Contact: Heath Applebaum
Deloitte
External Communications
416 775-7302
Toronto, June 13, 2006 — The world's largest financial institutions experienced a surge in the number of security attacks over the past year, specifically from external sources. More than three-quarters (78 percent, up from 26 percent in 2005) of respondents confirmed a security breach from outside the organization, and almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach. Canada was not exempt from this trend, with all of the Canadian respondents confirming they encountered security breaches over the past year. These findings are drawn from the 2006 Global Security Survey released today by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). The fourth annual survey consisted of interviews with senior security officers from the world's top global financial institutions and acts as a global benchmark for the state of IT security and privacy in the financial services sector.
Two of the top three most common attacks experienced by the global financial industry, both externally and internally, were deployed to extort some form of monetary gain. Phishing and pharming accounted for more than half (51 percent) of external attacks, followed by spyware/malware utilization (48 percent). Insider fraud (28 percent) and leakage of customer data (18 percent) were cited by respondents among the top three most common internal breaches.
"The extent and nature of these security breaches signal a new reality for the global financial industry, including Canada. Execution and exploitation of these attacks require significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by 'script kiddies' and one-off hackers," says Adel Melek, Partner with Deloitte Canada and Global Leader of Security & Privacy Services. "This shifting trend means organizations not only face more sophisticated and hard-to-track attacks, but are also challenged by increased risk and potential loss. Financial institutions should take these factors into account in their overall security strategy."
The shift to a more sinister criminal profile of online attackers, and the potential risk they represent, did not go unnoticed by the financial services sector, which has evidently started taking steps to fend off these threats. This year, identity theft and account fraud (58 percent), along with identity & access management (41 percent), made their way into the top five security initiatives for 2006.
Another indication of the financial industry's fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49 percent) among the top five security initiatives. The importance of a business continuity plan, following the recent string of natural disasters around the globe, is reflected by the impressive proportion of organizations (88 percent) that confirmed having an enterprise-wide business continuity management program in place.
Interestingly, security awareness and training is one of the initiatives that dropped off the top five list from the previous survey. While 96 percent of respondents were concerned about employee misconduct involving IT systems, only a third (34 percent) provided their staff with some form of information security and privacy training over the past year. The most common medium financial institutions use for security training and awareness is web page alerts and emails (63 percent). Other, perhaps more effective, methods such as orientation training (35 percent) and recognition of exemplary behaviour (9 percent) ranked low in utilization.
Canadian Highlights:
On a global comparison, Canadian respondents ranked second only to Japan, leading the pack in six categories, with all respondents (100 percent) confirming an enterprise-wide business continuity management program, as well as having a program to manage privacy compliance (100 percent) that is headed by a designated executive (100 percent). Canada also ranked as the top region in C-suite acknowledgment of security as a critical area to the business (64 percent) and in providing the commitment and funding to address regulatory requirements (91 percent). On the other end of the spectrum, Canada has one of the lowest security budgets as a proportion of IT spend, particularly as compared to mature Western markets such as the U.S. and the U.K., and has among the lowest percentage of organizations (55 percent) to have provided security-related education to employees. This finding, though, may be attributed to many Canadian financial institutions having provided such training the previous year. It is important, however, to recognize that such training is most beneficial when provided annually, particularly as most Canadian financial institutions experience double-digit percentage staff turnover, especially in retail operations.
"Deloitte's survey indicates that while all the surveyed Canadian financial institutions experienced security breaches, the good news is that proportionately to the size of their operations in Canada, these breaches don't constitute an alarming situation. It is also noteworthy that Canada leads the pack globally in many categories of security management," adds Adel Melek. "The survey also concludes that financial institutions are attentive to the fast-paced and changing security environment. They are shifting priorities and are taking the necessary measures to mitigate the various security risks and challenges. While it is only natural to shift focus to the most imminent, emerging threats, organizations should avoid being blindsided and must strive to maintain a balanced, more holistic approach to their security operations and initiatives."
Additional key findings of the survey:
- Ninety-five percent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76 percent of respondents).
- Almost three-quarters (72 percent) of financial institutions that experienced security breaches indicated the estimated amount of damage for the organization, including direct and indirect costs, was in the range of $1 million (U.S.).
- This year, 71 percent of respondents indicated that they have a defined information security governance structure (e.g. defined responsibilities, policies and procedures), while 24 percent are in the process of establishing one.
- The number of financial institutions that have formulated an information security strategy has declined to 61 percent, while another 21 percent indicate that they are in the process of formulating or refreshing one for their organization.
- Two-thirds (65 percent) of respondents confirmed having a program to manage privacy, down by 3 percent from last year.
Methodology
The survey, conducted via face-to-face interviews and on-line questionnaires by Deloitte's Global Financial Services Industry practice, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) of the top 100 global financial services organizations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organizations from all continents, divided into five regions, including Europe, the Middle East and Africa (EMEA), Asia Pacific (APAC), Japan, USA, Canada, and Latin America and the Caribbean (LACRO). Due to the diverse focus of the institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.
About the Global Financial Services Industry
Deloitte Touche Tohmatsu's Global Financial Services Industry group consists of the Financial Services practices organized in the various Deloitte member firms. There are dedicated Financial Services member firm practices in more than 40 countries, employing over 1,500 partners and 17,500 financial services professionals between them. For more information on the Global Financial Services Industry group, visit www.deloitte.com/gfsi.
About the Security & Privacy Services
Deloitte member firm Security and Privacy Services professionals are positioned to design, develop and implement industry-leading information security solutions for businesses. Deloitte member firm services include security management, vulnerability management, identity management, application & data security, privacy & confidentiality and business continuity management. Deloitte member firms offer knowledge and experience combined with national coverage and global reach. Combined member firm resources include over 600 Certified Information Systems Security Professionals (CISSPs) and access to technology solution sets developed through various long-standing Deloitte Touche Tohmatsu and Deloitte member firm vendor alliances.
About Deloitte
Deloitte, one of Canada's leading professional services firms, provides audit, tax, consulting, and financial advisory services through more than 6,200 people in 50 offices. Deloitte operates in Québec as Samson Bélair/Deloitte & Touche s.e.n.c.r.l. The firm is dedicated to helping its clients and its people excel. Deloitte is the Canadian member firm of Deloitte Touche Tohmatsu.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms, and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte," "Deloitte & Touche," "Deloitte Touche Tohmatsu," or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.