
July 17, 2023

Database Security: Why Should It Be High Priority for the C-Suite?

Database security is rarely a top priority for business stakeholders. After all, isn’t that what the IT department is paid to handle?

That attitude is increasingly viewed as short-sighted, to put it politely. The risks that come with loose data governance and poor database security touch on everything that company leadership should care about: intellectual property, brand reputation, efficiency, and costs.

Consider an analogy: To secure your home, you might hire a locksmith to put a better lock on your front door. But once that is done, the job of securing your home is not done. Who needs a key to that door, and how do you ensure that only the right people have those keys? How do you secure other entrances, like windows? What do you do if a lock turns out to be faulty? Most importantly, how do you discourage intruders and burglars in the first place?

What this analogy brings into sharp relief is that, while an expert can help implement a part of a security plan, the plan, and its maintenance, are ultimately up to us. The same goes for large organizations: While experts can help advise on, structure, and implement a security plan, it will be leadership’s job to create, prioritize, and enforce that plan. In short, database security is not a technical detail; it is a strategic choice.

Why Database Security is a Strategic Choice for Companies in 2023 and Beyond

To understand why database security is a strategic choice, it helps to understand how a lack of security presents risks that interfere with company goals and aspirations:

Intellectual property and data theft. One of the most common risks of poor database security is data theft. Theft of intellectual property, whether trade secrets, proprietary methods, or legally protected material like source code, can do enormous damage to your business. Often the theft happens either because a current employee was careless, or because a past employee still retained access to the data when they should not have.

Repercussions of non-compliance. Regulatory fines, like those issued under the GDPR, have climbed into astronomical ranges in recent years; one judgment against Amazon resulted in a €746,000,000 fine by itself. There are a total of 128 countries worldwide that either have data privacy legislation in place, or have it in the works. (For comparison, only 126 have laws that protect against workplace discrimination, and only 119 have “freedom of information laws.”) A company doing business in any of these countries might be exposed to the risk of fines if it does not do what is required to protect private data.

Downtime and remediation costs. One of the unfortunate realities is that discovering a breach is just the start of a longer process. Sometimes, the fix is simple and can be deployed within hours (although the remediation cost might still be high!). Other times, the fix could take hours or days to prepare, test, and deploy. In any kind of live-service environment, this can create a very difficult situation. Companies can’t let breached systems continue to operate, as they risk increasing the amount of exposed data. If a fix is a long way out, that can lead to significant lost revenue and possible disruption that is noticeable to your customers.

Brand reputation and brand damage. While it might seem that the costs of a data breach are confined to remediation and regulatory fines in the months after a breach is disclosed, the effects can easily last far longer. Customers tend to lose trust in the brand, especially in an industry where trust is a high priority—think financial services or healthcare. Vendors can lose faith, too.

The results can be seen in shareholder value. After a data breach is disclosed, the share price of a breached company falls by -3.5% on average over the next 110 days, and underperforms the NASDAQ by approximately the same percentage. After one year, the share price falls -8.6% on average, and underperforms the NASDAQ by the same. After two years, the average share price falls -11.3%, and underperforms the NASDAQ by -11.9%. While these are only averages, the lesson is clear: companies that do not govern their data well tend to lag behind the average, with results that only get worse over time.

Isn’t This Just Cybersecurity? 5 Considerations for Securing Your Database

One might wonder if all of the above risks are just overarching reasons to invest in cybersecurity more generally. They are—but there are aspects of securing a database that are, unfortunately, routinely overlooked:

  1. Multiple locations. Rarely is it the case anymore that data simply “sits” in a single database or data lake. Consider data for a hotel chain, for example. A bit of client data might sit in one database for marketing purposes, another database for reservations and customer service, and yet another database for the rewards program. Each of these databases might have duplicate data in production and testing environments. All of that data is probably spread across both on-prem and cloud resources. The takeaway here is that one cannot assume that all data locations have been revealed simply by asking various department heads, or by making armchair assumptions.
  2. Access misconfigurations. Many data breaches happen because a database (or another resource that contains sensitive information) doesn’t have sufficient controls over who can access the data: the database itself has not been configured to restrict access to the people and applications that actually need it.
  3. Alternative access paths. These arise from conflicting protocols, or from multiple avenues for reaching the same data (exports, replicas, reporting tools, and the like). Such “backdoor” ways of accessing data can easily lead to a data leak, or worse.
  4. Real data vs. test data. Outside of the production environment, test data (or data that has been appropriately masked or anonymized) should be used.
  5. Third-party access. Sometimes, a third party will need access to a portion of your database—for analytics purposes, for example. Raw data should not be sent, especially if that data needs to “cross” an international boundary.
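Items 1 and 4 above, taken together, describe a concrete engineering task: the same customer data is copied into several systems, and every copy outside production should be masked. The following Python is an added example, not code from Mage Data or the white paper; the sample records, the masking key and the field rules are constructed for illustration. It masks records deterministically with a keyed HMAC so that one customer gets the same pseudonym in every copy (a join between the marketing and reservations copies still works), replaces emails and card numbers with format-preserving stand-ins, and ends with a check that none of the original sensitive values survive in the masked output.

```python
import hashlib
import hmac

# Constructed sample data: the same guest appears in two systems, as in the
# hotel-chain scenario above. Values are illustrative, not real records.
MARKETING = [
    {"customer_id": "C1001", "name": "Alice Example",
     "email": "alice@example.com", "card": "4111111111111111", "segment": "leisure"},
    {"customer_id": "C1002", "name": "Bob Example",
     "email": "bob@example.org", "card": "5500000000000004", "segment": "business"},
]
RESERVATIONS = [
    {"customer_id": "C1001", "name": "Alice Example",
     "email": "alice@example.com", "card": "4111111111111111", "room": "412"},
]

# Constructed key. In real use it lives only in the production masking job,
# never in the test environment that receives the masked copy.
MASKING_KEY = b"constructed-masking-key-do-not-reuse"

# Fields that carry personal or payment data and must never be copied raw.
SENSITIVE_FIELDS = ("customer_id", "name", "email", "card")


def pseudonym(value: str, key: bytes = MASKING_KEY, length: int = 12) -> str:
    """Keyed, deterministic token: same input and key -> same token.

    HMAC rather than a plain hash, so someone holding only the masked copy
    cannot confirm a guess ("is this Alice?") by re-hashing candidate values.
    """
    digest = hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()
    return digest[:length]


def mask_email(email: str, key: bytes = MASKING_KEY) -> str:
    """Keep the shape of an address but drop both the local part and the real domain."""
    return f"user-{pseudonym(email, key)}@example.com"


def mask_card(card: str) -> str:
    """Keep only the last four digits, which is all most test cases need."""
    return "X" * (len(card) - 4) + card[-4:]


def mask_record(record: dict, key: bytes = MASKING_KEY) -> dict:
    """Return a masked copy; non-sensitive fields (room, segment) pass through."""
    masked = dict(record)
    masked["customer_id"] = pseudonym(record["customer_id"], key)
    masked["name"] = "Guest " + pseudonym(record["name"], key, length=8)
    masked["email"] = mask_email(record["email"], key)
    masked["card"] = mask_card(record["card"])
    return masked


def mask_dataset(records: list, key: bytes = MASKING_KEY) -> list:
    return [mask_record(r, key) for r in records]


def residual_raw_values(raw_records: list, masked_records: list) -> set:
    """Verification step: every original sensitive value still present anywhere
    in the masked output. An empty set means the copy is safe to hand over."""
    haystack = " ".join(str(v) for r in masked_records for v in r.values())
    leaked = set()
    for r in raw_records:
        for field in SENSITIVE_FIELDS:
            if r[field] in haystack:
                leaked.add(r[field])
    return leaked


if __name__ == "__main__":
    masked_marketing = mask_dataset(MARKETING)
    masked_reservations = mask_dataset(RESERVATIONS)
    # Same pseudonym in both copies, so a join on customer_id still works.
    print(masked_marketing[0]["customer_id"] == masked_reservations[0]["customer_id"])
    print(masked_marketing[0])
    print("leaked:", residual_raw_values(MARKETING, masked_marketing))
```

Two design points matter more than the code itself. First, the key is what separates pseudonymisation from a plain hash: anyone who obtains the key can confirm which pseudonym belongs to which real customer, so it should stay in production and be different for every downstream environment or third party (item 5 above), which also stops two recipients from linking their copies to each other. Second, the `residual_raw_values` check is the part that turns "we masked it" into evidence; run it on every export, not just the first one.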

What this means is that, although database security is a strategic decision, data and databases themselves have key details that require specific attention.

Learning More About Database Security for Business

Fortunately, there is a proven process for securing data in a large organization. While this process will not eliminate database security threats entirely, it can drastically curb them—meaning that the process itself will, over time, achieve a huge ROI.

To learn more about that process, check out our white paper: Database Security Fundamentals.