Oracle databases in the UK are every bit as insecure as those in the US, an expert has warned. He was speaking after a recent US survey revealed that two-thirds of DBAs were not installing Oracle patches.

Database security supplier Sentrigo carried out a survey of 305 Oracle database administrators at 14 major Oracle user groups in the US between August last year and this January, and found 206 of the 305 DBAs surveyed had never applied an Oracle Critical Patch Update. These updates are issued by Oracle on a regular basis to ensure database security.

"These numbers didn't surprise me at all," said Steve Moyle, CTO and founder of Secerno, which provides database security and monitoring. "To apply the patches requires planning and risks such as business down time," he said. Moyle said organisations need to put efforts into discovering if elements of the patch will affect their business uptime.

The US survey discovered that applying the patches could mean months of work and downtime, which organisations cannot afford. "Global organisations have thousands of databases, each with different levels of complexity. Patch administration is therefore a process of keeping track of what is required," Moyle said.

Moyle was keen to point out that these databases are connected to corporate and often international networks, and therefore the Internet; allowing access to the databases to anyone on the Internet if the database is not properly protected.

Moyle said the survey highlights how responsibility of ensuring databases are protected needs to be with CIOs, because the risks of not protecting them are too high.