The security paradox

December 2007 Information Security

The world’s largest financial institutions are challenged by the ‘security paradox’. A Deloitte Touche Tohmatsu survey finds that awareness of the problem and support for the solution are still a challenge.

While information security incidents continue to grab the attention of business executives, 'ownership' of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu (DTT) survey.

Less than two thirds (63%) of respondents to DTT's 2007 Global Security Survey have an information security strategy. Only 10% of this year's respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.

The survey also revealed that the greatest root cause of external breaches continues to be the 'human factor': an organisation's employees, customers, third parties and business partners.

"The contradictory findings in this year's survey highlight the security paradox financial institutions are facing," says Kris Budnik, a security specialist with Enterprise Risk Services, Deloitte. "On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand, many financial institutions are falling behind when it comes to taking action."

One of the elements most worrisome for organisations when it comes to breaches is customers. The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms; e-mail attacks, eg, spam; and phishing/pharming. All of these breaches are perpetrated via the customer, eg, customers as unwitting providers of sensitive information and conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers' computers, most likely because of the enormity of such an undertaking. When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two thirds of respondents (66%) replied that they should not.

In addition to breaches perpetrated through the customer channel, the DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees: both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91%) are concerned about employees and cite the human factor as the root cause for information security failures (79%).

But while errors and omissions on the part of employees are identified as a major security issue, almost a quarter (22%) of respondents provided no employee security training over the past year and only one-third of respondents (30%) say their staff is well skilled with adequate competencies to respond to security needs.

"Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps," adds Budnik. "Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organisations' top initiatives this year, as they fight to keep pace with the ever-changing threat landscape.

"This is definitely the case in the South African context and is echoed by our experiences at local financial institutions. In particular, the attention and focus on data protection and third party security will increase across the board as the current Privacy bill is enacted later this year," says Budnik.

Additional key findings of the survey:

E-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%).

* Two-thirds (66%) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line.

* Virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs.

* 'Shifting priorities' and 'integration problems' were identified as top reasons for information security projects failure (48% and 32%, respectively).

Regional highlights

The Europe, Middle East and Africa (EMEA) region had the highest percentage of respondents (39%) among all regions who feel they presently have both the required skills and competencies to respond effectively and efficiently to current and foreseeable security requirements. Additionally, the majority of participants (82%) feel that security has risen to the C-suite or board level, with more than three-quarters (77%) believing they have both the commitment and funding to address regulatory compliance. With regards to security breaches, the percentage of institutions in EMEA that experienced security breaches both internally (31%) and externally (71%) is above the global averages of 30% and 65%, respectively.

Methodology

The survey, conducted via face-to-face interviews and on-line questionnaires by DTT's Global Financial Services Industry (GFSI) group, focused on senior information technology executives (chief security officer, chief information officer, security management team, etc,) at many of the top 100 global financial services organisations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from all continents, divided into five regions including: Europe, the Middle East and Africa (EMEA), Commonwealth of Independent States (CIS), Asia Pacific (APAC), North America (NA), Latin America and the Caribbean (LACRO). Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.

For more information contact Deloitte Enterprise Risk Services, +27 (0)11 806 5000, [email protected], www.deloitte.com





Share this article:
Share via emailShare via LinkedInPrint this page



Further reading:

Highest increase in global cyberattacks in two years
Information Security News & Events
Check Point Global Research released new data on Q2 2024 cyber-attack trends, noting a 30% global increase in Q2 2024, with Africa experiencing the highest average weekly per organisation.

Read more...
Open source code can also be open risk
Information Security Infrastructure
Software development has changed significantly over the years, and today, open-source code increasingly forms the foundation of modern applications, with surveys indicating that 60 – 90% of the average application's code base consists of open-source components.

Read more...
DeepSneak deception
Information Security News & Events
Kaspersky Global Research & Analysis researchers have discovered a new malicious campaign which is distributing a Trojan through a fake DeepSeek-R1 Large Language Model (LLM) app for PCs.

Read more...
SA’s strained, loadshedding-prone grid faces cyberthreats
Power Management Information Security
South Africa’s energy sector, already battered by decades of underinvestment and loadshedding, faces another escalating crisis; a wave of cyberthreats that could turn disruptions into catastrophic failures. Attacks are already happening internationally.

Read more...
Almost 50% of companies choose to pay the ransom
News & Events Information Security
This year’s Sophos State of Ransomware 2025 report found that nearly 50% of companies paid the ransom to get their data back, the second-highest rate of ransom payment for ransom demands in six years.

Read more...
Survey highlights cost of cyberdamage to industrial companies
Kaspersky Information Security News & Events
The majority of industrial organisations estimate their financial losses caused by cyberattacks to be over $1 million, while almost one in four report losses exceeding $5 million, and for some, it surpasses $10 million.

Read more...
Digital economy needs an agile approach to cybersecurity
Information Security News & Events
South Africa is the most targeted country in Africa when it comes to infostealer and ransomware attacks. Being at the forefront of the continent’s digital transformation puts South Africa in the crosshairs for sophisticated cyberattacks

Read more...
SIEM rule threat coverage validation
Information Security News & Events
New AI-detection engineering assistant from Cymulate automates SIEM rule validation for SecOps and blue teams by streamlining threat detection engineering with automated testing, control integrations and enhanced detections.

Read more...
Cybersecurity a challenge in digitalising OT
Kaspersky Information Security Industrial (Industry)
According to a study by Kaspersky and VDC Research on securing operational technology environments, the primary risks are inadequate security measures, insufficient resources allocated to OT cybersecurity, challenges surrounding regulatory compliance, and the complexities of IT/OT integration.

Read more...
Are AI agents a game-changer?
Information Security
While AI-powered chatbots have been around for a while, AI agents go beyond simple assistants, functioning as self-learning digital operatives that plan, execute, and adapt in real time. These advancements do not just enhance cybercriminal tactics, they may fundamentally change the battlefield.

Read more...










While every effort has been made to ensure the accuracy of the information contained herein, the publisher and its agents cannot be held responsible for any errors contained, or any loss incurred as a result. Articles published do not necessarily reflect the views of the publishers. The editor reserves the right to alter or cut copy. Articles submitted are deemed to have been cleared for publication. Advertisements and company contact details are published as provided by the advertiser. Technews Publishing (Pty) Ltd cannot be held responsible for the accuracy or veracity of supplied material.




© Technews Publishing (Pty) Ltd. | All Rights Reserved.