Most companies are far too optimistic regarding security

According to a study released this morning, troubled times and sloppy security may prove a mighty temptation for hackers or even disgruntled employees -- and companies' overly high opinions of their own security don't help.

The Enterprise Strategy Group, which conducted the Database Security Controls study in conjunction with Application Security Inc., spoke in October to 179 IT decision-makers working in enterprise-class organizations (meaning those with 1,000 employees or more). The 27-item questionnaire inquired about security budgets, breaches, controls and audits.

It's not pretty. Tom Bain, director of marketing and communication for Application Security, notes that 84% of the companies surveyed said that all or most of their confidential data is protected...and 56% percent said they'd suffered at least one breach in the previous 12 months. Another 5% said they weren't sure or didn't know.

The picture's even more gruesome when you ask about failure to comply with standards such as PCI-DSS and Sarbanes-Oxley. Some 38% of the companies queries said they'd failed at least one audit in the previous twelve months, with 11% more unsure or not talking. 18% of those queried had failed a PCI audit; 11% missed SOX compliance; 16% fell down on HIPAA, GLBA or FISMA, and 21% managed to biff general security/IT internal checks.

"These companies aren't even taking non-optional measures seriously," said Bain, "let alone protecting sensitive data."

And yes, there's sensitive data at risk. Some 96% of companies polled say they store a moderate to large amount of customer data in databases; 90% store significant portions of intellectual property; 97% say they've got a significant amount of business confidential info in databases, and 93% say they keep significant portions of employee data in databases. Those databases are protected mainly by encryption (58%), discovery tools (40%), or, frankly, a shrug. Interestingly 18% of those surveyed weren't entirely confident their organizations even know which databases hold confidential info.

So what's with the high corporate self-esteem? Well, senior management's still smiling; those surveyed said that 81% of their leadership was confident or extremely confident in the company's current database security controls. (The respondents themselves were 79% confident or extremely confident.)

Maybe the smiles are just gritted teeth. Responsibilities for database security are generally split among various constituencies -- database admins (42%), sysadmins (57%), application administrators (40%), network admins (49%), data center managers (58%), the operations group (60%), and security administrators (66%).

Readers familiar with IT's various tribes will immediately see the potential for conflict.

"Ownership, or lack of ownership, is a problem," says Bain, pointing out that work-culture conflicts between admins, IT management, and security guys -- "security guys always say no!" -- can lead to a lack of management finesse, which over half the companies surveyed indicated was a problem to at least some degree.

That's going to be a problem, because as staffs shrink, the economy gets weirder, and more data sifts into database management systems, the databases become a very, very tasty target for ne'er-do-wells. Bain cites disgruntled former employees, hungry hackers, and the likelihood of corporate acquisitions as three potential pain points for database security.

Acquisitions? Yes. "When one company absorbs another," says Bain, "we think about the jobs. But one of the more intricate issues is migrating the IT infrastructure." Security, compliance and procurement all play a part in the process, and it's all too easy for a canny hacker to identify a potential weakness early in the process and bide his time until rising mayhem can cover his tracks.

All these factors combine, ESG believes, to augur a definite increase in breaches in 2009; 73% of respondents agreed. And the key to fighting back is, alas, to get senior management out of that complacent mindset.

"Budget is absolutely an issue, and will be an issue in 2009," says Bain, and getting management buy-in on such systems as encryption (an expected purchase for 42% of companies), vulnerability scanners, ID and access-management systems, and activity monitoring tools is essential.

But security and compliance folk softly weeping at the prospect of groveling for recession-era budget can take heart, because they've got friends -- the kind with law degrees. States such as Massachusetts, New York, and New Jersey are getting serious about security and compliance for companies that do business within their borders, and the international interest isn't shrinking either.

High corporate self-esteem is nice, but it's no match for the feeling of quiet relief when the subpoena doesn't have your name on it.