How do you quickly clear a room full of application developers, short of shouting ‘fire’ and setting off a smoke bomb? The answer, of course, is to stand up in front of them and announce that you are giving a talk about database access control and security. Once, at a conference, I sat through a brilliant talk on security where I was the only member of the audience other than two sleeping DBAs and ten people with laptops intently arranging their social lives on Facebook.
Security experts are often viewed with grave suspicion by developers. They raise what look like footling objections, go on about intrusions and compliance, and seem hell-bent on delaying your project. If anyone ever decided to make a horror film especially for database developers, it would probably star a mean-looking, cold-hearted security expert or compliance officer.
This is all going to change very soon.
Such is the misery that lax security has caused the public that the world is no longer patiently waiting for IT people to show an interest in data access control and security. Breaches are increasingly common, so organisations in all the major trading nations will soon be compelled to plan and test for that eventuality. Those that do not will be fined, and the people responsible for neglecting security will face possible criminal prosecution. Legislators are now determined to catch up with the technology.
It is hardly surprising that this legislation is coming. In the UK, for example, 90% of large organisations have reportedly experienced a security breach, and 25% of companies experience a cyber-breach at least once a month. The health sector suffers the most data breaches, followed by local government. Nor is it only external hackers we need to worry about: over 40% of breaches are caused by employees, contractors and third-party suppliers, and half of those are accidental.
It is likely that European countries will soon agree on legislation compelling companies to report every data breach to both government and shareholders. As well as fines for companies that have failed to provide adequate security measures, the CEOs of those organisations will lose part or all of any bonus paid on top of basic salary. Legislation is also being introduced to make it easier for the victims of a breach to claim compensation.
Organisations can no longer escape sanction by claiming that they were unaware of the security risks. Database professionals have a responsibility to their employers to point out these risks and their scale. Even where an organisation has its own security experts, it is the DBAs and database developers who understand the data well enough to take the lead in ensuring that it is secure. It’s time to get interested in security.