Economic Crisis Heightens Security Risks at Financial Institutions, Deloitte Survey Reveals
Human error the leading cause for security failures in companies
Contact: Lakis Koutsokoumnis
Marketing & Communications Manager
+ 357 25 86 88 98
The global economic crisis hitting the financial services sector is also fuelling a growing information security risk. According to the latest Deloitte Global Financial Services Industry (GFSI) Security Survey 2008, security attacks that exploit human error and breaches caused by distracted or disgruntled employees are likely to be the root cause of information security failures in coming months. The majority (86%) of respondents confirm that human error is the leading cause of information systems failure. This finding recognises that, while people are an organisation's greatest asset, they are also its weakest link, particularly in hard economic times when job insecurity and increased stress levels may lead employees to behave in atypical ways.
The Deloitte GFSI survey, based on interviews with senior security officers from the world's top 100 global financial institutions, is seen by many as a global benchmark for the state of IT security and privacy in the financial sector.
While both internal and external security breaches at financial institutions worldwide have fallen over the past 12 months, employee misconduct is a growing concern for these organisations. More than a third (36%) of respondents express concern about insiders' misconduct, compared to only 13 per cent who are concerned about external exploits. Furthermore, six in ten (58%) survey participants feel 'not very'/'only somewhat' confident in their ability to protect their organisation from internal cyber-attacks.
The growing popularity of social networks and the proliferation of mobile media such as USB keys, MP3 players and PDAs all place an extra load on internal and external security. Interestingly, more than half of the financial institutions surveyed now restrict the use of social networks and instant messaging (53% and 58% respectively), yet 90 per cent allow employees to use mobile devices. Mobile devices almost certainly contribute to greater productivity. However, they also present opportunities for unauthorised download and storage of confidential information on a potentially unprotected medium, an ideal environment for data leakage or data loss. It is alarming to observe that only 55% of the financial services organisations surveyed have fully deployed encryption within their organisations. Further, less than a third (28%) have data "at rest" encryption or information leakage and insider threat detection tools deployed. The good news is that 32% of respondents plan to deploy insider threat detection tools over the coming 12 months.
Phishing and pharming are cited by respondents (46%) as causing one of the highest levels of concern. Phishing and pharming rank as the leading types of external breaches experienced by respondents (22%).
"Financial institutions are facing a battle on two fronts in their efforts to protect consumers' personal information," says Colm McDonnell, Enterprise Risk Services Partner, Deloitte Ireland. "On one front is the growing sophistication of attacks and the magnitude and frequency of data losses and breaches of customer information. On the other front is the growing regulatory expectations in a challenging economic environment and the layoffs that result in a distracted or insecure workforce and disgruntled former employees. Based on these findings, we would certainly encourage Irish organisations to be extra vigilant in protecting their data, and implementing checks and measures to reduce the potential for, and impact of, security failures. As we enter unchartered territory in our economy, organisations may become more exposed as individuals themselves come under increasing pressure."
The pressure financial institutions are now facing to reduce costs also adds to the heightened information security threat. While 60 per cent of respondents confirm that their information security budgets have increased, these increases do not keep pace with current security challenges and needs. More than half (56%) of respondents say that budgetary constraints and/or lack of resources are the leading barriers to ensuring information security, while 'lack of resources' (33%) is identified as the leading cause of information security project failure. Additionally, an increasing number of respondents (15% vs. 13% in 2007) acknowledge that expenditure on information security is falling behind.
"As the financial crisis continues to bite deep, organisations may look to save money by cutting IT budgets and reducing spending on security infrastructure," says McDonnell. "But as tempting as this may be, now is not the time to cut security protection costs. If the guard is lowered, there will be people waiting to exploit any weaknesses resulting from such 'cost-saving' measures. Now, more than ever, financial institutions should maintain their investment in, and focus on, security."
The survey shows that EMEA (Europe, Middle East and Africa) has the highest percentage of respondents who feel they have the required competencies to handle current and future security requirements (41%). However, half of all financial institutions surveyed in this region (49%) experienced repeated external breaches in 2008. Only two thirds (64%), the second lowest rank globally, confirm they had provided their employees with at least one information security training session during 2008. Additionally, just over half (56%) of survey participants in this region feel they have the necessary organisational commitment and funding to address regulatory requirements.
Additional findings of the survey:
- Financial institutions' top three information security priorities are: security regulatory compliance in first place and, tied in second place, access and identity management, and data protection and information leakage.
- During 2008, financial institutions saw a decline in the number of both external (47% vs. 65% in 2007) and internal (27% vs. 30% in 2007) security breaches.
- The leading drivers for financial institutions to protect the privacy of their clients are privacy regulatory requirements (79%), followed by reputation and brand concerns (70%).
The survey was conducted by DTT's Global Financial Services Industry (GFSI) group using face-to-face interviews and on-line questionnaires. The survey sample comprised senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) at many of the top 100 global financial institutions from the banking, insurance, securities and asset management sectors. Questions covered areas such as governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from 32 countries, divided into five regions: Europe, the Middle East and Africa (EMEA); Japan; Asia Pacific (APAC); North America (NA); and Latin America and the Caribbean (LACRO). Due to the diverse focus of the institutions surveyed and the qualitative format of the research, some results may not total 100% or be representative of each identified region.
The information contained in this press release is correct at the time of going to press.