Financial firms see attacks soar

Three quarters of financial institutions breached

The world's largest financial institutions reported an increase in the number of security attacks over the past year with more than three-quarters of respondents (78 per cent, up from 26 per cent in 2005) confirming a security breach from outside the organisation and almost half (49 per cent, up from 35 per cent in 2005) experiencing at least one internal breach.

These findings are revealed in the 2006 Global Security Survey released by business advisory firm Deloitte. The fourth annual survey consisted of interviews with senior security officers from the world's top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.

Gerry Fitzpatrick, a partner in Deloitte's Enterprise Risk Services Department, commented: "The extent and nature of these security breaches are an indication of the criminal profile of online attackers. The types of attack, the execution and exploitation require significant resources and coordination, which implies professional hackers and organised crime have taken over a domain once ruled by 'script kiddies' and one-off hackers."

In terms of the nature of attacks experienced in the past 12 months, more than half (51 per cent) of external attacks were attributed to phishing and pharming, followed by spyware/malware utilisation (48 per cent). Insider fraud (28 per cent) and leakage of customer data (18 per cent) were cited by respondents among the top three most common internal breaches. The research found evidence of the financial sector taking steps to fend off the increasing threats.

This year, fighting identity theft and account fraud (58 per cent), along with identity management (41 per cent), made their way into the top five security initiatives for 2006. Another indication of the financial industry's fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49 per cent) among the top five security initiatives. The importance of a business continuity plan, following the recent string of natural disasters around the globe, is reflected by the impressive proportion of organisations (81 per cent) that confirmed having an enterprise-wide business continuity management program in place.

Colm McDonnell, a Director in Deloitte's Enterprise Risk Services Department, also commented: "This report acts as an important reminder to local and international financial services companies based in Ireland. In Ireland, in particular, we are consistently seeing the increased professionalism and organisation of hackers; it is paramount that financial institutions prepare for these threats just as professionally."

Financial institutions need to be active in responding to an ever-changing security environment. They are consistently shifting priorities, and starting to take necessary measures to manage and mitigate these various security risks and challenges must be a priority.

However, whilst it is only natural to shift focus to the most high profile or new and emerging threats, it is apparent that organisations must continue to maintain a balanced and strategic approach to their security operations and initiatives."

Interestingly, security awareness and training dropped off the top five list of initiatives from the previous survey. While 96 per cent of respondents were concerned about employee misconduct involving IT systems, only a third (34 per cent) have provided their staff with some form of information security and privacy training over the past year.

The most common media financial institutions use for security training and awareness are web page alerts and emails (63 per cent). Other, perhaps more effective, methods such as orientation training (35 per cent) and recognition of exemplary behaviour (9 per cent) ranked low in utilisation. There are some positives within Europe, though, as it seems that businesses are starting to realise that this is a serious threat.

The EMEA region was ranked as best in class when it comes to the appointment of a Chief Information Security Officer (CISO). The region has the highest percentage (91 per cent) of financial institutions with a CISO in place.

Other key findings of note from the survey: Ninety-five per cent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76 per cent of respondents).

Almost three-quarters (72 per cent) of financial institutions who experienced a security breach indicated the estimated amount of damage for the organisation, including direct and indirect costs, was in the range of USD1 million. While the number of respondents with a Chief Information Security Officer (CISO) dropped by 6 per cent compared to last year (75 per cent vs. 81 per cent), the life span of the position continues to grow, with 22 per cent having been in the position from six to 10 years, up from 13 per cent in 2005. Two-thirds (65 per cent) of respondents confirmed having a program to manage privacy, down by 3 per cent from last year.
