Contact: Chris Patterson
Deloitte Touche Tohmatsu
+1 212 436 2779
New York, September 18, 2007 — While information security incidents continue to grab the attention of business executives, "ownership" of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu (DTT) survey. Less than two-thirds (63 percent) of respondents to DTT’s 2007 Global Security Survey have an information security strategy. Only 10 percent of this year's respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.
The survey also revealed that the greatest root cause of external breaches continues to be the "human factor": an organization's employees, customers, third parties and business partners.
"The contradictory findings in this year's survey highlight the security paradox financial institutions are facing," says Adel Melek, DTT's Global Leader of IT Risk Management and Security Services, Global Financial Services Industry (GFSI) Group. "On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand many financial institutions are falling behind when it comes to taking action."
One of the elements most worrisome for organizations when it comes to breaches is customers. The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms, email attacks (e.g. spam) and phishing/pharming. All of these breaches are perpetrated via the customer, e.g. customers as unwitting providers of sensitive information and conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers' computers, most likely because of the enormity of such an undertaking. When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two-thirds of respondents (66 percent) replied that they should not.
In addition to breaches perpetrated through the customer channel, the DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees through both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91 percent) are concerned about employees and cite the human factor as the root cause for information security failures (79 percent).
But while employee errors and omissions are identified as a major security issue, almost a quarter (22 percent) of respondents provided no employee security training over the past year and only one-third of respondents (30 percent) say their staff is well skilled with adequate competencies to respond to security needs.
"Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps," adds Melek. "Security training and awareness, along with access and identity management of employees, clients and suppliers and data protection are among organizations' top initiatives this year as they fight to keep pace with the ever-changing threat landscape."
Additional key findings of the survey:
- Email attacks top the list of external security breaches financial institutions experienced over the past 12 months (57 percent).
- Two-thirds (66 percent) of respondents do not feel they should be accountable for protecting the computers of customers who bank online.
- Virtually all respondents (98 percent) indicate increased security budgets, but 35 percent feel that their investment in information security is lagging behind business needs.
- "Shifting priorities" and "integration problems" were identified as the top reasons for information security project failures (48 percent and 32 percent, respectively).
Regional Highlights
Europe, Middle East and Africa (EMEA): The EMEA region has the highest percentage of respondents (39 percent) among all regions who feel they presently have both the required skills and competencies to respond effectively and efficiently to current and foreseeable security requirements. Additionally, the majority of participants (82 percent) feel that security has risen to the C-suite or board level, with more than three-quarters (77 percent) believing they have both the commitment and funding to address regulatory compliance. With regards to security breaches, the percentage of institutions in EMEA that experienced security breaches both internally (31 percent) and externally (71 percent) is above the global averages of 30 percent and 65 percent, respectively.
Commonwealth of Independent States — former Soviet Republics (CIS): This new region, added to the survey in 2007 and consisting of 11 former Soviet Republics, holds the first spot when it comes to experiencing external security breaches. Sixty-three percent of respondents from CIS confirmed encountering an external attack (compared to 65 percent globally). However, this region is second only to Japan with the lowest percentage of respondents who experienced an internal security breach (38 percent) over the past year. The CIS region also shares first place with Japan with the number of respondents confirming their organization possesses a security strategy (75 percent).
Asia Pacific excluding Japan (APAC): More than three-quarters (78 percent) of respondents in the APAC region indicated that security has risen to the C-suite or board level as a critical area of business. Almost the same percentage of financial institutions (62 percent) also confirmed they already have a security strategy in place, as well as the commitment and funding to address regulatory requirements. But at the same time, only seven percent of participants, the lowest level among all regions, felt they presently have the required skills and competencies to effectively handle existing and foreseeable security requirements.
Japan: Although Japan relinquishes its leadership in a number of key security and privacy categories this year, the region still leads the pack on a global basis in four areas: the possession of security strategy (75 percent of respondents); having an executive responsible for privacy (100 percent); and experiencing the lowest level of external (35 percent) and internal (13 percent) security breaches. However, according to the survey, financial institutions in Japan are lagging behind their global peers when it comes to linking security to IT employee appraisals (40 percent versus 50 percent globally) and feeling that security is considered a critical area of business by senior executives and board members (71 percent of respondents).
United States: The United States leads all regions on the majority of security issues, including number of respondents who confirmed security is top of mind among C-suite and directors as a critical area of business (89 percent); organizational commitment and necessary funding to address regulatory requirements (80 percent); linking security to IT staff appraisals (70 percent); and providing employees with at least one security training and awareness session over the past year (95 percent). At the same time, the United States also has the highest level (35 percent) of financial institution respondents that experienced at least one internal security breach over the past 12 months.
Canada: Canada is among the best in the world in managing privacy, with a significant majority (91 percent) of respondents confirming the existence of an executive responsible for privacy and 80 percent having a program to manage privacy compliance. However, Canada lags behind the rest of the world with the lowest percentage of respondents who feel they have both commitment and funding to address regulatory requirements (50 percent). The region also has the lowest percentage of financial institutions possessing a security strategy (27 percent), with none of the respondents believing their organization’s information security strategy is led and embraced by line and functional business leaders.
Latin America and the Caribbean (LACRO): As in the past two years, financial institutions in the LACRO region do not appear to be concerned about privacy issues as evidenced by the lowest percentage of respondents with a program for managing privacy compliance (31 percent) or an executive responsible for privacy (30 percent). The region also ranks at the bottom in providing employee training and awareness sessions over the past year (61 percent). On the positive side, the region has among the highest percentage of financial institutions that possess a security strategy (68 percent), including a large majority of respondents (88 percent) who feel security has risen to senior ranks as a critical area of business.
Methodology
The survey, conducted via face-to-face interviews and online questionnaires by DTT’s Global Financial Services Industry (GFSI) group, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) at many of the top 100 global financial services organizations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organizations from all continents, divided into five regions: Europe, the Middle East and Africa (EMEA); Commonwealth of Independent States (CIS); Asia Pacific (APAC); North America (NA); and Latin America and the Caribbean (LACRO). Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.
About the Global Financial Services Industry
DTT’s Global Financial Services Industry (GFSI) practice consists of the Financial Services practices organized in the various member firms of DTT. There are dedicated Financial Services member firm practices in more than 40 countries, employing a total of more than 1,500 partners and 17,000 financial services professionals.
GFSI has a specific focus on the banking, securities, insurance and asset management sectors of the financial services industry. GFSI continually assesses market and industry trends, and helps member firm practices develop specialized services that are tailored to meet their clients’ needs, such as actuarial services, capital markets, risk management and regulatory consulting.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein (association), its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organization of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 140 countries. With access to the deep intellectual capital of approximately 150,000 people worldwide, Deloitte delivers services in four professional areas—audit, tax, consulting, and financial advisory services—and serves more than 80 percent of the world’s largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other’s acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names.