Printer Friendly

Top Global Financial Institutions Sustain More External Than Internal IT Security Attacks: Deloitte & Touche Survey.

Business Editors


Deloitte & Touche survey shows regional differences

in IT security and privacy attitudes, policies and

technologies at leading global financial services firms

In a comprehensive look at the state of IT security among the top 500 global financial institutions, chief security officers (CSO) and chief information security officers (CISO) said more attacks are committed by external sources and not company insiders, according to a new study released today by Deloitte & Touche LLP, one of the nation's leading professional services firms. Additionally, financial organizations made significant investments toward improving their IT security, despite current economic and budget constraints.

Thirty-nine percent of respondents that experienced a security breach within the past year stated that only 10 percent of the attacks originated internally - contradicting common belief that the vast majority of cyber crime originates from within the organization rather than an external attack.

Overall, global financial institutions have implemented a variety of information security practices and technologies, maintained or increased security budgets and boosted IT security staffing levels despite the worldwide economic downturn, according to the study. For example, 80% of respondents have a formal information security strategy in place. Moreover, 61% of organizations either have a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). Chief security officers, however, still see room for improvement in establishing privacy standards and shoring up defenses against all external threats.

"We are faced with some significant trends. The combination of increasingly complex technology and more sophisticated attacks makes it more difficult to secure systems. The pressure to implement new systems quickly and yet reduce costs leads to the potential that corners may be cut and security weaknesses are not always immediately evident. Additionally, many financial services companies are establishing a substantial number of partnerships with other organizations to offer services to their customers - changing the nature of the security problem itself." said John Clark, Partner, Security Services, Deloitte & Touche. "Financial institutions generally have higher standards of security to uphold. The fact that 39% of survey respondents have experienced a breach over the last twelve months should give reason for pause amongst the organizational leadership. Considering the large presence of financial institutions based here in Chicago, these findings implicate that local companies may need to step up and make even greater improvements than they have thus far in order to keep their systems secure."

Regional Differences

Strong regional differences in attitudes toward security also surfaced in the results.

-- U.S. respondents reported the highest implementation levels of

all regions of every security measure except for the adoption

of security and privacy standards, and the use of biometrics

and public key infrastructure (PKI). Also, CISOs and CSOs in

the U.S. have the broadest scope of security coverage, with

the exception of the compliance function, with Europe, the

Middle East and Africa (EMEA) region reporting the highest

coverage. U.S. respondents were early technology adopters and

characterize the level of risk their organizations strive to

achieve as "effective and efficient." Finally, respondents

from the U.S. showed the highest levels of business

continuity/disaster response development, maintenance and

testing - not surprising considering the events of September


-- Canadian respondents were driven by activities of their

competitors. While rating themselves as highly as U.S.

respondents on use of security tools, adoption of new

technologies, performance of ethical hacking and penetration

testing, Canadians had the least deployment of biometrics and

the lowest rate of security standards adoption among other

regions. Canadians were relatively less concerned over

availability of qualified security resources, budgets and the

increased sophistication of threats.

-- Respondents from organizations in Europe, the Middle East and

Africa (EMEA) were motivated by fear of exposure and the

demand for compliance to differing laws and regulations, but

employed the least use of ethical hacking and network

penetration testing. They classify themselves as "effective

users of demonstrated technologies" and are ahead of the pack

when it comes to policy setting, security standards, privacy,

use of PKI, biometrics and security expenditure. Compared to

the U.S., EMEA respondents had the lowest levels of business

continuity/disaster response planning and testing.

-- Respondents from Asia Pacific were not risk-takers and were

relatively late adopters of security technologies, except for

directory services, wireless security and smart cards. They

had the highest levels of concern regarding increasingly

sophisticated threats, but also reported the least amount of

concern about the interoperability of different products.

-- Latin America respondents, who characterized themselves as

"fast followers," reported the least deployment of incident

response systems, the least deployment of ethical hacking and

testing techniques and the lowest level of security for

third-party access technologies. However, Latin American

organizations had the highest adoption rate for biometrics of

all the regions.

"We set out to measure whether financial services institutions around the globe are ready now to meet the challenges of new security threats. Overall, there are encouraging signs of progress in the financial services industry worldwide, especially the increase of information security officers and their relative position within organizations, as well as plans by a vast majority of these companies to incorporate new measures such as PKI, smart cards and wireless security," noted Ted DeZabala, Principal and Deloitte & Touche Global Information Security & Privacy Services - Enterprise Risk Services Practice U.S. Regional Leader, Global Financial Services Industry. "At the same time, there still seems to be a lack of clarity on the impact of multiple governance initiatives on information security and the role it will play in compliance. Obviously, many still feel vulnerable to external and internal threats."

