Economy and IT Security Both Heading South
Tighter budgets, a greater concern over internal security breaches due to lower employee morale and complacency after a decrease in overall attacks over the past year may expose global financial institutions to an increased risk of data breaches, according to Deloitte Touche Tohmatsu's 6th annual survey of global financial institutions' information security efforts.
"As the current crisis continues to deepen, financial institutions may look to save money by cutting IT budgets and reducing spending on security infrastructure, said Mark Steinhoff, the leader of Deloitte's financial services security and privacy group and a contributor to the report, in a press release.
"Consumer trust is already waning. As such, it is important for financial institutions to be vigilant in protecting their data and implementing checks and balances to reduce the risk and potentially catastrophic consequences of security failures. With the many challenges confronting the industry this year, combating security breaches should not fall by the wayside."
While 60% of respondents confirm that their information security budgets increased in 2008 (mostly in the range of one to five percent), Steinhoff expects 2009 budgets to be down given cost containment efforts. More than half of respondents (56%) said that budgetary constraints and/or lack of resources are the leading barriers to ensuring information security; while lack of resources is identified by a third as the leading cause of failure of information security projects.
Security attacks that exploit human error and breaches caused by distracted or disgruntled employees may be the root cause of information security failures in coming months. The majority of respondents (86%) confirm that human error is the leading cause of information systems failure. This finding recognizes that, while people are an organization's greatest asset, they are also its weakest linkparticularly in hard economic times when job insecurity and increased stress levels may lead employees to behave in atypical ways.
While both internal and external security breaches at financial institutions worldwide have fallen over the past 12 months, employee misconduct is a growing concern for these organizations. More than a third (36%) of respondents expressed concern about insiders' misconduct, compared to only 13% who are concerned about external threats. Furthermore, 6-in-10 (58%) of survey participants are concerned about their ability to protect their organization from internal cyber attacks.
"The challenge for IT security has always been innovation," said Steinhoff, "both in updating the core IT system for the next must-have electronic device and defending against the sophistication of criminals targeting financial institutions. While changes in new regulations might demand new investments, how you keep your infrastructure and technologies safe is something all institutions should be focused on in 2009. This will be a challenging year, no matter how you slice it."
Additional survey findings include:
- Phishing and pharming continue to be cited by respondents as causing one of the highest levels of concern, although the current techniques continue to evolve. This also ranks as the leading type of external breach experienced by respondents (22%).
- The growing popularity of social networks and the proliferation of mobile media such as USB keys, MP3 players and PDAs are causing an extra load on internal and external security. Interestingly, more than half of financial institutions surveyed now restrict the use of social networks and instant messaging (53% and 58%, respectively).
- Respondents' top three information security priorities are: security regulatory compliance and, tied in second place, access and identity management and data protection and information leakage.
- The leading drivers for respondents to protect the privacy of their clients are regulatory privacy requirements (79%) followed by reputation and brand concerns (70%).
The Deloitte Touche Tohmatsu survey is based on interviews with senior security officers from the world's top global financial institutions. The respondents represented public and private organizations from 32 countries.