printer friendly version

The security paradox

The world’s largest financial institutions are challenged by the ‘security paradox’. A Deloitte Touche Tohmatsu survey finds that awareness of the problem and support for the solution are still a challenge.

While information security incidents continue to grab the attention of business executives, 'ownership' of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu (DTT) survey.

Less than two thirds (63%) of respondents to DTT's 2007 Global Security Survey have an information security strategy. Only 10% of this year's respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.

The survey also revealed that the greatest root cause of external breaches continues to be the 'human factor': an organisation's employees, customers, third parties and business partners.

"The contradictory findings in this year's survey highlight the security paradox financial institutions are facing," says Kris Budnik, a security specialist with Enterprise Risk Services, Deloitte. "On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand, many financial institutions are falling behind when it comes to taking action."

One of the elements most worrisome for organisations when it comes to breaches is customers. The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms; e-mail attacks, eg, spam; and phishing/pharming. All of these breaches are perpetrated via the customer, eg, customers as unwitting providers of sensitive information and conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers' computers, most likely because of the enormity of such an undertaking. When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two thirds of respondents (66%) replied that they should not.

In addition to breaches perpetrated through the customer channel, the DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees: both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91%) are concerned about employees and cite the human factor as the root cause for information security failures (79%).

But while errors and omissions on the part of employees are identified as a major security issue, almost a quarter (22%) of respondents provided no employee security training over the past year and only one-third of respondents (30%) say their staff is well skilled with adequate competencies to respond to security needs.

"Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps," adds Budnik. "Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organisations' top initiatives this year, as they fight to keep pace with the ever-changing threat landscape.

"This is definitely the case in the South African context and is echoed by our experiences at local financial institutions. In particular, the attention and focus on data protection and third party security will increase across the board as the current Privacy bill is enacted later this year," says Budnik.

Additional key findings of the survey:

E-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%).

* Two-thirds (66%) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line.

* Virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs.

* 'Shifting priorities' and 'integration problems' were identified as top reasons for information security projects failure (48% and 32%, respectively).

Regional highlights

The Europe, Middle East and Africa (EMEA) region had the highest percentage of respondents (39%) among all regions who feel they presently have both the required skills and competencies to respond effectively and efficiently to current and foreseeable security requirements. Additionally, the majority of participants (82%) feel that security has risen to the C-suite or board level, with more than three-quarters (77%) believing they have both the commitment and funding to address regulatory compliance. With regards to security breaches, the percentage of institutions in EMEA that experienced security breaches both internally (31%) and externally (71%) is above the global averages of 30% and 65%, respectively.

Methodology

The survey, conducted via face-to-face interviews and on-line questionnaires by DTT's Global Financial Services Industry (GFSI) group, focused on senior information technology executives (chief security officer, chief information officer, security management team, etc,) at many of the top 100 global financial services organisations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from all continents, divided into five regions including: Europe, the Middle East and Africa (EMEA), Commonwealth of Independent States (CIS), Asia Pacific (APAC), North America (NA), Latin America and the Caribbean (LACRO). Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.

Share this article:

Further reading: