Top Global Financial Institutions Sustain More External Than Internal IT Security Attacks: Deloitte & Touche Survey.
CHICAGO--(BUSINESS WIRE)--May 27, 2003
Deloitte & Touche survey shows regional differences
in IT security and privacy attitudes, policies and
technologies at leading global financial services firms
In a comprehensive look at the state of IT security among the top 500 global financial institutions, chief security officers (CSOs) and chief information security officers (CISOs) said more attacks are committed by external sources than by company insiders, according to a new study released today by Deloitte & Touche LLP, one of the nation's leading professional services firms. Additionally, financial organizations made significant investments toward improving their IT security, despite current economic and budget constraints.
Thirty-nine percent of respondents experienced a security breach within the past year; those respondents stated that only 10 percent of the attacks originated internally, contradicting the common belief that the vast majority of cyber crime originates from within the organization rather than from an external attacker.
Overall, global financial institutions have implemented a variety of information security practices and technologies, maintained or increased security budgets and boosted IT security staffing levels despite the worldwide economic downturn, according to the study. For example, 80% of respondents have a formal information security strategy in place, and 61% of organizations have either a Chief Security Officer (CSO) or a Chief Information Security Officer (CISO). Chief security officers, however, still see room for improvement in establishing privacy standards and in shoring up defenses against external threats.
"We are faced with some significant trends. The combination of increasingly complex technology and more sophisticated attacks makes it more difficult to secure systems. The pressure to implement new systems quickly and yet reduce costs leads to the potential that corners may be cut and security weaknesses are not always immediately evident. Additionally, many financial services companies are establishing a substantial number of partnerships with other organizations to offer services to their customers - changing the nature of the security problem itself," said John Clark, Partner, Security Services, Deloitte & Touche. "Financial institutions generally have higher standards of security to uphold. The fact that 39% of survey respondents have experienced a breach over the last twelve months should give reason for pause amongst the organizational leadership. Considering the large presence of financial institutions based here in Chicago, these findings imply that local companies may need to step up and make even greater improvements than they have thus far in order to keep their systems secure."
Strong regional differences in attitudes toward security also surfaced in the results.
-- U.S. respondents reported the highest implementation levels of
all regions of every security measure except for the adoption
of security and privacy standards, and the use of biometrics
and public key infrastructure (PKI). Also, CISOs and CSOs in
the U.S. have the broadest scope of security coverage, with
the exception of the compliance function, with Europe, the
Middle East and Africa (EMEA) region reporting the highest
coverage. U.S. respondents were early technology adopters and
characterize the level of risk their organizations strive to
achieve as "effective and efficient." Finally, respondents
from the U.S. showed the highest levels of business
continuity/disaster response development, maintenance and
testing - not surprising considering the events of September
-- Canadian respondents were driven by activities of their
competitors. While rating themselves as highly as U.S.
respondents on use of security tools, adoption of new
technologies, performance of ethical hacking and penetration
     testing, Canadians had the least deployment of biometrics and
     the lowest rate of security standards adoption of all
     regions. Canadians were relatively less concerned over
availability of qualified security resources, budgets and the
increased sophistication of threats.
-- Respondents from organizations in Europe, the Middle East and
Africa (EMEA) were motivated by fear of exposure and the
demand for compliance to differing laws and regulations, but
employed the least use of ethical hacking and network
     penetration testing. They classified themselves as "effective
     users of demonstrated technologies" and are ahead of the pack
     when it comes to policy setting, security standards, privacy,
     use of PKI, biometrics and security expenditure. In contrast to
     the U.S., however, EMEA respondents had the lowest levels of
     business continuity/disaster response planning and testing.
-- Respondents from Asia Pacific were not risk-takers and were
relatively late adopters of security technologies, except for
directory services, wireless security and smart cards. They
had the highest levels of concern regarding increasingly
sophisticated threats, but also reported the least amount of
concern about the interoperability of different products.
-- Latin America respondents, who characterized themselves as
"fast followers," reported the least deployment of incident
response systems, the least deployment of ethical hacking and
testing techniques and the lowest level of security for
third-party access technologies. However, Latin American
organizations had the highest adoption rate for biometrics of
all the regions.
"We set out to measure whether financial services institutions around the globe are ready now to meet the challenges of new security threats. Overall, there are encouraging signs of progress in the financial services industry worldwide, especially the increase of information security officers and their relative position within organizations, as well as plans by a vast majority of these companies to incorporate new measures such as PKI, smart cards and wireless security," noted Ted DeZabala, Principal and Deloitte & Touche Global Information Security & Privacy Services - Enterprise Risk Services Practice U.S. Regional Leader, Global Financial Services Industry. "At the same time, there still seems to be a lack of clarity on the impact of multiple governance initiatives on information security and the role it will play in compliance. Obviously, many still feel vulnerable to external and internal threats."
Other key findings from the survey include:
-- 5% of respondents are "extremely confident" about how well
their organization's systems are protected from internal
-- 40% of respondents have a Chief Privacy Officer on board, and
only 6% intend to appoint one in the next two years.
-- 43% of respondents reported feeling "very confident" that
their organization's back-ups would work or are being stored
-- Security typically accounts for between 6 and 8 percent of an
   organization's overall IT budget.
-- More than two-thirds of all respondents reported that general
management perceives IT security as a "necessary cost of doing
business" rather than a discretionary expense.
"This research underscores the challenging nature of the current situation - financial institutions are feeling the pull of market forces that inhibit the growth of IT security and the push to take action in the face of imminent danger from threats more diverse than they have ever faced in the past," said DeZabala. "The next few years will be challenging."
In-person interviews were conducted by members of Deloitte Touche Tohmatsu's Global Financial Services Industry and Enterprise Risk Services practices with senior information technology executives (Chief Security Officer, Chief Information Officer, IT Directors, etc.) at 78 of the top 500 global financial services organizations. Regional breakouts include: 36% U.S.; 22% Europe/Middle East/Africa; 16% Canada; 14% Asia/Pacific; and 12% Latin America. Public companies comprised 60% of respondents, versus 27% private companies and 13% not-for-profit, public sector or private subsidiaries of publicly held organizations. Respondents were interviewed across eight main areas related to information security: governance, investment, value, risk, responsiveness, use of security technologies, quality of operations, and privacy.
About Deloitte & Touche
Deloitte & Touche LLP, one of the nation's leading professional services firms, provides assurance and advisory, tax, and management consulting services through nearly 30,000 people in more than 80 U.S. cities. The firm is dedicated to helping our clients and our people excel. Known as an employer of choice for innovative human resources programs, Deloitte & Touche has been recognized as one of the "100 Best Companies to Work For in America" by Fortune magazine for six consecutive years. Deloitte & Touche is the U.S. national practice of Deloitte Touche Tohmatsu. Deloitte Touche Tohmatsu is a Swiss Verein, and each of its national practices is a separate and independent legal entity. For more information on security services, go to www.deloitte.com/us/security. To learn about the firm, visit www.deloitte.com/us.
About the Global Financial Services Industry Practice
Deloitte & Touche serves financial services firms globally through its Global Financial Services Industry practice. GFSI's industry specialists represent every major financial center in the world and bring decades of experience and leadership in banking, securities, insurance and investment management to each client assignment. For more information on the practice, visit www.deloitte.com/gfsi.
About Enterprise Risk Services -Global Security Services Group
Deloitte & Touche's Enterprise Risk Services (ERS) practice is a global leader in helping clients manage risk and uncertainty. ERS provides a broad array of services that allow clients around the world to better measure and manage risk and control, and to enhance the reliability of systems and processes throughout the enterprise. As one of the largest independent groups providing security services, ERS' Security Services group is able to leverage the business, industry, and geographic experience of over 1,000 professionals located in more than 100 countries worldwide. Drawing on its strong knowledge management, global network of security technology labs, and deep industry and business experience, the Security Services Group delivers enterprise-wide security solutions in the areas of Identity Management, Application Integrity, and Infrastructure Security. For more information on our security services, go to www.deloitte.com/us/security or www.deloitte.com/us/risk.