A recently published study shows that database administrators don’t fully understand security. According to these fresh findings, database administrators and IT decision-makers in general admit to knowing very little about security issues like change control, patch management, auditing etc. This survey was conducted on 214 Sybase administrators belonging to the International Sybase User Group.

“A majority of respondents admit that there are multiple copies of their production data, but many do not have direct control over the security of this information,” the survey report stated. “Only one out of five take proactive measures to mask or shield this data from prying eyes.”

According to the report’s author, Unisphere Research analyst Joe McKendrick, the ISUG survey is the first released of a series of similar database security surveys being conducted across various database user groups, including those running other platforms such as Oracle and SQL Server.

“This [ISUG survey] pretty much follows the same script [as the survey responses in the other database environments,” McKendrick said. “It’s very consistent — with a very common theme across all of these different user groups and technology bases — that there is a disconnect between management and security.”

The biggest problem seems to be the understanding of change management and patch management, as 37of th% e respondents did not know how to correct unauthorised changes to the database or how long this would take.

Another 35% stated that they rarely apply security patches or did not know how frequently these patches were applied. Almost two thirds of database manipulation have no automated software for database setup or patching.

Surprisingly, almost 50% of the respondents do not believe they will experience security breaches in the next year.

These results are not at all surprising according to Rich Mogull the founder Securosis analysys firm.

“We still see very much a split between the database and security worlds — and not nearly the level of communication between the two of them that we’d like,” Mogull says.

Security experts strongly state organizations need to do a better job in increasing access to data assets for both DBAs and IT professionals.

“We need to ask ourselves, ‘Where are these pieces of classified information and bank account numbers and sensitive organizational data being stored in the databases? Can we identify all the databases they’re in?’” Hutton explains. “And then we can figure out how to create a control structure that prevents, detects, and responds to incidents against that database.”

Experts have also pointed out many organizations fail to properly audit their data to ensure that the policies and controls put in place are actually working. According to McKendrick, the recent survey found that only 16% of organizations perform regular database audits once a month. Another 32% either say they don’t know how often audits are performed or never perform them at all.

The UK government decided to invest £63 million in fighting against cyber crime for the next four years. This is but a part of the  £650 million funding allotted to national cyber security, according to recent reports. Home secretary Theresa May, has revealed the amount at an informal meeting with the interior ministers of France, Germany, Italy, Poland and Spain, said a report on eGov monitor.

The Strategic Defence and Security Review last October marks the point when the UK government first stated its intention to get tough on cyber crime. Downing Street pledged a further £500 million to a national cyber security program despite having decided to cut budget in other areas.

The UK government also shows keen interest in building upon the existing knowledge and expertise in the Serious Organised Crime Agency and the Metropolitan Police Central e-Crime Unit (PCeU).

According to Neill Blundell, partner and head of fraud at international law firm Eversheds, the announcement is significant, given the scale of the austerity measures introduced by the coalition government.

“This type of crime is technically difficult to investigate and very expensive to tackle,” he said. “The government understands that the repercussions of failing to control such crime could be very serious indeed, not only to those it directly impacts on, but because the cost of such crime can impact on the wider business community and our economy as a whole.”

After a very successful year 2010 and many product launches and recognitions, CoSoSys announced it had been acquired by leading European Unified Threat Management vendor Astaro. Astaro plans to take over and keep both the product range of the Romanian company and their team.

The two companies will continue to develop CoSoSys’ existing range of endpoint and mobile data security solutions,and will also  collaborate on integrating CoSoSys’ device control, data loss prevention and endpoint security solution into Astaro’s Unified Threat Management solution, the Astaro Security Gateway, and on providing a level of overall security beyond any solution currently on the market.

“CoSoSys’ very talented team has created an impressive product portfolio to manage and secure the use of portable devices in companies,” said Jan Hichert, CEO of Astaro. “Unlike other solutions available in the security market, their Endpoint Protector solution is easy to use, centralized, offering comprehensive and unified endpoint and network protection. Their technology focus on both Windows and Mac platforms opens exciting possibilities for us to expand our security offering for our customers. We are looking forward to welcoming them to Astaro.”

