Contact: Maureen Teo
Deloitte & Touche
Corporate Communications Manager
(65) 62163184
Internal attacks on information technology systems are surpassing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). Thirty-five (35) percent of respondents confirmed encountering attacks from inside their organization within the last 12 months (up from 14 percent in 2004) compared to 26 percent from external sources (up from 23 percent in 2004).
The third annual Global Security Survey acts as a global benchmark for DTT and its member firms on the state of IT security in the financial sector and consisted of interviews with senior security officers from the world’s top 100 global financial institutions.
Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) are two new additions to the top security threats financial institutions faced in the past year, underscoring the human factor as a new and growing weakness in the security chain. The trend shift from external to internal attacks and tactics that exploit human behaviour vs. technological loopholes is explained by the improved utilization of IT security technologies, mainly by the increased use of anti-virus solutions (98 percent vs. 87 percent in 2004), Virtual Private Networks (79 percent vs. 75 percent) and content filtering and monitoring (76 percent vs. 60 percent in 2004).
As survey results show, security training and awareness have yet to top the agenda of Chief Information Security Officers (CISO), as less than half (46 percent) of respondents have training and awareness initiatives scheduled for the next 12 months. Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 percent) and reporting and measurement (61 percent). These findings also align with financial institutions’ future investment plans in security, with the most money targeted for security tools (64 percent), compared to only 15 percent for employee awareness and training.
There are very few financial institutions that have any plans for customer security awareness.
Regional Differences:
Europe, Middle East and Africa (EMEA)
According to the survey, EMEA has the highest number of financial institutions that have formulated an information security strategy (89 percent), greater than any other region. EMEA also has the highest rate (83 percent) of adoption of security standards such as ISO 17799.
Asia Pacific (APAC)
APAC has the highest number of respondents (42 percent) indicating that security is recognized at the C-suite and board level as being critical to the business. For the second year, the region also maintained its lead with almost three quarters (72 percent) of respondents having their employees receive awareness and training on security and privacy.
Latin America and the Caribbean
Eighty-six (86) percent of respondents from this region have not implemented a program for managing privacy compliance. Additionally, close to 100 percent did not perform an inventory of personal information and only slightly more than half (57 percent) tracked loss of data.
Canada
Half of Canadian respondents acknowledged that they have experienced some form of information security breach – the highest rate of all regions. On the flip side, with privacy and Sarbanes-Oxley compliance driving regulatory initiatives in Canada, the majority of respondents (78 percent) indicated they have both the commitment of management and the adequate funding to address these requirements.
United States
Eighty-three (83) percent of U.S. CISOs interviewed confirmed they have adequate funding and commitment to meet regulatory requirements, the highest rate among all regions. Financial institutions in the U.S. also lead the pack with the highest percentage of organizations (76 percent) who delivered at least one security awareness and training session to employees in the past 12 months.
Additional Key Findings of the Survey:
- While close to half (48 percent) of respondents perceive lack of employee awareness as one of their top challenges, security training and awareness measurements implemented in the past 12 months declined from 77 percent in the previous survey to 65 percent this year.
- Almost three-quarters (74 percent) of respondents outsource at least one IT function, but 27 percent do not conduct regular assessments of the security outsourcer’s compliance with security requirements.
- While 86 percent of organizations with a CISO indicated that this function reports directly to the board or to the C-suite, only about one-third of the organizations interviewed feel that security has been similarly recognized as a critical area of business.
- Unrealistic timelines and budgets (56 percent) topped respondents’ list of common reasons for security project failures, followed by integration problems due to poor up-front design and architecture (48 percent) and lack of buy-in from business owners (34 percent).
Methodology
The survey, conducted through face-to-face interviews and on-line questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team, etc.) of many of the top 100 global financial services organizations. Questions related to governance, investment, value, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private companies from all regions of the world including: Americas, Europe/Middle East/Africa, Asia/Pacific and Latin America.