2010 to nearly $900 million annually.
What should a small or mid-sized business do to protect its database? Here are some tips from the experts:
To be sure, protecting your company's database is a challenging, time-consuming task. And, as Agilent's Flores warns, the proverbial chain is only as strong as its weakest link. But nonetheless, making your best effort could help inoculate your company from all kinds of unforeseen dangers.