Internal attacks on information technology systems are surpassing external attacks at the world's largest financial institutions, according to the 2005 Global Security Survey released today by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT). Thirty-five (35) percent of respondents confirmed encountering attacks from inside their organization within the last 12 months (up from 14 percent in 2004) compared to 26 percent from external sources (up from 23 percent in 2004).
The third annual Global Security Survey acts as global benchmark for DTT and its member firms for the state of IT security in the financial sector and consisted of interviews with senior security officers from the world's top 100 global financial institutions.
Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) are two new additions to the top security threats financial institutions faced in the past year, underscoring the human factor as a new and growing weakness in the security chain. The trend shift from external to internal attacks and tactics that exploit human behavior vs. technological loopholes is explained by the improved utilization of IT security technologies, mainly by the increased use of anti-virus solutions (98 percent vs. 87 percent in 2004), Virtual Private Networks (79 percent vs. 75 percent) and content filtering and monitoring (76 percent vs. 60 percent in 2004).
"Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks that target customers, and internal attacks, indicate that there are new threats that have to be addressed," says Adel Melek, a partner in the Canadian member firm of Deloitte Touche Tohmatsu and Global Leader of IT Risk Management & Security Services within Deloitte's Global Financial Services Industry practice. "Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap."
However, as survey results show, security training and awareness have yet to top the agenda of Chief Information Security Officers (CISO), as less than half (46 percent) of respondents have training and awareness initiatives scheduled for the next 12 months. Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 percent) and reporting and measurement (61 percent). These findings also align with financial institutions' future investment plans in security, with the most money targeted for security tools (64 percent), compared to only 15 percent for employee awareness and training. There are very few financial institutions that have any plans for customer security awareness.
"In an attempt to minimize the human risk factor, financial institutions have been focusing on enterprise-wide solutions," says Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP. "With threats such as identity theft, phishing and pharming on the rise, organizations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management. These solutions should be augmented by security training and awareness if organizations are to minimize the number of human behavioural threats."