Organizations Suffering from Failed Database Audits and a Lack of Clear Controls for Database Protection; Study Reveals Misplaced Spending Priorities for Data Security
NEW YORK – December 08, 2009 – Application Security, Inc., the leading provider of database security, risk and compliance solutions, today announced the results of its 2009 "Database Security and Compliance Risks" survey with Enterprise Strategy Group. The study profiled 175 enterprise organizations, and the statistics revealed that enterprise organizations have reached a crisis state in database protection.
This study reveals that 60% of organizations don't feel their existing database controls adequately protect their organization's confidential data. In addition, the data reports that nearly 70% of organizations do not feel that their existing database controls are well-defined, indicating that over two-thirds of organizations lack an adequate plan and approach to protect confidential data.
The survey reveals that despite the fact that over two-thirds of organizations are spending moderate to significant amounts of time writing custom scripts, remediating compliance issues, and engaging in associated tasks, 38% of organizations still failed database security audits. The study further reveals the troubling statistic that less than 4% of IT budgets are spent protecting the data where it lives – in the database.
"We're at war with the cyber criminals and clearly we are not winning," said John Ottman, president and CEO, Application Security, Inc. "2009 saw a sevenfold increase in records breached, and our research is an acknowledgement by enterprise IT security executives that we are in the midst of a crisis."
"This year's data reflects increased risk to the enterprise database, and a clear lack of understanding of what it takes to protect confidential information," said Jon Oltsik, senior analyst, Enterprise Strategy Group. "Organizations must establish clear controls for database protection and consider re-prioritizing security budgets."
Additional key findings:
- Only 37% of organizations feel they meet compliance standards relative to protecting their company's information.
- Respondents cited that failed audits are largely based on a lack of an effective access control policy, reporting/audit process issues and multiple technology issues.
- Internal audits and Sarbanes-Oxley audits top the list of the types of security audits organizations are failing in 2009. The 2008 survey demonstrated that respondents reported higher failure rates for PCI, HIPAA, GLBA and FISMA audits.
- Over half of enterprises surveyed cite budget constraints as an issue impacting their ability to protect their database systems – an indication that the economy is still playing a role in this growing problem.
- The two leading root causes of data breaches cited were human error (53%) and external attacks (34%).
Survey webinar and report information
Application Security, Inc. will be hosting a webinar to discuss the research findings. Jon Oltsik, senior security analyst with Enterprise Strategy Group, and Thom VanHorn, vice president, global marketing, Application Security, Inc. will be the presenters.
Title: Enterprise Database Security Controls: Unmasking Today's False Sense of Security and Compliance
Date: Tuesday, December 8, 2009
Time: 2:00 PM - 3:00 PM EST
To download a copy of the comprehensive "Database Security and Compliance Risks" report executive summary and Application Security, Inc. Solutions Brief, please visit www.appsecinc.com.
About Application Security, Inc.
Application Security, Inc. is the leading provider of agentless database security, risk and compliance (SRC) solutions for the enterprise. Application Security, Inc.'s agentless approach - AppDetectivePro for auditors and IT advisors, and DbProtect for the enterprise - delivers the industry's most scalable database SRC solution and is in use around the world in the most demanding environments by over 2,000 customers. The company was named to Inc. Magazine's 2007 (Inc. 500) and 2008 list of America's Fastest Growing Private Companies, and was also named to the 2008 Deloitte Technology Fast 50 by Deloitte & Touche.
For more information, please visit www.appsecinc.com.
DbProtect is a trademark of Application Security, Inc. All other product names, service marks, and trademarks mentioned herein are trademarks of their respective owners.
Application Security, Inc.