Tuesday, January 15, 2008

Ten Database Security Tips

As a direct marketer, I hear about database breaches and immediately think "BIG BUSINESS". I envision large financial institutions that collect data on millions of customers and imagine a scenario where stolen data results in large-scale lawsuits and identity theft mayhem. But, honestly, it's just as important (and perhaps even more important) for smaller businesses to ensure that their customer data is secure.

This article brings that point home: 10 Database Security Tips For Smaller Businesses

While storing sensitive or regulated information puts any company at risk, smaller businesses may have more to lose. "For small businesses, the impact of data loss is much higher, because they have less infrastructure," says Mark Kraynak, senior director of strategic marketing for Imperva. "They probably don't have backups, and they don't have the organizational wherewithal or response teams to handle a big public breach, or getting sued."

The article then proceeds to share ten solid tips that smaller businesses can follow to help keep their customer data secure.

I urge you to read the whole article, but I thought the following tips were especially solid.

Tip 5: Restrict Database Access -- both to the production database, as well as underlying hardware -- on a need-to-know basis.

Tip 6: Prohibit Wholesale Database Copying. A production database typically has a designated owner or gatekeeper. Yet who watches a database after it's been copied?

We see copies made and distributed all the time in the world of direct marketing. Someone requests a copy of the customer base to be used, for example, as a suppression file for an upcoming prospect mailing. The customer list is sent to an external data processing firm, perhaps. The campaign is implemented and no one ever thinks about that customer list again. Typically, nothing bad happens, but it takes only one instance of data theft.

We urge you to make sure that you have appropriate non-disclosure agreements in place with anyone who touches your data. Make sure that they specifically talk about how the processor must keep the data secure. That way, if something does happen, the fault will be on your processing vendor, and not on you.
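One way to put Tips 5 and 6 into practice in the suppression-file scenario above is to send the processor only what it needs to do the job, not the whole customer table. The added example below is not from the article or this post; it assumes a per-campaign secret salt shared with the processor out of band, and the customer rows are constructed sample data.

```python
import csv
import hashlib
import io

# Constructed sample customer table (not real data): the kind of list a marketer
# might otherwise hand to a processing vendor in full.
CUSTOMERS_CSV = """customer_id,name,email,street,city,lifetime_value
1001,Ann Example,Ann@Example.com,1 Main St,Springfield,450.00
1002,Bo Sample,bo@sample.net,2 Oak Ave,Shelbyville,120.00
1003,Cy Test,cy@test.org,3 Elm Rd,Ogdenville,980.00
"""


def normalize_email(email):
    """Match on a canonical form so case or stray spaces do not defeat suppression."""
    return email.strip().lower()


def hashed_token(email, salt):
    """Salted SHA-256 of the normalized address (salt is a per-campaign assumption)."""
    data = salt.encode("utf-8") + normalize_email(email).encode("utf-8")
    return hashlib.sha256(data).hexdigest()


def build_suppression_file(customers_csv, salt):
    """The minimal file to share: one hashed email per customer, no names, addresses
    or values. Sorted and de-duplicated so row order reveals nothing about the source."""
    reader = csv.DictReader(io.StringIO(customers_csv))
    return sorted({hashed_token(row["email"], salt) for row in reader})


def suppress_prospects(prospect_emails, suppression_tokens, salt):
    """What the processor runs: drop any prospect whose token is in the file."""
    blocked = set(suppression_tokens)
    return [e for e in prospect_emails if hashed_token(e, salt) not in blocked]


if __name__ == "__main__":
    salt = "campaign-2008-01"  # shared with the processor out of band
    tokens = build_suppression_file(CUSTOMERS_CSV, salt)
    prospects = ["ANN@example.com ", "new@person.com"]
    print(suppress_prospects(prospects, tokens, salt))
```

A file of salted hashes limits what a lost or forgotten copy exposes, but a holder of the salt can still guess-and-check individual addresses, so the non-disclosure agreement and the inventory of who holds the file still matter.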

Tip 7: Inventory Existing Databases: Locking down databases out of the box and prohibiting wholesale duplication may sound fine, but what about securing databases and copies that already are at large?

Companies must regularly find and inventory all existing databases. Know that one production database may hide many copies. "Typically, in a lot of businesses, you have the production database, but guess what, that database usually has a lot of copies -- developers have copies, for example -- and many databases correspond and make calls to each other," says Bowker.

Knowing where your data exists is a good thing for many reasons. Namely, if a data breach does occur, you'll be very well-positioned to find out where the theft happened in the first place. You'll also be well-prepared for any subsequent lawsuit showing that your firm has stringent practices in place to prevent data theft. A simple inventory of data assets goes a long way in showing that you do put a value on customer data and that you're serious about protecting it.

Overall, it may be time for firms, small and large alike, to put some serious thought into their database practices. News about a data breach is definitely the type of news we'd like to avoid in 2008!


John Fenton said...

Nice take on the bmighty.com article. Fits well with something I just posted, so I thought I'd let you know that I am linking to your post in a follow-up.

Suzanne Obermire said...

Thanks John for the comment and the link. Looking forward to seeing your post on security, too.