SURVEY REPORT SPON. Identifying Critical Gaps in Database Security. Published April 2016. An Osterman Research Survey Report.


SURVEY REPORT. Identifying Critical Gaps in Database Security. An Osterman Research Survey Report, sponsored by DB Networks. Published April 2016.

Osterman Research, Inc., P.O. Box 1058, Black Diamond, Washington 98010-1058 USA. Tel: +1 206 683 5683, Tel: +1 206 905 1010. info@ostermanresearch.com, www.ostermanresearch.com, twitter.com/mosterman

EXECUTIVE SUMMARY

Osterman Research conducted a survey with members of its survey panel to determine how well positioned organizations are to address issues surrounding database security, their ability to prevent data breaches, and their preparedness to address the security of critical data assets and databases, among other issues. The survey was conducted during February and March 2016, with 209 members of the Osterman Research survey panel responding and identifying as qualified respondents. In order to qualify for the survey, respondents were required to confirm general knowledge about databases and database security practices in their organization, and their organization had to have at least 300 employees. The mean number of employees at the organizations surveyed was 22,142. The research for this report was underwritten by DB Networks.

KEY TAKEAWAYS

Here are the key takeaways from the research conducted for this report:

Only 19% of organizations currently have what they consider to be excellent visibility into their data and database assets. Many organizations have limited insight into the existence of all databases in the company. Because unknown and unmanaged databases may contain sensitive information, and because a compromise of one of them may render peer databases susceptible to attack, this lack of visibility makes organizations significantly more vulnerable to data breaches.

Forty-seven percent of those surveyed have not assigned an individual and/or a team to oversee database security. The ramifications of this are significant: unmanaged and unpatched database systems pose a large attack surface that can be exploited by cyber criminals.

In the context of data breaches, respondents are most concerned about compromised credentials as the primary cause of a data breach. Many high-profile database breaches have resulted from the abuse of legitimate logon credentials. Once an attacker has obtained the proper credentials, they can pose as a privileged insider and breach databases. At that point they can potentially access sensitive assets and set up a channel to exfiltrate an entire data set to an off-site server.

Only 62% of the organizations surveyed have the mechanisms and controls in place that would allow them to continuously monitor their organization's databases in real time. This lack of continuous monitoring can make infiltration by cyber criminals easier and more effective because of the excessive dwell time that the average intruder enjoys.

Our research revealed that, in most organizations, a data breach caused by the use of compromised or abused credentials could not be immediately discovered. This is a critical problem given that the Mean Time to Identify (MTTI, or dwell time) a breach can be measured in months, not hours or days. This gives intruders the opportunity to spend significant amounts of time exploring the types and locations of an organization's data assets, identifying the high-value targets for exfiltration, and stealing them in ways that are less likely to be detected.

SURVEY FINDINGS

VISIBILITY INTO DATA ASSETS

Our research found that 81% of organizations currently do not have what they consider to be excellent visibility into their data and database assets, as shown in Figure 1. However, the vast majority (more than three in five) believes that their organization has good visibility into these assets, while nearly one in five has only limited or little/no visibility.

Figure 1: Level of Visibility Into Data and Database Assets

© 2016 Osterman Research, Inc.

LACK OF SPECIFIC RESPONSIBILITY FOR DATABASE SECURITY

As shown in Figure 2, 47% of organizations do not have an individual and/or a team that is directly responsible for database security (a small number of survey respondents were not sure whether their organization had such an individual or team). This demonstrates that many organizations are not treating data and database security as seriously as they should.

Figure 2: Is there an individual and/or team directly responsible for database security in your organization? (Among survey respondents who could answer the question definitively)

We wanted to determine whether there were significant differences among organization sizes between those that had and those that had not assigned specific responsibility for database security to an individual and/or a team. We discovered that 30% of organizations with 1,000 or more employees had not assigned database security to an individual or team, rendering them significantly more vulnerable to threat infiltration and data breaches.

SIGNIFICANT CONCERN OVER DATA BREACHES

As shown in Figure 3, when respondents were asked which database security issues concern them, compromised credentials was the top concern. Of nearly as much concern was the potential for the organization to experience a major data breach, as well as the inability to identify data breaches before they have occurred.

Figure 3: Concerns About Key Data-Related Issues (Percent Responding "Concerned" or "Very Concerned")

MANY DO NOT HAVE DATA BREACH DETECTION TOOLS IN PLACE

One of the more serious and troubling issues we uncovered in our research is shown in Figure 4: 39% of organizations surveyed lack the tools necessary to identify a database breach resulting from compromised or abused credentials.

Figure 4: Does your organization have the tools to become aware of a database breach if it were to happen using legitimate, but compromised/abused, credentials?

RELATIVELY LOW CERTAINTY ABOUT KEY DATABASE ISSUES

Respondents were asked to rate their degree of certainty about a variety of key issues related to their database assets. As shown in Figure 5, 59% of survey respondents lack a high degree of certainty about which applications, users and clients are accessing their databases.