“We are proud to work with Europe’s most skilled and dedicated network security team to build technologies that thousands of businesses will be using on a daily basis,” said Roman Foeckl, CEO of CoSoSys. “The acquisition by Astaro comes as recognition of the quality and innovation our solutions feature. We are all looking forward to continue innovating and developing solutions for the permanently evolving security challenges data security is faced with as part of Astaro.”

A recent survey by Forrester Research shows that the lack of qualified security staff is one of the main reasons IT managers cannot successfully secure the enterprise. Their survey of over 2,000 IT executives in the US, UK, Canada, France and Germany found that one of the key problems behind corporate IT security is getting qualified staff to do the job.Almost half of the It managers in the US and Europe are dealing with this issue.

“Security leaders feel that they simply don’t have enough staff to carry out day-to-day tactical activities while adjusting to major business and IT shifts and changing threats,” said Forrester principal analyst Khalid Kark.

According to the survey, the lack of funds is also an issue, as 29% of US companies and 23% of European companies have dealt with IT funds shortages. One in three US managers, as opposed to one in five European managers, reports that too much time is spent on day-to-day activities.

Employee perpetrated fraud has lost the average company about 5% of it’s revenue in the year 2009, the stealing of company sources representing up to 90% percent of the incidents. Employees tend to be tempted by privileged access to data and commit fraud. According to a report published by the Association of Certified Fraud Examiners (ACFE) this type of fraud is the most damaging, causing a loss over $4 million.

“They have a high level of access, which gives them a greater opportunity to commit fraud,” Ben Knieff, director of product marketing for fraud products at Actimize said.

In order to prevent such fraud there are a few proactive steps a company can take:

Limiting Access To Critical Data – as data is difficult to contain, companies should keep employees under constant surveillance; access to critical data should be limited to a number of authorized employees.

According to Shane Sims, director at PricewaterhouseCoopers’ forensic practice, even if companies cannot successfully control the movement of data inside their networks, knowing which employees access the most important data can be enough to prevent the most significant potential frauds.

Using the inside advantage – when it comes to fraud, insiders have an advantage as they know the network and corporate policies; however, companies can also collect a great deal of information that would not be available outside the network, in the case of external perpetrators.

Employee tapping – by training their employees, companies can benefit from having them detect malicious behavior of other employees.

According to an ACFE report, 40% of insider fraud cases are flagged by a third party, and half of these tips are made by an employee. According to the same report, 43% of the perpetrators are living beyond their means, and more than 30% have financial problems.

Last week, a worm called “Here you have” has started spreading. Among the first targeted companies was Intel. The damages were minor, in part because of the companies traditional defenses, but mainly because of well trained employees.  Malcom Harkins, chief information security officer at Intel states that the employees started calling IT as soon as they saw the worm.

“The employee base saw it, they reacted really quickly, and helped us contain it by alerting us to it and then telling others not to click on it,” Harkins says.

Due to the fact that mobile devices nowadays allow more and more people to work from virtualy anywhere, companies need to start treating their employees as security partners.

According to recent studies, employees are  increasingly bringing personal devices, such as smartphones, netbooks, or pads into the work place. The usage of web-services such as social networks has increased.

According to Ted Schadler and Josh Bernoff’s, new book – Empowered, managers should encourage and help their employees to use innovative technologies in order to helo their companies thrive.

Rather then be to obstructive and make employees “do an end-run” around them, managers should try to both protect and instruct their employees in the ways necessary to avoid threats, not only protect against them.

“We rethought our security strategy and, you know what, people are the new perimeter,” Intel’s Harkins says. “So if you embrace that part of that perimeter, I think your monitoring and detection increases dramatically, which then gives you a much better response time to mitigate exposures.”

Recruiting employees through training should provide and additional contingent of security helps besides the deployment of data security technology. It is also recommended that the security teams should use innovative technologies to help their mission.

To such and end, Intel Sets up occasional “Web jam” sessions, which are somewhat collaborative session that include both members of the security teams and other employees, in order to build awareness for security and corporate policies. Social networks have proven to be a great help toward this end, as people like discussions and debates.

Harkins and Schadler say that mistakes are part of the learning process. Taking responsibility will empower employess towards helping security rather then hindering it.

