The State of Banking Information Security 2008 Exclusive Survey Uncovers Disconnect in Efforts to Manage Vendors, Educate Customers
If there's one single notion common to financial institutions of all sizes, it is confidence -the need to have shared trust with employees, partners and especially customers. Without this confidence, banking institutions cannot succeed.

And if there's one common theme emerging from the inaugural State of Banking Information Security survey, it's that security leaders express this confidence in contradictions.

> View links to the Executive Overview and other survey resources

On one hand, survey respondents tell us they:

Grade their institutions' ability to counter threats as "very good" or "excellent" (64%)
Generally believe their customers share confidence that the institution's security measures are adequately protecting critical information

But then, on the other hand, these same respondents say they really have no reason to support such confidence - theirs or their customers' -- revealing:

21% have either suffered a security breach during the past two years, or don't know
35% have been a victim of a phishing attack during the past year
61% do not test their Incident Response Plan annually
Two-thirds outsource Internet banking systems to third-party service providers, yet admittedly have only moderate confidence in their vendors' security controls
Nearly three-quarters (73%) assess themselves as "average" to "failing" when it comes to security awareness efforts with customers

These are among the key findings of the State of Banking Information Security 2008 survey. Throughout the month of December 2007, Information Security Media Group (publisher of BankInfoSecurity.com and CUInfoSecurity.com) conducted its first-ever survey of U.S. banking institutions. In all, nearly 300 banks and credit unions responded, representing institutions of all sizes and geographies.

Key Findings

Respondents' answers reveal a soft underbelly to even the most iron-clad information security strategies - that security leaders place entirely too much trust in vendors to have secured their own systems and processes. And at a time when customer confidence is already shaky, owing to the subprime mortgage crisis, banking institutions are further imperiling this trust by failing to give their customers adequate education about secure electronic banking.

Blind trust might have been enough to placate examiners in the past, but already in 2008 federal regulators have turned up the heat. Both the Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) have recently directed banks and credit unions to demonstrate tighter vendor management controls in their next examinations , and the inter-agency Responding Identity Theft Red Flag Rules require institutions to adopt a written Identity Theft prevention program - including beefed-up customer awareness efforts - by Nov. 1.

In addition to the top challenges facing institutions, the State of Banking Information Security 2008 survey also reveals valuable insights on a variety of topics, ranging from reporting relationships to risk management. Top headlines include:

1) Security - It's a Business Issue. There seems to be strong alignment between security and business interests in financial institutions. Business issues - regulatory compliance and customer data protection - top our respondents' list of 2008 priorities, and 40% of these security leaders report into either the CEO/President or Board of Directors/Audit Committee. Security initiatives at these institutions should have strong executive sponsorship.

But a couple of troubling signs:

Titles - A majority (56%) of respondents chose "other" from the list of titles offered to describe their information security officer's role. This response suggests that the security function may be a part-time role in many institutions - that the duties are an add-on to someone's existing fulltime job. Given regulatory pressures and existing threats, one can question whether information security now deserves an executive's fulltime attention
Budgets -- Only one-fifth of respondents have their own defined security budgets; a majority of them (54%) continue to get their funding through IT. Again, this suggests that security is a secondary consideration, and yet regulatory compliance and threat mitigation efforts are primary concerns

Whatever the reporting relationship, role or resource, the mission for security leaders remains the same: Keep information security atop the business agenda. And to do that, the language of security must be the language of business - speak in terms of privacy and protection, not in terms of penetration tests and denials of service. Lose the context, and you risk losing your support.

2) Vendor Management - Too Much Trust, Too Little Verification.
It's an alarming picture when more than two-thirds of respondents (67%) outsource a key system such as internet banking, and yet only 41% have moderate confidence in vendor security. Some 23% say they have no idea whether their vendors have suffered a security breach during the past two years. Another 21% don't know or don't check to see whether their vendors are in compliance with industry regulations. Clearly, institutions are placing too much trust in customer references and SAS 70 audit reports. Starting in 2008, they'll need to show better evidence of inspecting and ensuring the safety of critical processes and information when in vendors' hands.

3) Training - Employees, Customers Need More.
Awareness is the key - employees and customers must understand institutions' security measures and their own roles in supporting them. Yet, our respondents generally grade themselves low at providing effective security awareness training to these groups - 66% "average" to "poor" educating employees, 73% for customers. When resources are tight, training budgets always take a hit, but with the Identity Theft Red Flag Rules compliance date looming ... institutions can't afford to skimp on awareness efforts. There must be strategic education plans in place, and they have to go beyond merely satisfying an examiner's check box to fulfilling the need for security awareness. The risk: If institutions don't improve their awareness programs, then they won't merely fail their self-assessments - they'll imperil their own customers' confidence.

> View links to other survey resources


About the Author

Tom Field

Tom Field

Vice President - Editorial, ISMG

Field is an award-winning journalist with over 30 years experience in newspapers, magazines, books, events and electronic media. A veteran community journalist with extensive business/technology and international reporting experience, Field joined ISMG in 2007 and currently oversees the editorial operations for all of ISMG's global media properties. An accomplished public speaker, Field has developed and moderated scores of podcasts, webcasts, roundtables and conferences, and he has appeared at RSA Conference and on various C-SPAN, The History Channel and Travel Channel television programs.




Around the Network