Figure 5: Certainty About Key Database Issues

MANY ORGANIZATIONS CANNOT READILY DETECT DATA BREACHES

Our research also revealed that a data breach resulting from compromised or abused credentials could not be discovered quickly. As shown in Figure 6, while 21% of survey respondents indicated that they could discover such a data breach almost immediately, most could not.

Figure 6: Speed With Which a Data Breach Using Compromised/Abused Credentials Would Be Discovered

MANY DO NOT HAVE REAL-TIME DATABASE SECURITY MONITORING

As shown in Figure 7, 38% of the organizations surveyed do not have the mechanisms and controls in place that would allow them to continuously monitor their organizations' databases in real time.

Figure 7: Does your organization have mechanisms and satisfactory controls to continuously monitor your organization's databases in real time?

GROWING EMPHASIS ON DATABASE SECURITY

Database security is becoming increasingly important over time. As shown in Figure 8, perimeter security receives a significant or a great deal of emphasis in 70% of the organizations surveyed, and this will increase to 77% over the next 12 months. However, while database security receives somewhat less emphasis than perimeter security today, the proportion of organizations giving it a significant or a great deal of emphasis will increase at a much faster pace over the next 12 months. The emphasis placed on database security is closing the gap with the emphasis placed on perimeter security.

Figure 8: Emphasis Placed on Perimeter and Database Security, 2016 and 2017 (Percent Responding "Significant Emphasis" or "A Great Deal of Emphasis")

FREQUENCY OF DATABASE ACTIVITY ASSESSMENTS

Our research revealed that only 20% of organizations surveyed conduct database activity assessments on a more or less continuous basis, as shown in Figure 9. In fact, slightly more than one-half of respondents conduct these assessments very infrequently (only once per quarter or less often), and 6% of organizations never conduct these assessments.

Figure 9: Frequency of Database Activity Assessments

DATA BREACHES WOULD CAUSE SERIOUS PROBLEMS

Fifty-eight percent of those surveyed believe that the breach of data from a critical corporate database would cause serious or catastrophic problems for their organizations, as shown in Figure 10. Only one in 25 survey respondents believe that the impact of a data breach from a critical database would cause only minimal problems, while another 38% believe the issue would cause problems that the organization could manage.

Figure 10: Perceived Damage from the Breach of a Critical Database

OBSERVATIONS ABOUT THE DATA

Osterman Research offers a few high-level observations about the data presented in this survey report:

Successful organizations run on, and are dependent on, the creation and consumption of information. But information is valuable to an organization only if decision makers and others that need it know where it is, what's in it, what is shareable and by whom it is shareable. In other words, the need is for managed information, and for information that is protected from data breaches and other potential infiltrations resulting from hacking, malware and insider theft.

Most organizations are struggling with the problem of too much electronic data: how much of it there is, what it contains, who has access to it, where it is currently stored, and how long it should be kept. In other words, how to govern it more effectively. The sheer volume of information, combined with the speed of its accumulation and the lack of effective management, is at the root of the problem. This surplus of electronically stored information is, in reality, driving up the cost of storage, raising the cost and risk of ediscovery and regulatory compliance, negatively impacting employee productivity, and raising the prospect of intellectual property theft and breaches of sensitive and confidential corporate data.

To get a better handle on this data management problem, organizations should take a long, hard look at the main problem: a lack of any effective enterprise-wide information governance. After recognizing the importance of this issue, organizations can then take action, such as creating an enterprise-wide information strategy, developing use policies and an information retention schedule, and adopting information management automation. These will enable the organization to systematically find, categorize, manage and defensibly dispose of data stored in its databases in a timely, cost-effective manner.

Organizations need to conduct a thorough audit to understand where all of their data is located, who has access to this data, the specific legal and regulatory obligations to which this data is subject, the identity of the data stakeholders, and other relevant information. This is essential in order to build a map of sorts that will help decision makers understand the security risks they face and how to prioritize their resources in closing the security gaps that exist.

Organizations must monitor the risk levels associated with their data assets, corporate systems and other tools that users may employ, in response to regulatory requirements, advice from legal counsel, recent data breaches, cybercriminal activity and other factors. For example, a database might contain non-sensitive data that can safely be accessed using only a username and password. However, a change in an organization's offerings or a new industry regulation may mean that sensitive data will be added to the database, thereby increasing the risk of inappropriate access to that content store.

If organizations cannot identify a successful security compromise, decision makers may never know that a particular event took place until it's too late. As a result, while decision makers have correctly acknowledged the security compromises of which they are aware, those about which they are not aware pose a more significant problem. It is likely that the actual rate of successful infiltrations or other leakage events is much higher than discussed in this report because of poor organizational systems for tracking successful threats.

© 2016 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.