Your database -- and its privacy -- is crucial to your company's survival and success, but the bad guys are figuring out new ways to break into it. We talked with database security experts about how to protect and monitor a database and mitigate the damages should disaster strike.
If you thought only larger companies had to worry about database breaches, think again. Criminals are figuring out new and creative ways to break into all kinds of databases -- and they know that small and midsize companies are particularly vulnerable because they often lack an in-house IT staff. Add to that pending legislation that will require companies of all sizes to adhere to regulations in the event of a database breach that involves someone's personal information, and you have a stronger need than ever for some solid database security. Fortunately, there are tools out there to ensure just that, and Dan Sarel and Slavik Markovich, VP and CTO, respectively, of database security company Sentrigo, know all about them. bMighty talked with the pair about why database security is more important than ever and what a smaller company can do, frequently for free, to ensure that its private information stays that way.
bMighty: Why do we keep hearing so much about database breaches lately? And how does that impact smaller businesses?

Dan Sarel: Database breaches have been happening ever since the first database was created. But in the United States there are now regulations that force companies to publicize that they have been breached. For example, in the old days TJX [which suffered a massive database breach in 2007] would have suffered losses, but it wouldn't have looked so bad. The credit card industry also has a data security standard that they have implemented with their first-tier customers. But [soon] anybody who saves data that is sensitive and is payment card-related will have to adhere to certain standards, and much of it is about database security and how you store data. It's stuff that most companies aren't doing but they will need to be doing. It started with the big guys, but it is trickling down.
bMighty: What about government regulations? Do smaller businesses have to start worrying about living up to those standards?
Sarel: Yes. An example is a state of California bill that says that if breaches occur that expose data that belongs to a California resident, if any private information can be accessed, they need to let that person know. And that's any size company anywhere in the country. At least half of other states have enacted similar legislation. The bottom line is if smaller businesses are not dealing with the issues [of database security] either because of legislation or PCI DSS [Payment Card Industry Data Security Standard] -- they will.
bMighty: Why are there more database breaches now? Are there more bad guys?
Sarel: More bad guys are understanding the potential. It used to be they sent guys with guns into a bank. Many realized it's easier to break into a database.
Slavik Markovich: It's becoming more of a problem with insiders -- even in a smaller company. Everyone has a firewall, but it's easier to try to breach a firewall from the inside. You just apply and get a job. They are also breaking in through a wireless network of a business. There are various ways. The point is, if you have a database they'll be trying to get in. You have to know it could be your employees as well as coming from the outside.
bMighty: Are smaller businesses more vulnerable to database breaches?
Sarel: In many cases, in small and midsize businesses, their expertise is not necessarily IT. Many times they employ consultants, and this could be a security issue.
Markovich: Also, if someone drops their USB key, someone can pick it up and stick it in their desktop. Someone can run a code, like a Trojan, and it's one of the easiest ways to attack an organization. There are lots of other ways. There was a survey [from security guru David Litchfield] that showed there are a lot of databases exposed on the Web, and more of them are from small and midsize businesses. It showed that many databases that are directly exposed to the Web are easy to attack and gain access to. There are numerous vulnerabilities to exploit. It's more common in small and midsize businesses because they do the easiest and cheapest things. They have databases they need to protect, but small and midsize businesses don't have the big budgets.