The State of Banking Information Security 2008

Exclusive Survey Uncovers Disconnect in Efforts to Manage Vendors, Educate Customers

By , February 4, 2008.

If there's one single notion common to financial institutions of all sizes, it is confidence: the need to have shared trust with employees, partners and especially customers. Without this confidence, banking institutions cannot succeed.

And if there's one common theme emerging from the inaugural State of Banking Information Security survey, it's that security leaders express this confidence in contradictions.

On one hand, survey respondents tell us they:

Grade their institutions' ability to counter threats as "very good" or "excellent" (64%)
Generally believe their customers share confidence that the institution's security measures are adequately protecting critical information

But then, on the other hand, these same respondents say they really have no reason to support such confidence, theirs or their customers', revealing:

21% have either suffered a security breach during the past two years, or don't know
35% have been a victim of a phishing attack during the past year
61% do not test their Incident Response Plan annually
Two-thirds outsource Internet banking systems to third-party service providers, yet admittedly have only moderate confidence in their vendors' security controls
Nearly three-quarters (73%) assess themselves as "average" to "failing" when it comes to security awareness efforts with customers

These are among the key findings of the State of Banking Information Security 2008 survey. Throughout the month of December 2007, Information Security Media Group (publisher of and conducted its first-ever survey of U.S. banking institutions. In all, nearly 300 banks and credit unions responded, representing institutions of all sizes and geographies.

Key Findings

Respondents' answers reveal a soft underbelly to even the most iron-clad information security strategies - that security leaders place entirely too much trust in vendors to have secured their own systems and processes. And at a time when customer confidence is already shaky, owing to the subprime mortgage crisis, banking institutions are further imperiling this trust by failing to give their customers adequate education about secure electronic banking.

Blind trust might have been enough to placate examiners in the past, but already in 2008 federal regulators have turned up the heat. Both the Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) have recently directed banks and credit unions to demonstrate tighter vendor management controls in their next examinations, and the inter-agency Responding Identity Theft Red Flag Rules require institutions to adopt a written Identity Theft prevention program - including beefed-up customer awareness efforts - by Nov. 1.

In addition to the top challenges facing institutions, the State of Banking Information Security 2008 survey also reveals valuable insights on a variety of topics, ranging from reporting relationships to risk management. Top headlines include:

1) Security - It's a Business Issue. There seems to be strong alignment between security and business interests in financial institutions. Business issues - regulatory compliance and customer data protection - top our respondents' list of 2008 priorities, and 40% of these security leaders report into either the CEO/President or Board of Directors/Audit Committee. Security initiatives at these institutions should have strong executive sponsorship.

But a couple of troubling signs:

Titles - A majority (56%) of respondents chose "other" from the list of titles offered to describe their information security officer's role. This response suggests that the security function may be a part-time role in many institutions - that the duties are an add-on to someone's existing full-time job. Given regulatory pressures and existing threats, one can question whether information security now deserves an executive's full-time attention.
Budgets - Only one-fifth of respondents have their own defined security budgets; a majority of them (54%) continue to get their funding through IT. Again, this suggests that security is a secondary consideration, and yet regulatory compliance and threat mitigation efforts are primary concerns.

Follow Tom Field on Twitter: @SecurityEditor
