subject: Why does my data security fail? [print this page] Why does my data security fail? Why does my data security fail?
IMSM are specialists in ISO certification and this article draws on the expertise we use to certify clients to ISO/IEC 27001:2005.
Data is the raw form of information stored as columns and rows in our databases, network servers and personal computers. This may be a wide range of information from personal files and intellectual property to market analytics. Data could be anything of interest that can be read or otherwise interpreted in human form. Some of this information isn't intended to leave the system. The unauthorised access of this data could lead to numerous problems for the larger corporation as well as the personal home user.
Safeguarding your data can protect your ability to do business, and also your reputation. There are a number of elements you should consider when handling, storing and disposing of customer data and your systems and controls should be appropriate to minimise the risk of data loss or theft. If the data on these computer systems is damaged, lost, or stolen, it can lead to disaster.
Key threats to data security
Data may get:
lost or damaged during a system crash especially one affecting the hard disk
corrupted as a result of faulty disks, disk drives, or power failures
lost by accidentally deleting or overwriting files
lost or become corrupted by computer viruses
hacked into by unauthorised users and deleted or altered
destroyed by natural disasters, acts of terrorism, or war
deleted or altered by employees wishing to make money or take revenge on their employer
The top 5 reasons why data security policies fail
Many organisations today are still running database security by the seats of their pants. The vast majority of organizations do not monitor their databases at all, or do so in an ad hoc fashion. Even more troubling, most enterprises don't even know where their sensitive data resides.
Below are the top 5 reasons according to the Independent Oracle Users Group's (IOUG) of why security breaches take place.
1. Organizations still don't know where sensitive data resides
Before a business can protect its sensitive data, it has to know where it is. Unfortunately, in today's fast-paced IT environments many administrators are finding it difficult to track sensitive information across numerous databases.
2. Security monitoring remains spotty
With so many databases to track, organisations must be systematic about how they monitor activity on these data stores if they want to get a true picture of who is accessing what information. Yet only one in four organizations have automated tools to monitor database activity on a regular basis, a statistic that has remained largely unchanged since IOUG began surveying database administrators back in 2008.
3. Privileged users run unchecked
One of the IOUG survey respondents said, "Our greatest risk is probably that of a rogue employee running amok. We'd know about it soon enough, but it might be too late to avoid serious damage." This is a common opinion among many administrators; approximately 22 percent of respondents listed internal hackers as their biggest database security risk, and another 12 percent said abuse of privileges was their highest threat.
4. Database patches are deployed slowly
Many of today's nastiest breaches are by hackers who take advantage of database and Web application vulnerabilities to break into sensitive data stores. Businesses could do a lot to take the edge off the risks from these attacks by keeping their databases patched and configured securely, but they are not taking advantage of this opportunity to mitigate the threat.
5. Encryption practices lag
Very few companies encrypt within all of their databases, while some do not encrypt or are unsure of whether they do. When databases are sent off site is when many organisations fail, with many businesses not encrypting the data before it goes off site.
