
Firms still challenged by the ‘security paradox’

While information security incidents continue to grab the attention of business executives, ‘ownership’ of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu (DTT) survey. Less than two-thirds (63 percent) of respondents to DTT’s 2007 Global Security Survey have an information security strategy. Only 10 percent of this year's respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.

The survey also revealed that the greatest root cause of external breaches continues to be the ‘human factor’: an organization's employees, customers, third parties and business partners.

"The contradictory findings in this year's survey highlight the security paradox financial institutions are facing," says Adel Melek, DTT's Global Leader of IT Risk Management and Security Services, Global Financial Services Industry (GFSI) Group. "On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand, many financial institutions are falling behind when it comes to taking action."

One of the elements most worrisome for organizations when it comes to breaches is customers. The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms, email attacks (e.g. spam) and phishing/pharming. All of these breaches are perpetrated via the customer, e.g. customers acting as unwitting providers of sensitive information and as conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers' computers, most likely because of the enormity of such an undertaking. When asked whether they should be held accountable for protecting the computers of customers who do online business with them, two-thirds of respondents (66 percent) replied that they should not.

In addition to breaches perpetrated through the customer channel, the DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees through both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91 percent) are concerned about employees and cite the human factor as the root cause for information security failures (79 percent).

But while employee errors and omissions are identified as a major security issue, almost a quarter (22 percent) of respondents provided no employee security training over the past year and only one-third of respondents (30 percent) say their staff is well skilled with adequate competencies to respond to security needs.

"Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps," adds Melek. "Security training and awareness, along with access and identity management of employees, clients and suppliers and data protection are among organizations' top initiatives this year as they fight to keep pace with the ever-changing threat landscape."

Additional key findings of the survey:

* Email attacks top the list of external security breaches financial institutions experienced over the past 12 months (57 percent).

* Two-thirds (66 percent) of respondents do not feel they should be accountable for protecting the computers of customers who bank online.

* Virtually all respondents (98 percent) indicate increased security budgets, but 35 percent feel that their investment in information security is lagging behind business needs.

* "Shifting priorities" and "integration problems" were identified as the top reasons for information security project failure (48 percent and 32 percent, respectively).

Date: 18th September 2007 • Region: World • Type: Article • Topic: Financial sector
Copyright 2008 Portal Publishing Ltd