Internal information security attacks are outgrowing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey conducted by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). Thirty five percent of respondents confirmed encountering attacks from inside their organization within the last 12 months (up from 14% in 2004) compared to 26% from external sources (up from 23% in 2004). The third annual Global Security Survey acts as global benchmark for the state of I.T. security in the financial sector.
“Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats. However, the rise and increased sophistication of attacks that target customers and internal attacks indicate that there is a new threat that has to be addressed,” says Adel Melek, Global Leader of Deloitte's IT Risk Management & Security Services, Global Financial Services Industry.
50% of Canadian respondents experienced some form of security breach
Half of Canadian respondents acknowledged that they have experienced some form of information security breach. On the flip side, with privacy and Sarbanes-Oxley compliance driving regulatory initiatives in Canada, the majority of respondents (78%) indicated they have both the commitment of management and the adequate funding to address these requirements.
Emerging security threats: Phishing and pharming
Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) were two new additions to the top security threats financial institutions faced in the past year, highlighting the human factor as a new weakness in the security chain. The trend shift from external to internal attacks and tactics which exploit human behaviour vs. technological loopholes can be explained by the improved utilization of I.T. security technologies, mainly by the increased use of anti-virus solutions, Virtual Private Networks and content filtering and monitoring.
Security training and awareness has yet to top the agenda of Chief Information Security Officers (CISO), as less than half (46%) of respondents have training and awareness initiatives scheduled for the next 12 months. Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74%) and reporting and measurement (61%). These findings also align with financial institutions’ future investment plans in security, with the most money targeted for security tools (64%) compared to only 15% for employee awareness and training. There are very few financial institutions that have any plans for customers' security awareness.
"In an attempt to minimize the human risk factor, financial institutions have been focusing on enterprise-wide solutions,” adds Adel Melek. “With threats such as identity theft, phishing and pharming on the rise, organizations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management. These solutions should be augmented by security training and awareness if organizations are to minimize the number of human behavioural threats.”
Methodology
The Global Security Survey is based on of interviews with senior security officers from the world’s top 100 global financial institutions. The survey, conducted through face-to-face interviews and online questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team, etc.) of many of the top 100 global financial services organizations. Questions related to governance, investment, value, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private companies from all regions of the world including: Americas, Europe/Middle East/Africa, Asia/Pacific and Latin America.
Download the 2005 Global Security Survey.
