Insider threats plague data managers

Financial services organizations struggle with human error, abuse of privileges more than most.

Application Security, Unisphere Research, and the International Sybase Users Group (ISUG), unveiled the findings of a study that polled 216 ISUG members. The findings reveal that the greatest challenges or risks to database security are thought to come from insiders, via human error or abused privileges, as opposed to external hacker activity.

Significant to the study was the representation from financial services organizations, which accounted for nearly 25% of the total respondents in this survey.

According to the report, 56% of the non-financial services respondents feel that human error represents the greatest challenge or risk to database security while 24% state that abuse of privileges are the greatest threat.

Showing the heightened awareness of the insider threat in the financial services marketplace specifically, 77% are mostly concerned with human error and nearly half (48%) are kept awake at night at the thought of insider privilege misuse.

Among the respondents aware of a data breach that occurred over the past months, two-thirds (66%) indicate that it was a result of either human error or an insider attack.

Other alarming findings suggest that most organizations are still not leveraging automated technology to handle complex database security activities, which can lead to significant wasted time and a far greater chance of human error caused by the tedious task of managing manual processes.

The database activities consuming the most time (with more than 25% of user time dedicated to the activity) according to the report are; database configuration and patch management (28%), database audit and threat management/database activity monitoring (18%), database user rights management (17%), database asset management (14%), database vulnerability management (13%) and database policy management (11%).

Not surprisingly, the Sybase user community feels that there is a wide disconnect between the individuals charged with ensuring database security and their corporate management. While database professionals and managers are expected to oversee information security, many are not aware of the levels of corporate commitment.

What did come as a bit of a surprise is that the vast majority of respondents (73%) feel that most or all confidential data is adequately protected and more than half (56%) believe that it is unlikely that they will face a data breach – internal or external – within the next 12 months. Just 2% cite that the likelihood of an internal or external breach in the next year is “inevitable”.

“When you look at the survey results as a whole, some of the data just doesn’t add up,” said Joe McKendrick, Lead Analyst, Unisphere Research. “On one hand, users feel that they are doing an effective job in providing data security for their organizations, yet the data from some of the more pointed questions yield answers that are in direct conflict with that notion. This false sense of security could very well prove to be the most significant finding across this user group survey.”

The six-part, 39 question survey explored and revealed information about the current state of database security across organizations with Sybase databases in production, active management of data security, data exposure, compliance and auditing, data environments and company demographics.

The complete report is available here (registration required).