As a conclusion, we can safely say that in order to achieve a better level o data security it’s best to give your employees some freedom and allow them to make their own mistakes. They will feel more at ease and no try to go over your head using today innovative technologies and also, they will come to you, their manager with various problems or possible threats.

Tired of being the main target of cybercriminals and other mean characters of the virtual world, SMBs are reconsidering their stand of security and starting to seriously apply it to their corporate infrastructures. These are the finding of a new survey conducted by Applied Research and published by Symantec. The new report shows that SMBs views have drastically changed over the past year, leading to more spendings on IT security and giving security policies a higher priority.

“Last year when we conducted this survey, a lot of SMBs were very confident in their security posture, but they weren’t always clear on the threat,” says Monica Girolami, senior product marketing manager at Symantec, who worked with Applied Research on the study. “This year they realize that they have gaps in their security stance, and they’re getting more serious — in fact, they rated data loss and cyberattacks as their top risks, even above natural disasters.”

If you’re wondering why this major shift, ask your self no more! It’s a mere cause and effect phenomenon: 42% of SMBs have lost data and the cost of a breach exceeds 188,000 USD. So insted of paying for the damages, better invest less in security and prevent them. Although it is happening rather late, it is still a smart move!

The respondents ranked data loss and cyberattacks as their top business risks, ahead of traditional criminal activity, natural disasters, and terrorism, according to the report. SMBs are now spending an average of $51,000 a year — and two-thirds of IT staff time — working on information protection, including computer security, backup, recovery, and archiving, as well as disaster preparedness.

When it comes to high-level executives, the rules of the game often change. They are used to ask for exceptions to be made for them, backdoors to be opened and a whole different set of rules to be applied. This is what turns them in one of the biggest threats to corporate security.

According to Jayson Street, CIO and managing partner of Stratagem 1 Solutions, senior executives often circumvent security rules and policies to suit their needs and whims at the expense of security. The negative effect is that the special treatment leads to enabling cybercriminals to easily gain access to corporate networks by impersonating as management personnel. That is why, because of their systems privilege and access rights, they become ideal targets for all those wanting to hack into corporate networks.

“[Hackers are] not going after the bank teller, [they are] going after the bank president, because the tellers have USB drive rights deactivated, they have controls on where they can go on websites.” Street recounted how he was able to access the server room of a hotel simply by gathering information through social networks such as LinkedIn and Twitter of the owner, then sending an email to the access control personnel masquerading as the CEO of the tech support organisation. When the staff was later asked why he allowed Street access, he said: “Because [the boss] sends email messages like these all the time! He asked, and he’s the owner — you have to let him do what he wants.”

What can companies do to stop turning their top dogs into easy targets? Jayson Street recommends that IT security experts should stop enabling them and instead explain how fast they can become victims of cybercriminals. Lower rank employees should also be encouraged to report abnormal behaviors in order to maintain a safe environment. Also, educating all users about how and social engineering, impersonation, identity theft and other such menaces occur could also prove to be very effective.

There have been so many news lately about stolen hardware with important data, server hacks, security threats embedded in any new gadget that gets launched (like the iPad), that it could make anyone think all security companies and experts care about is pointing warning fingers towards anything cool someone would think of using. With all these stories, some of which we’ve shared on our Twitter stream, security becomes this two-headed monster that’s there to kill the fun in technology.

But that’s far from being true! Effective security is about playing it smart: seeing what could happen and preventing it, while allowing people to still have their share of fun. We tend to forget that, but that is the purpose to security in general and endpoint and data security in particular. iPods, iPads, colorful USB sticks, netbooks, smartphones, cameras, you should use it all as long as they help you work better and make your life easier. You should use them at home, in the office, while commuting, the idea is to know what threats they pose and how to prevent them.

Security experts to concentrate on everything bad that’s happening. The reason is simple, if companies and individuals don’t fear the consequences, they tend to ignore the risks. The all present mantra “It can’t happen to me” is their shield against all attacks and breaches. So there is a reason and a purpose behind showing off all the bad stuff, but that should never cast a shadow over the real goal of security: making your life safer and better.