Other key findings from the survey include:

-- 5% of respondents are "extremely confident" about how well

their organization's systems are protected from internal


-- 40% of respondents have a Chief Privacy Officer on board, and

only 6% intend to appoint one in the next two years.

-- 43% of respondents reported feeling "very confident" that

their organization's back-ups would work or are being stored

off-site safely.

-- Security typically accounts for between 6- to -8% of an

organization's overall IT budget.

-- More than two-thirds of all respondents reported that general

management perceives IT security as a "necessary cost of doing

business" rather than a discretionary expense.

"This research underscores the challenging nature of the current situation - financial institutions are feeling the pull of market forces that inhibit the growth of IT security and the push to take action in the face of imminent danger from threats more diverse than they have ever faced in the past," said DeZabala. "The next few years will be challenging."


In-person interviews were conducted by members of Deloitte Touche Tohmatsu's Global Financial Services Industry and Enterprise Risk Services practices with senior information technology executives (Chief Security Officer, Chief Information Officer, IT Directors, etc.) at 78 of the top 500 global financial services organizations. Regional breakouts include: 36% U.S.; 22% Europe/Middle East/Africa; 16% Canada; 14% Asia/Pacific; and 12% Latin America. Public companies comprised 60% of respondents, versus 27% private companies and 13% not-for-profit, public sector or private subsidiaries of publicly held organizations. Respondents were interviewed across eight main areas related to information security: governance, investment, value, risk, responsiveness, use of security technologies, quality of operations, and privacy.

About Deloitte & Touche

Deloitte & Touche LLP, one of the nation's leading professional services firms, provides assurance and advisory, tax, and management consulting services through nearly 30,000 people in more than 80 U.S. cities. The firm is dedicated to helping our clients and our people excel. Known as an employer of choice for innovative human resources programs, Deloitte & Touche has been recognized as one of the "100 Best Companies to Work For in America" by Fortune magazine for six consecutive years. Deloitte & Touche is the U.S. national practice of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein, and each of its national practices is a separate and independent legal entity. For more information on security services, go to To learn about the firm, visit

About the Global Financial Services Industry Practice

Deloitte & Touche serves financial services firms globally through our Global Financial Services Industry practice. GFSI's industry specialists represent every major financial center in the world and bring decades of experience and leadership in banking, securities, insurances and investment management to each client assignment. For more information on our practice, visit our web site at

About Enterprise Risk Services -Global Security Services Group

Deloitte & Touche's Enterprise Risk Services (ERS) practice is a global leader in helping clients manage risk and uncertainty. ERS provides a broad array of services that allow clients around the world to better measure and manage risk and control, and to enhance the reliability of systems and processes throughout the enterprise. As one of the largest independent groups providing security services, ERS' Security Services group is able to leverage the business, industry, and geographic experience of over 1,000 professionals located in more than 100 countries worldwide. Drawing on its strong knowledge management, global network of security technology labs, and deep industry and business experience, the Security Services Group delivers enterprise-wide security solutions in the areas of Identity Management, Application Integrity, and Infrastructure Security. For more information on our security services, go to or
COPYRIGHT 2003 Business Wire
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2003, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.

Article Details
Printer friendly Cite/link Email Feedback
Publication:Business Wire
Geographic Code:1USA
Date:May 27, 2003
Previous Article:American Science and Engineering, Inc. Announces Notice of Upcoming Earnings Conference Call Q4 and Fiscal Year 2003 Results.
Next Article:Intransa's IP5000 IP-SAN Storage System Achieves Interoperability Certification With BakBone's Backup and Recovery Software.

Related Articles
Lawson and Deloitte & Touche Announce Business Intelligence Program for Retailers.
Deloitte Touche Tohmatsu's Tax Practice Takes Top Honors in Global Survey.
Deloitte & Touche's Chicago Office Garners Top Honors in North American Survey of Leading Tax Advisers.
Many Corporations Remain Unprepared to Meet Sarbanes-Oxley's Internal Control Requirements, According to Deloitte & Touche Survey.
Deloitte & Touche Survey: New Anti-Money Laundering Compliance Regulations May Create Significant Operational Challenges for Financial Services...
85 Percent of CEOs Are Hiring at North America's Fastest Growing Technology Companies: Deloitte & Touche Survey; CEOs Favor Tax Cuts to Jump-Start...
Trend turns, more purchase coverage for cyber crime.
European Chapter meets in Madrid; Winter Conference focuses on benchmarking, Tony Maggiore receives chapter award.
Medianet Continues Deloitte Certification for Enhanced Security Standards.

Terms of use | Privacy policy | Copyright © 2019 Farlex, Inc. | Feedback | For webmasters