“The extent and nature of these security breaches signal a new reality for the global financial services industry,” said Ted DeZabala, a principal in the security services group of Deloitte & Touche LLP. “Executing these types of attacks requires significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by ‘script kiddies’ and one-off hackers. This shift means organizations not only face more sophisticated and hard-to-track attacks, but are also challenged by increased risk and potential loss. Financial institutions should take these factors into account in their overall security strategy.”
The shift to a more sinister criminal profile of online attackers, and the potential risk they represent, has not gone unnoticed by the financial sector, and there is evidence that companies have started taking steps to fend off these threats. This year, identity theft and account fraud (58 percent), along with identity management (41 percent), made their way into the top five security initiatives for 2006. The industry has also responded to the recent string of natural disasters around the globe: disaster recovery and business continuity (49 percent) likewise placed among the top five security initiatives. In fact, an impressive proportion of organizations (88 percent) confirmed having an enterprise-wide business continuity management program in place.
“Deloitte’s survey shows that financial institutions are attentive to the fast-paced and ever-changing security environment,” said DeZabala. “They are shifting priorities and starting to take necessary measures to mitigate emerging security risks and challenges. While it is only natural to shift focus to the most imminent threats, in order to avoid being blindsided organizations must strive to maintain a balanced, more holistic approach to their security operations and initiatives.”
Interestingly, security awareness and training is one of the initiatives that dropped off the top five list from the previous survey. While virtually all (96 percent) respondents were concerned about employee misconduct involving IT systems, only a third (34 percent) had provided their staff with some form of information security and privacy training over the past year. The most common media financial institutions use for security training and awareness are web page alerts and emails (63 percent). Other, perhaps more effective, methods such as orientation training (35 percent) and recognition of exemplary behavior (9 percent) ranked lower in utilization.
Additional key findings of the survey:
· Ninety-five percent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76 percent of respondents).
· Almost three-quarters (72 percent) of financial institutions that experienced a security breach indicated the estimated amount of damage to the organization, including direct and indirect costs, was in the range of US$1 million.
· While the share of respondents with a Chief Information Security Officer (CISO) dropped by six percentage points compared to last year (75 percent vs. 81 percent), the tenure of the position continues to grow, with 22 percent having been in the position for six to 10 years, up from 13 percent in 2005.
· Two-thirds (65 percent) of respondents confirmed having a program to manage privacy, down by 3 percent from last year.
http://www.bankinfosecurity.com/articles.php?art_id=154