An open letter to Oprah Winfrey

Dear Oprah Winfrey:

Thanks to my wife, I’m a big fan of yours.  You have an uncanny and remarkable way of bringing about changes for the betterment of individuals and society at large.  I’m writing you today because we have an epidemic problem in America, and around the world, with identity thefts and data crimes.  As of this writing, according to the Privacy Rights Clearinghouse (http://www.privacyrights.org/ar/ChronDataBreaches.htm) more than 154,000,000 identities have been compromised.  This is just the beginning.

In the early 1990s, Client Server computing became popular.  Organizations linked multiple smaller computers together in a network to improve speed and access to data, and to lower their costs.  Data Warehouses and Data Marts were built on open systems using distributed databases.  Organizations raced to acquire virtual mountains of data to improve the quality and speed of decisions.  Data has been made widely available throughout organizations - it is as if some even hang neon “Hot Now” lights in their hallways to alert privileged data consumers of the availability of new data that is ready for decision analysis.  The problem is, during this Information Technology race to make data widely available to privileged users and decision makers, sufficient attention wasn’t paid to security and accountability.  The data buffet has been opened and no one is watching what data consumers consume. 

With no one watching how valuable data is being used, changed, or accessed, this opens the door to data crimes, thefts, and malfeasance.  After enough individual citizens and investors have been harmed, this is when government steps in and passes laws in an attempt to protect people.  Today organizations are faced with a myriad of legislation and regulations because organizations have failed to be good stewards of their, and our, data assets.  Sarbanes-Oxley, for one, in the wake of Enron, is intended to protect investors from fraudulent financial reporting - which is based on data, and which requires attestation to accuracy.  HIPAA attempts to protect consumers from inappropriate use of PHI (Protected Health Information) by providing privacy protections and requiring audit trails for access to information.  Other laws, regulations, and standards include GLBA, PCI, and CA/SB1386.  Even the FDA has regulations requiring data accountability.

But never mind the regulation alphabet soup.  The laws and regulations exist today because organizations have failed to be good stewards of valuable data assets; they have failed, and continue to fail, to make privileged data consumers accountable for their access to, and updates of, data. 

Symantec Corporation did a study in late 2006 and found that identities were commonly sold for $14 to $18 each on the black market.  An individual whose identity has been compromised can spend months and hundreds of dollars attempting to restore their financial lives.  And identities aren’t the only valuable information stored in organization databases - trade secrets, intellectual property, customer lists, recipes, drug formulas, oil locations, inventory, financial data, and many more types of sensitive, valuable data are easily accessible to privileged users.  I know.  I used to be a privileged user in my former career - I was a database administrator (DBA), and a DBA can often easily access or update any data he or she chooses.  DBAs rule the data kingdom, but they are not an organization’s only concern.  Any user who is given, or gains, legitimate access to data can easily steal, abuse, or inappropriately modify data, and they can do so without fear of repercussions if organizations are not actively monitoring data access.  When no one is watching, it is easier to commit crimes.

When was the last time you went to a bank and didn’t notice security surveillance cameras?  Have you noticed surveillance cameras in jewellery stores?  At my local Chevron gas station, there’s a sign on the gas pump that reads “Smile - You’re On Our Camera.” - Apparently gasoline is valuable and the owner wants to deter and prosecute thefts.  I went to my local Target store a few weeks ago to buy some new underwear.  Lucky me, I found a great sale on a six pack for only $19.99.  I looked up to thank my lucky stars for finding such a bargain and observed a security surveillance camera.  “Imagine that,” I thought, “my underwear is more valuable than my identity.”

Every US State will tell you that driving is a privilege, not a right.  The same is true with access to data.  State and local governments place surveillance cameras at intersections with traffic lights to deter drivers from abusing their driving privileges.  The cameras can also be used to issue tickets to red light offenders and apprehend drivers who cause accidents.  Whether used by government, stores, banks, gasoline or underwear merchants, it seems that cameras that record activity provide effective deterrents to crime and a means to apprehend and help prosecute those who do not obey the rules.

Remarkably, many organizations are already wise to the value of surveillance.  It is common practice for companies to actively monitor employee email activity.  Email surveillance is clearly communicated in HR policies. If monitoring email activity provides security and value to a company, why aren’t more companies actively monitoring access and updates to their valuable data assets?

In 2006, the Ponemon Institute conducted a study of 14 separate data breaches and found that the average cost to an organization was $14.8M with the highest cost reaching $22M.  Subsequently, TJMaxx stores reported the breach of 47.5M credit card numbers plus 455,000 merchandise return records which included driver’s license information.  Massachusetts, Maine, and Connecticut Attorney Generals have filed class action lawsuits seeking tens of millions of dollars in damages for these data thefts which occurred over a period of years - unbeknown to TJMaxx.  Why?  No one was watching. 

The Ponemon Institute study further identified that the average data breach costs an organization $182 per compromised customer record.  Remarkably, an identity thief pockets $14 which costs an organization $182 and the victim potentially hundreds of dollars and months of time attempting to recover their good name and credit.

