Contact: Ali Agmen-Smith
Deloitte
Public Relations
+ 44 (0) 207 303 0514
Contact: Danielle Anthony
Deloitte
PR Manager
+ 44 (0) 207 303 3861
Internal security breaches have overtaken external IT attacks as the biggest threat to financial institutions as hackers switch their focus from technology to people – according to Deloitte’s 2005 Global Security Survey.
A survey of senior security officers at the top 100 financial institutions found less than a third (28%) of respondents experienced an IT security breach in the past 12 months. This compares to 83% in 2004. While the number of attacks receded overall, the extent of internal breaches more than doubled with 35% of respondents encountering attacks from the inside within the last 12 months, compared to only 14% the year before.
Mike Maddison, Director of Security Services at Deloitte, commented: “Financial institutions have dramatically reduced the number of external attacks by protecting themselves with IT solutions such as anti virus software and content filtering, particularly at the perimeter of their networks.
There has been an emphasis for some time on the never ending battle to secure the corporate perimeter. As a result technological loopholes are being closed, but the hackers’ tactics have now shifted towards manipulating human behaviour as we’ve seen from the explosion in phishing attacks."
Luring people into disclosing sensitive information through phishing and pharming techniques, which use bogus emails and websites, has quickly become one of the top security threats for financial institutions.
Mike Maddison said: “Hackers will always migrate to the weakest link in the security chain. People are now the point of weakness and financial institutions will have to change their focus in the same way that the hackers have.
The massive growth in phishing attacks demands greater customer awareness on security issues. Banks have to consider introducing new, customer-focused measures to tackle this threat.”
Security awareness for internal staff is also a good way to tackle the growing insider threat. Despite the increasingly urgent need for increased security training and awareness, this seems to be at the bottom of the agenda for Chief Information Security Officers (CISO). Currently 65% of organisations have trained their employees on how to identify and report suspicious activity but only 6% of respondents do this as part of the new staff induction process. Less than half (46% of respondents) have training and awareness initiatives scheduled for the next 12 months.
The survey highlighted that most of the respondents' security budget was targeted at security tools (64%), compared to only 15% for employee awareness and training. Very few financial institutions have plans for increasing customer security awareness. The main emphasis in the coming year will remain on compliance-focused initiatives.
Mike Maddison says: “Reporting requirements under Sarbanes-Oxley legislation have placed an emphasis on basic security measures such as managing user access to systems and the segregation of duties, and this is proving to be a driving force behind the tightening of security.”
Key findings of the survey include:
- Anti-virus solutions are now used by 98% of respondents (87% in 2004), and use of Virtual Private Networks (79% compared to 75% in 2004) and content filtering and monitoring (76%, up from 60% in 2004) have also increased.
- While close to half (48%) of respondents perceive lack of employee awareness as one of their top challenges, security training and awareness measures implemented in the past 12 months declined from 77% in the previous survey to 65% this year.
- Almost three-quarters (74%) of respondents choose to outsource at least one IT function, but 27% do not conduct regular assessments of the security outsourcer’s compliance with security requirements.
Regional Differences
Europe, Middle East and Africa (EMEA)
According to the survey, EMEA has the highest number of financial institutions which have formulated an information security strategy (89%), greater than any other region. EMEA also has the highest rate (83%) of adoption of security standards such as ISO 17799.
Asia Pacific (APAC)
APAC has the highest number of respondents (42%) indicating that security is recognized at the C-suite and board level as being critical to the business. For the second year, the region also maintained its lead, with almost three quarters (72%) of respondents having their employees receive awareness and training on security and privacy.
Latin America and the Caribbean
Eighty-six percent of respondents in this region have not implemented a program for managing privacy compliance. Additionally, close to 100% did not perform an inventory of personal information and only slightly more than half (57%) tracked loss of data.
Canada
Half of Canadian respondents acknowledged that they have experienced some form of information security breach – the highest rate of all regions. On the flip side, with privacy and Sarbanes-Oxley compliance driving regulatory initiatives in Canada, the majority of respondents (78%) indicated they have both the commitment of management and the adequate funding to address these requirements.
United States
Eighty-three percent of U.S. CISOs interviewed confirmed they have adequate funding and commitment to meet regulatory requirements, the highest rate among all regions. Financial institutions in the U.S. also lead the pack with the highest percentage of organizations (76%) that delivered at least one security awareness and training session to employees in the past 12 months.
Ends
Notes to editors
Methodology
The survey, conducted by Deloitte through face-to-face interviews and on-line questionnaires, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team etc.) of many of the top 100 global financial services organizations. Questions related to governance, investment, value, risk, use of security technologies, quality of operations, and privacy. The respondents represented public and private companies from all regions of the world.
About Deloitte
In this press release references to Deloitte are references to Deloitte & Touche LLP.
Deloitte & Touche LLP is the UK's fastest growing major business advisory firm based in 21 UK locations, with over 10,000 staff nationwide and fee income of £1,246 million in 2003/2004. It is a member firm of Deloitte Touche Tohmatsu, a leading professional services organisation, delivering world class audit, tax, consulting and corporate finance services, with around 120,000 people in over 140 countries. Deloitte Touche Tohmatsu is a Swiss Verein, and each of its national practices is a separate and independent legal entity.
Deloitte & Touche LLP is authorised and regulated by the Financial Services Authority.
The information contained in this press release is correct at the time of going to press. For further information, visit our website at:
www.deloitte.com/uk/informationsecurity