While information security incidents continue to grab the attention of business executives, “ownership” of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu (DTT) survey.
Less than two thirds (63%) of respondents to DTT’s 2007 Global Security Survey have an information security strategy. Only 10% of this year’s respondents have their information security led by business line leaders. These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution.
The survey also revealed that the greatest root cause of external breaches continues to be the "human factor" – an organisation’s employees, customers, third-parties and business partners.
“The contradictory findings in this year’s survey highlight the security paradox financial institutions are facing,” says Kris Budnik, a security specialist with Enterprise Risk Services, Deloitte. “On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand, many financial institutions are falling behind when it comes to taking action.”
One of the elements most worrisome for organisations when it comes to breaches is customers.
The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms; E-mail attacks such as spam; and phishing/pharming. All of these breaches are perpetrated via customers who become unwitting providers of sensitive information and conduits into financial institutions.
But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers’ computers, most likely because of the enormity of such an undertaking. When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two thirds of respondents (66%) replied that they should not.
In addition to breaches perpetrated through the customer channel, the DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees via both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91%) are concerned about employees and cite the human factor as the root cause for information security failures (79%).
But while errors and omissions on the part of employees are identified as a major security issue, almost a quarter (22%) of respondents provided no employee security training over the past year, and only one-third of respondents (30%) say their staff are well skilled with adequate competencies to respond to security needs.
“Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps,” says Budnik. “Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organisations’ top initiatives this year as they fight to keep pace with the ever-changing threat landscape.
“This is definitely the case in the South African context and is echoed by our experiences at local financial institutions," says Budnik. "In particular, the attention and focus on data protection and third-party security will increase across the board as the current Privacy bill is enacted later this year.”
Additional key findings of the survey:
· E-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%).
· Two-thirds (66%) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line.
· Virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs.
· “Shifting priorities” and “integration problems” were identified as top reasons for information security projects failure (48% and 32%, respectively).
Europe, Middle East and Africa (EMEA): The EMEA region has the highest percentage of respondents (39%) among all regions who feel they presently have both the required skills and competencies to respond effectively and efficiently to current and foreseeable security requirements. Additionally, the majority of participants (82%) feel that security has risen to the C-suite or board level, with more than three-quarters (77%) believing they have both the commitment and funding to address regulatory compliance. With regards to security breaches, the percentage of institutions in EMEA that experienced security breaches both internally (31%) and externally (71%) is above the global averages of 30% and 65%, respectively.