Financial Institutions Face Surge in External Security Attacks
The world's largest financial institutions have faced a surge in the number of security attacks over the past year, particularly from external sources, according to the 2006 Global Security Survey released by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT).
More than three-quarters (78 percent, up from 26 percent in 2005) of respondents confirmed a security breach from outside the organization and almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach.
The fourth annual survey consisted of interviews with senior security officers from the world's top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.
The top three most common attacks over the past 12 months included ones intended to extort some form of monetary gain. Phishing and pharming were employed for more than half (51 percent) of external attacks, followed by spyware/malware (48 percent). Insider fraud (28 percent) and customer data leaks (18 percent) were cited by respondents among the top three most common internal breaches.
"The extent and nature of these security breaches signals a new reality for the global financial services industry," said Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP. "Executing these types of attacks requires significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by 'script kiddies' and one-off hackers. This shift means organizations not only face more sophisticated and hard to track attacks, but are also challenged by increased risk and potential loss. Financial institutions should take these factors into account in their overall security strategy."
The shift to a more sinister criminal profile of online attackers and the potential risk they represent has not gone unnoticed by the financial sector, and there is evidence that companies have started taking steps to fend off these threats. This year, identity theft and account fraud (58 percent), along with identity management (41 percent), made their way into the top five security initiatives for 2006.
The industry has also responded to the recent string of natural disasters around the globe, and disaster recovery and business continuity (49 percent) also placed among the top five security initiatives. In fact, an impressive proportion of organizations (88 percent) confirmed having an enterprise-wide business continuity management program in place.
"Deloitte's survey shows that financial institutions are attentive to the fast-paced and ever-changing security environment," said DeZabala. "They are shifting priorities and starting to take necessary measures to mitigate emerging security risks and challenges. While it is only natural to shift focus to the most imminent threats, in order to avoid being blindsided organizations must strive to maintain a balanced, more holistic approach to their security operations and initiatives."
Interestingly, security awareness and training is one of the initiatives that dropped off the top five list from the previous survey. While virtually all (96 percent) respondents were concerned about employee misconduct involving IT systems, only a third (34 percent) have provided their staff with some form of information security and privacy training over the past year. The most common medium financial institutions use for security training and awareness is web page alerts and emails (63 percent). Other, perhaps more effective, methods such as orientation training (35 percent) and recognition of exemplary behavior (9 percent) ranked lower in utilization.
Additional key findings of the survey:
· Ninety-five percent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76 percent of respondents).
· Almost three-quarters (72 percent) of financial institutions that experienced a security breach indicated the estimated amount of damage to the organization, including direct and indirect costs, was in the range of US $1 million.
· While the number of respondents with a Chief Information Security Officer (CISO) dropped by 6 percent compared to last year (75 percent vs. 81 percent), the life span of the position continues to grow, with 22 percent having been in the position from six to 10 years, up from 13 percent in 2005.
· Two-thirds (65 percent) of respondents confirmed having a program to manage privacy, down by 3 percent from last year.
The survey, conducted via face-to-face interviews and on-line questionnaires by Deloitte's Global Financial Services Industry practice, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, security management team, etc.) of the top 100 global financial services organizations. Questions were related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organizations from all continents, divided into five regions including: Europe, the Middle East and Africa, Asia Pacific, Japan, USA, Canada, Latin America and the Caribbean. Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.
Deloitte refers to one or more of Deloitte Touche Tohmatsu, a Swiss Verein, its member firms and their respective subsidiaries and affiliates. As a Swiss Verein (association), neither Deloitte Touche Tohmatsu nor any of its member firms has any liability for each other's acts or omissions. Each of the member firms is a separate and independent legal entity operating under the names "Deloitte", "Deloitte & Touche", "Deloitte Touche Tohmatsu" or other related names. Services are provided by the member firms or their subsidiaries or affiliates and not by the Deloitte Touche Tohmatsu Verein.