Focus on Network Security Overlooks Importance of Protecting Data, Oracle Study Finds

July 30, 2013 Alex Woodie

In a new study commissioned by Oracle, researchers found that more than two-thirds of a typical organization’s IT security resources are allocated to protecting the network layer, leaving less than one-quarter of the resources to address the security needs of core infrastructure components, such as servers, applications, and databases.

The study involved more than 110 companies that were contacted by CSO Custom Solutions Group on behalf of Oracle. The study asked the companies how they allocate their resources, including money and staff time, to address security concerns.

Despite the fact that a breach of a database would be potentially catastrophic for an organization, two-thirds of organizations reported taking an “inside out” approach to security, which places a heavy emphasis on the network layer. By comparison, 35 percent reported using an end-point security strategy, which focuses more on protecting critical applications and data.

Mary Ann Davidson, chief security officer at Oracle, says organizations would be better off focusing their attention on their most strategic assets, and working to implement stronger database and application security, and work on identity management.

“Organizations can’t continue to spend on the wrong risks and secure themselves out of business,” Davidson says in a press release. “When attackers do break through the perimeter, they can take advantage of weak security controls against the core systems by exploiting privileged user access, vulnerable applications, and accounts with excessive access.”

The survey also found that, at 35 percent of organizations, security-related expenditures are influenced by sensational informational sources rather than real organizational risks. What’s more, 42 percent of survey respondents say they believe that they have more difficulty preventing new attacks than in the past.