BankInfoSecurity.com - Information Security News, Regulations, & Education

The State of Banking Information Security 2008

Exclusive Survey Uncovers Disconnect in Efforts to Manage Vendors, Educate Customers
February 4, 2008 - Tom Field, Editorial Director

This article was originally created for BankInfoSecurity.com, and contains information that should interest our GovInfoSecurity.com readers.

If there is one notion common to financial institutions of all sizes, it is confidence: the need for shared trust with employees, partners and, above all, customers. Without that confidence, banking institutions cannot succeed.

And if there's one common theme emerging from the inaugural State of Banking Information Security survey, it's that security leaders express this confidence in contradictions.


On one hand, survey respondents tell us they:

Grade their institutions' ability to counter threats as "very good" or "excellent" (64%)
Generally believe their customers share confidence that the institution's security measures are adequately protecting critical information

On the other hand, the same respondents give little basis for that confidence, theirs or their customers', when they reveal that:

21% have either suffered a security breach during the past two years, or don't know
35% have been a victim of a phishing attack during the past year
61% do not test their Incident Response Plan annually
Two-thirds outsource Internet banking systems to third-party service providers, yet admittedly have only moderate confidence in their vendors' security controls
Nearly three-quarters (73%) assess themselves as "average" to "failing" when it comes to security awareness efforts with customers

These are among the key findings of the State of Banking Information Security 2008 survey. Throughout the month of December 2007, Information Security Media Group (publisher of BankInfoSecurity.com and CUInfoSecurity.com) conducted its first-ever survey of U.S. banking institutions. In all, nearly 300 banks and credit unions responded, representing institutions of all sizes and geographies.

Key Findings

Respondents' answers reveal a soft underbelly beneath even the most iron-clad information security strategies: security leaders place far too much trust in vendors to have secured their own systems and processes. And at a time when customer confidence is already shaky because of the subprime mortgage crisis, banking institutions further imperil that trust by failing to give customers adequate education about secure electronic banking.

Blind trust might have been enough to placate examiners in the past, but already in 2008 federal regulators have turned up the heat. Both the Federal Deposit Insurance Corporation (FDIC) and the National Credit Union Administration (NCUA) have recently directed banks and credit unions to demonstrate tighter vendor management controls in their next examinations, and the inter-agency Identity Theft Red Flags Rules require institutions to adopt a written identity theft prevention program, including stronger customer awareness efforts, by Nov. 1.

In addition to the top challenges facing institutions, the State of Banking Information Security 2008 survey also reveals valuable insights on a variety of topics, ranging from reporting relationships to risk management. Top headlines include:

1) Security - It's a Business Issue. There seems to be strong alignment between security and business interests in financial institutions. Business issues - regulatory compliance and customer data protection - top our respondents' list of 2008 priorities, and 40% of these security leaders report into either the CEO/President or Board of Directors/Audit Committee. Security initiatives at these institutions should have strong executive sponsorship.

But a couple of troubling signs:

Titles - A majority (56%) of respondents chose "other" from the list of titles offered to describe their information security officer's role. This suggests that in many institutions security is a part-time role, with the duties added on to someone's existing full-time job. Given regulatory pressures and current threats, one can question whether information security now deserves an executive's full-time attention.
Budgets - Only one-fifth of respondents have their own defined security budgets; a majority (54%) continue to receive funding through IT. Again, this suggests that security is treated as a secondary consideration, even though regulatory compliance and threat mitigation are primary concerns.



Reader question: What's your gut reaction to the State of Banking Information Security survey results? Do they resonate with your current challenges?
Vendors do a fantastic job confusing the issue! It's within their best interests to do so in many cases. Everyone has a solution whitepaper that helps with some regulatory compliance requirement.

I have a query. Any idea of the difference in the percentage of INSIDER breaches versus EXTERNAL breaches? Did you ask that? I'd be interested to see that statistic.

Yes - no different in Government.

Very close to the truth.

These numbers should be way higher. The problem with all these surveys is they're self-selected and the questions are ambiguous. What exactly is a "security breach"? Different people will answer differently.