An article that appeared recently in InformationWeek magazine examines what is sometimes the most serious threat an organization faces in terms of their own data security – the internal authorized user base. The following article from Ericka Chickowski explains that hackers may covet your data, but insiders are the most common source of database leaks.

How IT pros who manage database security rank database threats:

• An insider attach by someone with root access to the database or database server
• A logical attack on a Web-facing app connected to a database
• Database containing confidential data that IT is unaware of
• A misconfigured database
• A vulnerable database that hasn’t been patched

(Data: Enterprise Strategy Group survey of 179 IT pros)

In their quest to protect sensitive information from outside attackers, many organizations overlook the most imminent threat to their databases: authorized users.

“It sometimes amazes me how little concern companies have for their production data,” says James Koopmann, owner of database consulting firm Pine Horse. “They allow nearly anyone to plug in shareware, freeware, and demo tools to access sensitive production data without any concern for how it might be retrieving, caching, or altering data.”

As discussed in the latest Dark Reading Database Security Tech Center Report, five common factors are most likely to lead to the compromise of databases: ignorance, poor password management, rampant account sharing, unfettered access to data, and excessive portability of data.

Take the lack of security education. In our InformationWeek Analytics 2009 Strategic Security Survey, we asked respondents to rate the time spent on various security efforts. User training came in ninth out of 10 choices, a few points behind log file analysis. Yet in another study, CompTIA’s seventh annual Trends in Information Security report, published earlier this year, 85% of those organizations surveyed that do offer security training to non-IT staff saw a reduction in major breaches.

The goal of training must be to ensure that users who work with databases understand the sensitivity and/or financial value of the data they work with, and therefore are less apt to become casual in their security practices.

Poor password management is another common problem. Either IT departments allow database users to set easy-to-guess passwords, or they make passwords so complicated that workers end up writing them down and sticking them to the computer screen.

“We have to strike a balance between ease of remembering for database users versus how complicated we make the passwords to protect against outsiders,” says George Jucan, CEO of Open Data Systems, a database consulting firm.

Account sharing also creates security issues. While some users take advantage of their co-workers’ credentials, others gain access to data via highly privileged application server credentials. In either case, data compromises can occur without leaving a clear trail to the perpetrator. All that log file analysis won’t help you now.

Unfettered access to data is another common problem. In many cases, employees are given access to more information than they need to do their jobs.

“Most of the databases today provide role-based access control to databases, and few companies actually take advantage,” Jucan says. “If somebody doesn’t even see that certain data exists in the database, they will not be tempted to print it and leave it on the printer.”

Enterprises should also look into data-masking technology to limit the user’s exposure to highly sensitive and highly regulated data sets, such as Social Security numbers, without limiting the user’s ability to do his work.

Finally, take a closer look at technologies and practices for protecting data as it becomes increasingly portable. One of the biggest dangers companies face today is the ability of authorized users to simply download large chunks of information from the database onto spreadsheets, laptops, or portable storage devices. Experts say that tools such as database activity monitoring, data loss prevention, and encryption all can help protect portable data.

Related posts:

1. Ten Guidelines for Managing Passwords in the Enterprise
2. Protecting Sensitive Data
3. Sensitive Data Often Exits with Employees

Related posts brought to you by Yet Another Related Posts Plugin.

If you’re an independent consultant who is pricing yourself directly to a potential client or to a consulting firm in need of placing your type of skills somewhere, then you’ll understand this process. The client may suggest that he’s interested in your service but not happy with the rate you’ve priced yourself at. This is the million-dollar problem that happens whether you’re a consultant selling your expertise or a job-hunter being asked during an interview what your salary range is. It’s awkward any way you approach it. Unfortunately, this is always a normal part of the negotiating process.

To Negotiate or Not to Negotiate

In the Western culture it is not as clear as other cultures when negotiation is appropriate and when it is not. Therefore, many consultants find it very difficult to distinguish between a negative response from a potential client that truly is a flat-out rejection and one that is merely the beginnings of the negotiation process. You sometimes just have to trust your instincts.

Always remember, you are not required to negotiate your rate. If you’ve set your price well in line with market rates for your type of service and expertise level, then it is ok to stand your ground and state confidently that your rate is what you charge and there is no negotiation.

That said, you may want to consider the economy and your situation into that plan. If you need the work badly and you’d rather do it for less than not at all, you may want to go for it. I’ve had clients offer me more than I was even going to ask for, thus eliminating any need for negotiation or even price-setting. And I’ve also had clients negotiate hard and get an extremely favorable rate from me, but I was willing to do the work for less because I knew I would be working almost exclusively in a telecommuting role with no travel or driving expenses and could schedule when I wanted to do most of the work leaving me free for other consulting.

Dealing with Rate Objections

One way to deal with client objections to your rate is to remind them what that rate will buy them. Explain that rate is for actual productive work performed per hour, not the diluted effort they are getting from employees at 60-70% of productivity. Also explain you expertise in their particular area of need meaning you can perform the work much more efficiently and quickly, thus saving them time and mostly likely money and re-work over an employee or a less experienced and lower-priced consultant. To add to that, explain that you may be re-using code or existing templates that you’ve already developed thus utilizing proven tools and saving even more time and money.

Another approach is to explain that the your consulting services come with no overhead price built-in that would be realized when utilizing their own employees. Those overhead costs on their employees is in addition to the salaries they are already paying, but are none existent when using your services.

The Jealousy Factor

One thing to be careful of, however, is that the client you’re dealing with may be wrongfully looking at a $80 rate and thinking that translates easily into a $160,000 salary which may be much higher than the hiring manager you’re talking to. This can challenge their ego and put them on the defensive. If necessary, explain that the rate must cover professional overhead including insurance, professional fees, hardware and software – expenses that employees often do not experience. This can go a long way to alleviating the objection if it does stem from envy or feelings of inferiority.

If you still can’t get past the rate issue, and you don’t feel that it is in your best interest for this particular opportunity to price yourself lower, then it may be best to just walk away. You can try to evangelize the client all you want on why your rate is appropriate, but they just may never get it or they may not be able to afford it. It’s far better to know that up front than to get left without a payment later on – which is always a danger for consultants in nearly every industry.

Related posts:

1. Five Signs You’re Not Cut Out to be a Project Management Consultant
2. The Art of Negotiation – Part 1
3. Four Key Areas Where a Business Consultant Can Save Your Organization

Related posts brought to you by Yet Another Related Posts Plugin.