The typical small and midsize business builds and administers its databases for performance and high availability -- not security. Make sure your database doesn't bite back
What do recent well-publicized data breaches have in common? With the exception of lost laptops, purloined handheld devices, dumpster divers, or someone physically nicking a PC from the office, all breaches involve a common entity: the database.
"At least one-third of the more than 200 million personal records compromised over the last two years were taken from a database," says Ted Julian, VP of marketing and strategy for Application Security, citing data breach statistics from the Privacy Rights Clearinghouse. Furthermore, the frequency and severity of breaches is increasing. According to the Identity Theft Resource Center in San Diego, nearly four times as many Americans had their personal information stolen in 2007 as in 2006.
Don't let databases fool you. Sure, their names may sound stately (Oracle, Ingres) or innocent (MySQL, SQL Server, Sleepycat). Yet no database, just out of the box, is secure. In addition, because databases concentrate so much potentially lucrative information in one place, they're prime targets. "Databases are really where the crown jewels of the business are stored," notes Mark Bowker, an analyst at Enterprise Strategy Group. That applies regardless of a company's size.
Thanks to the scale of their operations, however, larger organizations do get more data breach limelight. In September, for example, Ameritrade disclosed a breach involving more than 6.3 million customers' data. Meanwhile, the TJX Companies -- owners of retail stores T.J. Maxx and Marshalls -- recently offered to settle a massive class action lawsuit arising from its improper storage of, and failure to secure, 45.7 million customers' credit card data.
While storing sensitive or regulated information puts any company at risk, smaller businesses may have more to lose. "For small businesses, the impact of data loss is much higher, because they have less infrastructure," says Mark Kraynak, senior director of strategic marketing for Imperva. "They probably don't have backups, and they don't have the organizational wherewithal or response teams to handle a big public breach, or getting sued."
Next Page: 10 Steps Toward More Secure Databases
