Deloitte Touche Tohmatsu
 
2007 GFSI Security Survey
The shifting security paradigm

Deloitte’s 2007 Global Security Survey has found that while local financial institutions are global leaders in privacy compliance, they are classed as worst for having the required skills to effectively handle existing and foreseeable security threats.

The survey also reveals the ‘Security Paradox’ – a situation in which Business Executives are becoming more aware of IT Security issues, but where support for a solution still lies with the IT department. This is highlighted by the fact that only 63% of respondents have an information security strategy, and only 10% have information security led by a business line leader.

Overall key findings of this year’s survey

  • the Asia Pacific region’s physical isolation is hampering institutions’ ability to quickly access the right skills, especially in comparison to the UK and European markets
  • skills shortages and strategic planning were two distinct issues to have emerged for financial institutions in the Asia Pacific region
  • customer behaviour was one of the most worrisome elements for organisations when it came to breaches
  • a high number of repeated occurrences of breaches can be attributed to employees: both misconduct (intentional action) and errors and omissions (unintentional action). 

Key findings in Asia Pacific (excluding Japan)

Of the 169 Financial Services Industry (FSI) organisations surveyed from 32 countries, 8% were from the APAC region (excluding Japan).

  • 29% top 100 FSI
  • 26% top 100 Banks
  • 14% top 50 Insurance etc
  • 40% top payments and processors.

The Asia Pacific region rated best in class for managing privacy compliance (100%). 

However, there are two areas where respondents were classed as worst compared to global respondents:

  1. only seven percent of participants, the lowest level among all regions, felt they presently have the required skills and competencies to effectively handle existing and foreseeable security requirements (7% compared to global average of 30%)
  2. none (0%) have security strategies led and embraced by line and functional business leaders.

Over three-quarters (78%) of respondents in the APAC region indicated that security has risen to the C-suite or board level as a critical area of business.

Almost the same percentage of financial institutions (62%) also confirmed they already have a security strategy in place, as well as the commitment and funding to address regulatory requirements.

Key global findings of the survey:

  • identity theft and management is now the number one issue organisations are concerned about (50%) 
  • e-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%)
  • two-thirds (66%) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line
  • virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs
  • “shifting priorities” and “integration problems” were identified as the top reasons for information security project failure (48% and 32%, respectively).

2007 Top 5 security investment issues 

  1. Access and Identity Management: 50% (up from number 5 ranking last year)
  2. Security and regulatory compliance: 49% (which has remained in top 5 since inception of survey)
  3. Training and Awareness: 48%
  4. Governance: 37%
  5. Disaster Recovery and Business Continuity: 37%.

2007 Top 3 breaches

  1. email attacks (52% reporting repeated occurrences)
  2. viruses/worms (40% experiencing repeated occurrences)
  3. phishing/pharming (35%).

On a positive note, breaches due to viruses/worms, phishing/pharming or spyware/malware have fallen from the previous year’s levels of 63%, 51% and 48% respectively.

Page Last Updated: 21 September 2007
Source: Deloitte Touche Tohmatsu - Australia (English)


© 2008 Deloitte Touche Tohmatsu. All rights reserved.