But wait, it gets worse.  When organizations were asked who was responsible for the response to a data breach, 30% of the time NO ONE was responsible.  How’s that for a reprehensible lack of accountability?   The same study found that the cost of new preventative measures averaged $180,000, or just 4% of the total breach cost, and not all organizations put electronic protections in place.

The good news is that the Big 4 auditing firms have become increasingly wise to data risks and vulnerabilities.  Through their risk management and regulation compliance consulting services, they are helping organizations mitigate data risks and avoid material weaknesses in financial reporting.  One of these four, in particular, prudently and commonly requires monitoring of database activity - especially the activities of DBAs.  Not only does database activity monitoring improve data security by deterring data malfeasance and facilitating the apprehension of offenders, but the activity records can be used to create audit trails which satisfy regulation compliance audit requirements. 

In the absence of database audit activity records, an auditor, CEO, or CFO cannot know with confidence that financial data has not been tampered with by a privileged user.  And, without confidence, and in the face of the threat of fines and jail, it is difficult or risky to attest to the accuracy of financial information.  If an auditor identifies a material weakness in internal Information Technology controls, then this will need to be reported in the company’s financial reports.  Material weaknesses typically cause a company’s stock price to drop by 4-6% following the weakness disclosure.

Why aren’t more companies actively monitoring access and updates to valuable data assets? 

Perhaps it is because that 4% cost of a preventative control isn’t budgeted or will taint their otherwise glowing record profitability results.  What, after all, is a few million in data breach costs to a multi-billion dollar organization?  It is pocket change to the company but life changes to identity theft victims. 

Perhaps it is because they are confused by the different methods of doing database activity monitoring and auditing.  Basically, there are five different ways to monitor database activity.  I’ll save the best for last:

1. Network Activity Sniffing.  These solution vendors will tell companies that their solution is the easiest to implement and will have the least performance impact on the business’s systems.  The trouble with these solutions, however, is that they only detect database activity which is unencrypted (interpretable by the naked eye) and which actually traverses the company network.  Since most DBAs work right on the database servers using a client computer with a remote encrypted connection to the database server, sniffers won’t catch these folks stealing your identities or trade secrets.  Major database vendors like IBM and Oracle are also, recently, providing built in network traffic encryption options to protect data from prying eyes.  If a database auditing solution relies on examining network traffic to build its activity reports, cross it off your shopping list - there are too many holes.
2. Triggers.  Triggers can be defined by a DBA to store audit activity whenever a change is made to data, such as adding a new employee or modifying an employee’s salary.  Triggers can have high overhead and slow a business system down.  And since triggers are only activated by changes to data, the trigger method cannot be used to create required audit trails of access to information for HIPAA and PCI.  In simpler words, with triggers you can’t tell when someone is stealing your data.  Cross trigger based “solutions” off your shopping list.
3. Log Readers.   Databases keep records of changes in recovery logs for recovery purposes.  Like the “Sniffers,” “Solutions” that read activity logs will promise very low performance overhead.  But, as with triggers, no information is available regarding access to data.  Cross these off your shopping list since they can’t help you understand who is stealing your trade secrets.
4. Application Activity Logging.  Some applications that businesses use for keeping track of employees, financial records, customers, and the like provide a built-in audit trail of application user activity.  While these audit trails may be helpful for understanding how application users are using or abusing their privileges, application activity logging only provides activity logs for application users --- no information is provided for DBAs.  Since you can’t know if a DBA is modifying financial data or stealing identities and trade secrets with this type of solution, cross it off your shopping list.
5. Native Database Transaction Activity Monitoring.  This is the most complete, accurate, and bullet proof method for creating audit trails of privileged user access and updates to data.  If properly configured, overhead will be nominal (3-9%).  Get your checkbook out for this type of solution since it will help you meet regulation audit requirements and improve data security.

My company, DBI, provides software that acts like a surveillance camera on databases so that management and auditors can know who is appropriately using, or abusing, their data privileges.  Brother-WatchDog® provides immutable audit trails and activity reports that will inform auditors of financial tampering, data thefts, and other suspicious and inappropriate activities. 

It’s time to reverse the trend of rampant data breaches and organization data irresponsibility.  Together, with your help, I am confident we can increase executive and consumer awareness of the steps to take to deter data crimes and limit exposure to financial loss and hardships. 

Rumor has it that it is difficult to get on your show.  I will relentlessly post my letter to you by mail, magazine ads, and articles until I get your attention diverted to this important cause [grin].  While I realize that many busy executives may not be able to view your show on weekday afternoons, I’m confident their spouses will Tivo it and make them watch the segment in the evening.  That’s how I became an Oprah fan.

Best regards,

Scott Hayes
President & CEO, DBI
Email: Scott.Hayes@Database-Brothers.com
Phone: 512-234-2324
www.Database-Auditing.info