Contact: Ali Agmen-Smith
Deloitte
Public Relations
+ 44 (0) 207 303 0514
Contact: Danielle Anthony
Deloitte
PR Manager
+ 44 (0) 207 303 3861
The world’s largest financial institutions reported an increase in the number of security attacks over the past year with more than three-quarters of respondents (78%, up from 26% in 2005) confirming a security breach from outside the organisation and almost half (49%, up from 35% in 2005) experiencing at least one internal breach.
These findings are revealed in the 2006 Global Security Survey released today by business advisory firm Deloitte. The fourth annual survey consisted of interviews with senior security officers from the world’s top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.
Mike Maddison, Director of Security & Privacy Services at Deloitte, commented: “The extent and nature of these security breaches are an indication of the criminal profile of online attackers. The types of attack, the execution and exploitation require significant resources and coordination, which implies professional hackers and organised crime have taken over a domain once ruled by ‘script kiddies’ and one-off hackers.”
In terms of the nature of attacks experienced in the past 12 months, more than half (51%) of external attacks were attributed to phishing and pharming, followed by spyware/malware utilisation (48%). Insider fraud (28%) and leakage of customer data (18%) were cited by respondents among the top three most common internal breaches.
The research found evidence of the financial sector taking steps to fend off the increasing threats. This year, fighting identity theft and account fraud (58%), along with identity management (41%), made their way into the top five security initiatives for 2006. Another indication of the financial industry’s fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49%) among the top five security initiatives. The importance of a business continuity plan, following the recent string of natural disasters around the globe, is reflected by the impressive proportion of organisations (81%) that confirmed having an enterprise-wide business continuity management program in place.
Mike Maddison commented: “Financial institutions are experienced in responding to an ever-changing security environment. They are shifting priorities and starting to take necessary measures to mitigate the various security risks and challenges. However, whilst it is only natural to shift focus to the most high-profile or new and emerging threats, it is apparent that organisations must continue to maintain a balanced and strategic approach to their security operations and initiatives.”
Interestingly, security awareness and training dropped off the top five list of initiatives from the previous survey. While 96% of respondents were concerned about employee misconduct involving IT systems, only a third (34%) have provided their staff with some form of information security and privacy training over the past year. The most common medium financial institutions use for security training and awareness is web page alerts and emails (63%). Other, perhaps more effective, methods such as orientation training (35%) and recognition of exemplary behaviour (9%) ranked low in utilisation.
Additional key findings of the survey:
- Ninety-five percent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76% of respondents).
- Almost three-quarters (72%) of financial institutions who experienced a security breach indicated the estimated amount of damage for the organisation, including direct and indirect costs, was in the range of $1 million (U.S.).
- While the number of respondents with a Chief Information Security Officer (CISO) dropped by 6% compared to last year (75% vs. 81%), the life span of the position continues to grow, with 22% having been in the position from six to 10 years, up from 13% in 2005.
- Two-thirds (65%) of respondents confirmed having a program to manage privacy, down by 3% from last year.
Regional Highlights
Europe, Middle East and Africa (EMEA): This year, the EMEA region was ranked as best in class when it comes to the appointment of a Chief Information Security Officer (CISO). The region has the highest percentage (91%) of financial institutions with a CISO in place. While EMEA also holds steady in other information security parameters compared to the rest of the world, it falls behind on employee training and awareness with only 41% of financial institutions confirming the provision of security guidance to their staff, compared to the global average (49%).
Asia Pacific excluding Japan (APAC): APAC was among the leading regions in the implementation of enterprise-wide business continuity management programs and managing privacy compliance (92% and 85%, respectively), likely as a result of the recent natural disasters that have struck the region. However, in other areas of information security, such as appointing a CISO (23%) and possessing a security strategy (33%), the region is lagging behind the rest of the world. Furthermore, all respondents from the APAC region confirm encountering at least one information security breach over the past year.
Japan: Japanese respondents came out on top this year, taking the lead in eight different categories, including possessing a security strategy (93%), providing employee training and awareness sessions (90%), appointing an executive responsible for privacy (100%) and having a program for managing privacy compliance (100%). Financial institutions in Japan also reported the lowest level of security breaches (32%).
United States: For the first time since the survey’s inception, all U.S. respondents confirmed having a business continuity program in place. This does not come as a surprise considering the aftermath of Hurricane Katrina, which wreaked havoc in the country and acted as a wake-up call for the financial industry. While three-quarters (74%) of the financial institutions in this region formulated an information security strategy, only 71% feel that it is getting the management buy-in required. This year, 91% of U.S. respondents, which is above the 82% global average, confirmed experiencing some form of security breach.
Canada: Canada is second in class to Japan, leading the pack in six categories, with all respondents (100%) confirming an enterprise-wide business continuity management program, as well as having a program to manage privacy compliance (100%) which is headed by a designated executive (100%). Canada also ranked as the top region in C-suite acknowledgment of security as a critical area to business (64%) and in providing the commitment and funding to address regulatory requirements (91%). On the other end of the spectrum, this region has the highest proportion of financial institutions (100%) that encountered security breaches in 2005, and is among the lowest-ranked regions for the percentage of organisations (55%) that have provided security-related education to employees.
Latin America and the Caribbean (LACRO): For the second consecutive year, respondents from the LACRO region do not appear to be overly concerned by privacy issues, evident from the bottom-of-the-class ranking in areas such as having a program to manage privacy (25%) headed by an executive (26%), having a business contingency plan (67%), or appointing a CISO (57%). On the flip side, the majority (90%) of respondents believe they have the adequate commitment and funding to address regulatory issues.
Methodology
The survey, conducted via face-to-face interviews and on-line questionnaires by Deloitte’s Global Financial Services Industry practice, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) of the top 100 global financial services organisations. Questions were related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from all continents, divided into five regions: Europe, the Middle East and Africa (EMEA), Asia Pacific (APAC), Japan, USA, Canada, and Latin America and the Caribbean (LACRO). Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.
Ends
About Deloitte
In this press release references to Deloitte are references to Deloitte & Touche LLP which is among the country’s leading professional services firms, providing audit, tax, consulting and corporate finance services. Known as an employer of choice for innovative human resources programmes, it is dedicated to helping its clients and its people excel.
Deloitte & Touche LLP is the United Kingdom member firm of Deloitte Touche Tohmatsu (‘DTT’), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other’s acts or omissions. Services are provided by member firms or their subsidiaries and not by DTT.
Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.
The information contained in this press release is correct at the time of going to press.