Forrester said many companies do not have a clear policy on who is responsible for data back-up. This can sometimes result in databases that expose confidential or sensitive data.
In a report on the subject, Forrester analysts Noel Yuhanna and Kimberly Dowling, said, "Back-up tapes should be safeguarded against unauthorised access, similar to production databases [databases that contain live information]. Typically, the database back-up process involves multiple groups and therefore requires co-ordination and control to ensure that data remains protected.
"Customers are keeping data tapes longer because of regulatory requirements such as Sarbanes-Oxley and Basel 2, which makes it even more challenging to retain and control such back-ups."
Forrester has outlined a series of recommendations for IT managers to help companies tighten their database security.
These include not using "live" or commercially sensitive data to test back-up databases; making someone responsible for securing and keeping track of back-up tapes; and agreeing a policy on data back-up and making this part of an overall security policy.
It also recommended that each back-up tape should have a unique serial number and creation date, and that data is erased from files before the tapes are recycled.
For added protection, data files should be encrypted.
"If tapes were to get into the hands of unauthorised personnel, privileged data could potentially be viewed, even without first starting or using a database," Forrester said.
"In most DBMS [database management system] products, one can view data by scanning the data files using free tools that can read binary files.
"Encrypting data files before putting them on tape is a viable option that can mitigate risk."