Contact: Gerry Fitzpatrick, Partner, Deloitte & Touche Ireland, +353 1 417 2210
Contact: Tom Wilson, PR Executive, Deloitte, 00 353 1 4172200
Internal information security attacks are outgrowing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey released today by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). Thirty-five percent of respondents confirmed encountering attacks from inside their organisation within the last 12 months (up from 14% in 2004), compared to 26 percent from external sources (up from 23% in 2004). The third annual Global Security Survey acts as a global benchmark for DTT and its member firms on the state of I.T. security in the financial sector and consisted of interviews with senior security officers from the world’s top 100 global financial institutions.
Phishing and Pharming (luring people to disclose sensitive information by using bogus emails and websites) were two new additions to the top security threats financial institutions faced in the past year, highlighting the human factor as a new weakness in the security chain. The trend shift from external to internal attacks and tactics which exploit human behaviour vs. technological loopholes can be explained by the improved utilisation of I.T. security technologies, mainly by the increased use of anti-virus solutions (98% vs. 87% in 2004), Virtual Private Networks (79% vs. 75%) and content filtering and monitoring (76% vs. 60% in 2004).
“Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats; however, the rise and increased sophistication of attacks which target customers, and of internal attacks, indicates that there is a new threat that has to be addressed,” says Adel Melek, a partner in the Canadian member firm and Global Leader of I.T. Risk Management & Security Services within the Global Financial Services Industry. “Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap.”
However, as the survey results show, security training and awareness has yet to top the agenda of Chief Information Security Officers (CISOs), as less than half (46%) of respondents have training and awareness initiatives scheduled for the next 12 months. Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74%) and reporting and measurement (61%). These findings also align with financial institutions’ future investment plans in security, with the most money targeted at security tools (64%) compared to only 15% for employee awareness and training. Very few financial institutions have any plans for customer security awareness.
“In an attempt to minimise the human risk factor, financial institutions have been focusing on enterprise-wide solutions,” said Gerry Fitzpatrick, Enterprise Risk Services Partner at Deloitte in Dublin. “With threats such as identity theft, phishing and pharming on the rise, organisations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management. These solutions should be augmented by security training and awareness if organisations are to minimise the number of human behavioural threats.”
Commenting on the findings, Mary Fulton, Financial Services Partner at Deloitte in Dublin, said:
“The results of this survey show the ever increasing and changing risks that can affect any business in today’s modern technological world. Ireland can take pride in the fact that, as part of the EMEA, the region has shown to have the highest number of financial institutions which have formulated an information security strategy (89%). However, we would be concerned at the findings that only 36% of respondents in EMEA said that their employees have attended security awareness training programmes in the last 12 months, the lowest percentage across the globe.”
The survey is available for download from the Deloitte website at www.deloitte.com/ie/risk.
Additional Key Findings of the Survey:
- While close to half (48%) of respondents perceive lack of employee awareness as one of their top challenges, security training and awareness measures implemented in the past 12 months declined from 77% in the previous survey to 65% this year
- Almost three-quarters (74%) of respondents choose to outsource at least one I.T. function, but 27% do not conduct regular assessments of the security outsourcer’s compliance with security requirements
- While 86% of organisations with a CISO indicated that this function reports directly to the board or to the C-suite, only about one-third of the organisations interviewed feel that security has been similarly recognised as a critical area of business
- Unrealistic timelines and budgets (56%) topped respondents’ list of common reasons for security project failures, followed by integration problems due to poor up-front design and architecture (48%) and lack of buy-in from business owners (34%)
ENDS
NOTES TO EDITOR:
Methodology
The survey, conducted through face-to-face interviews and on-line questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team etc.) of many of the top 100 global financial services organisations. Questions related to governance, investment, value, risk, use of security technologies, quality of operations, and privacy. The respondents represented public and private companies from all regions of the world including: Americas, Europe/Middle East/Africa, Asia/Pacific and Latin America.
About Deloitte
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. Deloitte Touche Tohmatsu is an organisation of member firms around the world devoted to excellence in providing professional services and advice, focused on client service through a global strategy executed locally in nearly 150 countries.
With access to the deep intellectual capital of 120,000 people worldwide, Deloitte delivers services in four professional areas (audit, tax, consulting, and financial advisory services) and serves more than one-half of the world's largest companies, as well as large national enterprises, public institutions, locally important clients, and successful, fast-growing global growth companies. Services are not provided by the Deloitte Touche Tohmatsu Verein, and, for regulatory and other reasons, certain member firms do not provide services in all four professional areas.
As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names “Deloitte,” “Deloitte & Touche,” “Deloitte Touche Tohmatsu,” or other related names.
For further information, visit our website at www.deloitte.com
About the Global Financial Services Industry
DTT’s Financial Services Industry practices consist of the Financial Services practices organised in the various member firms of Deloitte Touche Tohmatsu. There are dedicated Financial Services member firm practices in more than 40 countries, employing over 1,500 partners and 17,000 financial services professionals between them. For more information on DTT’s Financial Services Industry practices, visit our web site at www.deloitte.com/gfsi.
DTT’s member firms employ more than 2,500 I.T. Risk Management & Security Services professionals, with over 500 Certified Information Systems Security Professionals (CISSP) globally and over 800 Certified Information Systems Auditors (CISA). For more information about I.T. Risk Management & Security Services available through the member firms of Deloitte Touche Tohmatsu, visit our website at www.deloitte.com/gfsi/itsecurityservices.