Deloitte & Touche LLP
 
Biggest cause of banking security breaches is the human factor
Results of the Deloitte 2007 Global Financial Services Security Survey
Published: 19/9/07
Contact: Jamie Harley
Deloitte
Public Relations
+44 20 7303 5037

  • Biggest cause of banking security breaches is the human factor;
  • 65% of financial services organisations report external security breaches;
  • Almost a third (31%) report security breaches by employees;
  • 98% report that investment in information security continues to rise as a result of increasing board level focus.

Financial institutions continue to face significant challenges addressing security breaches, according to a new survey of financial services companies by Deloitte, the business advisory firm. The security problems plaguing banks most are viruses and worms, email attacks such as spam, and those attacks focused directly on the customer.

Customers continue to be a target of choice and a source of security concerns: poor awareness leaves them without the right protection in place, which allows their PCs to be compromised. Customers are seen as a direct route to financial gain, with banks facing a continued battle against the growing sophistication of attacks via identity theft.

In addition to breaches perpetrated through the customer channel, Deloitte’s research reveals that a high number of breaches can be attributed to employees: both through misconduct (intentional action) and errors and omissions (unintentional action). The overwhelming majority of financial services organisations (91%) are concerned about the risks arising internally.

Although errors and omissions by employees are identified as a major factor contributing to ongoing security failures, almost a quarter (22%) of respondents provided no employee security training over the past year and only one-third of respondents (30%) say their staff is well skilled with adequate competencies to respond to security needs.

Mike Maddison, UK Head of Security & Privacy Services, commented: "You can have the best technical systems in place but they are unlikely to operate effectively unless you educate people on their obligations and how to fulfil them."

Surprisingly, when compliance and legislation are such drivers, less than two thirds (63%) of the banks responding to Deloitte’s global security survey have an information security strategy in place, and only one in ten of this year’s respondents have their information security led by business line leaders. These findings highlight an emerging security paradox: the gap between awareness of the problem and support for the solution. Security incidents continue to grab business executives’ attention but "ownership" of the underlying problems is still perceived to rest with IT departments.

Maddison added: "The contradictory findings in this year’s survey highlight the ongoing security challenge financial institutions are facing. On the one hand, it is clear that senior executives know there are actions they must take to improve security to protect their customers’ data for very good business reasons. On the other hand, when it comes to taking action, it once again becomes a technical problem. Despite these challenges, knowing that the problem exists is at least half the battle, so financial institutions are definitely moving in the right direction."

Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organisations’ top initiatives this year.

Virtually all the organisations surveyed (98%) indicate increased security budgets, but 35% feel that investment in information security is lagging behind business needs. The banks identify "shifting priorities" (48%) and "integration problems" (32%) as the top reasons for information security project failures.

 

Read the full report on the Deloitte 2007 Global Financial Services Security Survey.

 

Notes to editors:

About the 2007 Global Financial Services Security Survey

The survey, conducted via face-to-face interviews and online questionnaires by DTT’s Global Financial Services Industry (GFSI) group, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) at many of the top 100 global financial services organisations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from all continents, divided into five regions including: Europe, the Middle East and Africa (EMEA), Commonwealth of Independent States (CIS), Asia Pacific (APAC), North America (NA), Latin America and the Caribbean (LACRO). Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.

About Deloitte

In this press release references to Deloitte are references to Deloitte & Touche LLP, which is among the country's leading professional services firms. Deloitte & Touche is the United Kingdom member firm of Deloitte Touche Tohmatsu ("DTT"), a Swiss Verein whose member firms are separate and independent legal entities. Neither DTT nor any of its member firms has any liability for each other's acts or omissions. Services are provided by member firms or their subsidiaries and not by DTT. Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.

The information contained in this press release is correct at the time of going to press.

Page Last Updated: 19 September 2007
Source: Deloitte & Touche LLP - United Kingdom (English)


© 2008 Deloitte & Touche LLP. All rights reserved. Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, and its network of member firms, each of which is a legally separate and independent entity.
