In the early 1990s, client/server computing became popular. Organizations linked multiple smaller computers together in a network to improve speed and access to data, and to lower their costs. Data warehouses and data marts were built on open systems using distributed databases. Organizations raced to acquire virtual mountains of data to improve the quality and speed of decisions. Data has been made widely available throughout organizations - it is as if some even hang neon "Hot Now" lights in their hallways to alert privileged data consumers that new data is ready for decision analysis. The problem is that during this race to make data widely available to privileged users and decision makers, not enough attention was paid to security and accountability. The data buffet has been opened and no one is watching what the data consumers consume.
With no one watching how valuable data is being used, changed, or accessed, the door is open to data crimes, thefts, and malfeasance. After enough individual citizens and investors have been harmed, government steps in and passes laws in an attempt to protect people. Today organizations face a myriad of legislation and regulations because organizations have failed to be good stewards of their, and our, data assets. Sarbanes-Oxley, for one, passed in the wake of Enron, is intended to protect investors from fraudulent financial reporting - reporting that is based on data, and whose accuracy executives must attest to. HIPAA attempts to protect consumers from inappropriate use of PHI (Protected Health Information) by providing privacy protections and requiring audit trails for access to that information. Other laws, regulations, and standards include GLBA, PCI, and California SB 1386. Even the FDA has regulations requiring data accountability.
But never mind the regulation alphabet soup. The laws and regulations exist today because organizations have failed to be good stewards of valuable data assets; they have failed, and continue to fail, to make privileged data consumers accountable for their access to, and updates of, data.
Symantec Corporation did a study in late 2006 and found that identities were commonly sold for $14 to $18 each on the black market. An individual whose identity has been compromised can spend months and hundreds of dollars attempting to restore their financial lives. And identities aren't the only valuable information stored in organization databases - trade secrets, intellectual property, customer lists, recipes, drug formulas, oil locations, inventory, financial data, and many more types of sensitive, valuable data are easily accessible to privileged users. I know. I used to be a privileged user in my former career - I was a database administrator (DBA), and a DBA can often easily access or update any data he or she chooses. DBAs rule the data kingdom, but they are not an organization's only concern. Any user who is given, or gains, legitimate access to data can easily steal, abuse, or inappropriately modify data, and they can do so without fear of repercussions if organizations are not actively monitoring data access. When no one is watching, it is easier to commit crimes.
When was the last time you went to a bank and didn't notice security surveillance cameras? Have you noticed surveillance cameras in jewelry stores? At my local Chevron gas station, there's a sign on the gas pump that reads "Smile - You're On Our Camera." - Apparently gasoline is valuable and the owner wants to deter and prosecute thefts. I went to my local Target store a few weeks ago to buy some new underwear. Lucky me, I found a great sale on a six pack for only $19.99. I looked up to thank my lucky stars for finding such a bargain and observed a security surveillance camera. "Imagine that," I thought, "my underwear is more valuable than my identity."
Every US state will tell you that driving is a privilege, not a right. The same is true of access to data - it is a privilege. State and local governments place surveillance cameras at intersections with traffic lights to deter drivers from abusing their driving privileges. The cameras can also be used to issue tickets to red light offenders and apprehend drivers who cause accidents.
Whether used by government, stores, banks, gasoline or underwear merchants, it seems that cameras that record activity provide effective deterrents to crime and a means to apprehend and help prosecute those who do not obey the rules.
Remarkably, many organizations are already wise to the value of surveillance. It is common practice for companies to actively monitor employee email activity. Email surveillance is clearly communicated in HR policies. If monitoring email activity provides security and value to a company, why aren't more companies actively monitoring access and updates to their valuable data assets?
In 2006, the Ponemon Institute conducted a study of 14 separate data breaches and found that the average cost to an organization was $14.8M, with the highest cost reaching $22M. Subsequently, TJMaxx stores reported the breach of 45.7M credit card numbers plus 455,000 merchandise return records which included driver's license information. The Massachusetts, Maine, and Connecticut Attorneys General have filed class action lawsuits seeking tens of millions of dollars in damages for these data thefts, which occurred over a period of years - unbeknownst to TJMaxx. Why? *** No one was watching. ***
The Ponemon Institute study further identified that the average data breach costs an organization $182 per compromised customer record. Remarkably, an identity thief pockets $14 from a theft that costs the organization $182 and the victim potentially hundreds of dollars and months of time spent trying to recover their good name and credit.
But wait, it gets worse. When organizations were asked who was responsible for the response to a data breach, 30% of the time NO ONE was responsible. How's that for a reprehensible lack of accountability? The same study found that the cost of new preventative measures averaged $180,000, or just 4% of the total breach cost, and not all organizations put electronic protections in place.
The good news is that the Big 4 auditing firms have become increasingly wise to data risks and vulnerabilities. Through their risk management and regulation compliance consulting services, they are helping organizations mitigate data risks and avoid material weaknesses in financial reporting. One of these four, in particular, prudently and commonly requires monitoring of database activity - especially the activities of DBAs. Not only does database activity monitoring improve data security by deterring data malfeasance and facilitating the apprehension of offenders, but the activity records can be used to create audit trails which satisfy regulation compliance audit requirements.
In the absence of database audit activity records, an auditor, CEO, or CFO cannot know with confidence that financial data has not been tampered with by a privileged user. And, without confidence, and in the face of the threat of fines and jail, it is difficult or risky to attest to the accuracy of financial information. If an auditor identifies a material weakness in internal Information Technology controls, then this will need to be reported in the company's financial reports. Material weaknesses typically cause a company's stock price to drop by 4-6% following the weakness disclosure.
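To make the "digital surveillance camera" concrete, here is an added illustration of the technique described above - a trigger-based audit trail that records who changed which financial row, with the before and after values - written in Python against SQLite. It is example code written for this post, not DBI's product and not code from any audit vendor. Because SQLite has no session-user function, the acting database user is taken from a one-row session table that the application sets; that table, the general_ledger schema, and the user names erp_app and dba_jsmith are all assumptions made for the example.

```python
import sqlite3
from typing import Dict, List

ROW_FIELDS = ("actor", "action", "entry_id", "old_amount", "new_amount")


def open_audited_db(actor: str) -> sqlite3.Connection:
    """Create an in-memory ledger whose every change lands in an append-only audit trail.

    Triggers copy each INSERT/UPDATE/DELETE on general_ledger into audit_trail
    together with the acting user. The one-row `session` table stands in for
    the DBMS session user (an assumption for this example; SQLite has none).
    """
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE session (actor TEXT NOT NULL);
        CREATE TABLE general_ledger (
            entry_id INTEGER PRIMARY KEY,
            account  TEXT NOT NULL,
            amount   REAL NOT NULL
        );
        CREATE TABLE audit_trail (
            seq        INTEGER PRIMARY KEY AUTOINCREMENT,
            actor      TEXT NOT NULL,
            action     TEXT NOT NULL,
            entry_id   INTEGER,
            old_amount REAL,
            new_amount REAL,
            at         TEXT NOT NULL DEFAULT (datetime('now'))
        );
        CREATE TRIGGER gl_ins AFTER INSERT ON general_ledger BEGIN
            INSERT INTO audit_trail(actor, action, entry_id, old_amount, new_amount)
            SELECT actor, 'INSERT', NEW.entry_id, NULL, NEW.amount FROM session;
        END;
        CREATE TRIGGER gl_upd AFTER UPDATE ON general_ledger BEGIN
            INSERT INTO audit_trail(actor, action, entry_id, old_amount, new_amount)
            SELECT actor, 'UPDATE', NEW.entry_id, OLD.amount, NEW.amount FROM session;
        END;
        CREATE TRIGGER gl_del AFTER DELETE ON general_ledger BEGIN
            INSERT INTO audit_trail(actor, action, entry_id, old_amount, new_amount)
            SELECT actor, 'DELETE', OLD.entry_id, OLD.amount, NULL FROM session;
        END;
        -- The trail itself must be append-only, or a privileged user simply edits it.
        CREATE TRIGGER audit_no_upd BEFORE UPDATE ON audit_trail BEGIN
            SELECT RAISE(ABORT, 'audit_trail is append-only');
        END;
        CREATE TRIGGER audit_no_del BEFORE DELETE ON audit_trail BEGIN
            SELECT RAISE(ABORT, 'audit_trail is append-only');
        END;
    """)
    con.execute("INSERT INTO session(actor) VALUES (?)", (actor,))
    return con


def set_actor(con: sqlite3.Connection, actor: str) -> None:
    """Switch the recorded acting user (models a different login taking over)."""
    con.execute("UPDATE session SET actor = ?", (actor,))


def changes_by_non_app_users(con: sqlite3.Connection, app_user: str) -> List[Dict]:
    """The auditor's question: did anyone other than the booking application touch the ledger?"""
    rows = con.execute(
        "SELECT actor, action, entry_id, old_amount, new_amount "
        "FROM audit_trail WHERE actor <> ? ORDER BY seq",
        (app_user,),
    ).fetchall()
    return [dict(zip(ROW_FIELDS, r)) for r in rows]


def trail_is_append_only(con: sqlite3.Connection) -> bool:
    """True if an attempt to erase the audit trail is refused by the database."""
    try:
        con.execute("DELETE FROM audit_trail")
        return False
    except sqlite3.DatabaseError:
        return True


def demo() -> sqlite3.Connection:
    """Constructed scenario: the application books revenue, then a DBA 'corrects' it directly."""
    con = open_audited_db("erp_app")
    con.execute("INSERT INTO general_ledger(account, amount) VALUES ('revenue', 1000.0)")
    con.execute("INSERT INTO general_ledger(account, amount) VALUES ('revenue', 250.0)")
    set_actor(con, "dba_jsmith")  # assumed DBA login, bypassing the application
    con.execute("UPDATE general_ledger SET amount = 9250.0 WHERE entry_id = 2")
    con.commit()
    return con


if __name__ == "__main__":
    db = demo()
    for change in changes_by_non_app_users(db, "erp_app"):
        print(change)
```

Running it lists the single ledger update made by dba_jsmith, with the old value 250.0 and the new value 9250.0, which is exactly the record an auditor or CFO needs before attesting that the figure was not tampered with. The caveat is the one that motivates monitoring DBAs in the first place: this trail lives in the same database the DBA administers, so a DBA can drop the triggers or the session table before making the change. A production deployment keeps the activity record somewhere the DBA cannot write to - a separate audit store fed by network capture or a host agent - so that the camera is not in the custody of the person it is watching.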
Why aren't more companies actively monitoring access and updates to valuable data assets?
Perhaps it is because that 4% cost of a preventative control isn't budgeted or will taint their otherwise glowing record profitability results. What, after all, is a few million in data breach costs to a multi-billion dollar organization? It is pocket change to the company but life changes to identity theft victims.
The data security problem becomes even more complicated when we consider web application users. Just the other day I watched a name-brand CRM application user download his company's entire contact database to his laptop. Then he put it on a jump drive and handed it to me. Information theft by privileged application users is very easy to do.
Organizations that are interested in deterring data crimes and capturing evidence to prosecute those who abuse their data privileges need to get serious about Database Activity Monitoring. DBI provides a solution named Brother-WatchDog® that can be implemented in 1-2 days at a price point roughly 75% less than Oracle's Audit Vault. With a digital surveillance camera in place that records access and updates to data assets, organizations can improve data security and regulation compliance.
Thanks for reading this long blog post. National and International Data Insecurity is obviously a topic I'm quite passionate about.
President & CEO, DBI