Attacks on the Increase

External security attacks on information technology systems at a sampling of the world’s leading financial institutions more than doubled from a year ago, according to responses from a global survey of financial institutions by Deloitte & Touche LLP, one of the nation’s largest professional services firms.

Deloitte’s 2004 Global Security Survey, released Thursday, revealed that 83% of survey respondents acknowledged their systems had been compromised in the past year, compared to 39% in 2003.

Moreover, 40% of respondents whose systems were attacked said they sustained financial losses.

The survey, which provides insight into the state of security in the financial services industry, consisted of interviews with senior security officers from 100 of the top global financial institutions.

“Financial institutions are fighting an on-going battle to combat and mitigate ever-increasing security threats and attacks, and privacy violations, as well as comply with the increasingly stringent regulatory environment,” said Ted DeZabala, a principal and national leader of Security Services for Deloitte.

“These institutions are under increased pressure to deliver a secure environment while also providing greater consumer access. There is a very fine balance between meeting such demands while maintaining the level of security needed to prevent and manage attacks.”

Despite the reported doubling of security attacks, more than a quarter of respondents said their security budgets remained flat, while nearly 10% had their budgets slashed from the previous year. Respondents reported they perceived their spending on security to be in line with other comparable organizations and in line with their own security plans.

The survey also showed declining use of security technologies. With more than 70% of respondents stating they believed viruses and worms to be the greatest threat to their systems within the next year, a total of 87% of respondents said they have fully deployed anti-virus measures. This result is down from a response rate of 96% from last year’s survey.

There is, however, encouraging news.

Financial institutions responding showed improved regulatory compliance efforts, with two-thirds indicating they now have a program for managing privacy, compared to 56% of respondents in 2003. In addition, nearly seven-of-10 felt that senior management is committed to security projects needed to address regulatory requirements.

“Security threats such as viruses, worms, malicious code, sabotage and identity theft are real and have already cost millions of dollars in lost revenues to institutions globally,” said DeZabala. “This is our second year conducting this survey, and we plan to continue doing this annually to help the financial services industry, as well as others that may benefit, better understand the increasingly complex environment of security threats and possible countermeasures available.”

Other key findings indicate:

  • Although more than half of respondents indicated security is a key part of their solution, only 10% reported that their general management perceived security as a business enabler.
  • The majority of respondents indicated they have a comprehensive IT disaster recovery plan in place, but only half of respondents included personnel within their business continuity plans.
  • One-third of respondents stated they believe security technologies acquired by their organizations are not being utilized effectively.
  • Only one quarter of respondents felt their strategic and security technology initiatives were well aligned.
  • Identity management and vulnerability management were the two most common technologies financial services are piloting or intend to deploy over the coming 18 months, according to the survey.

The survey, conducted in face-to-face interviews by Deloitte’s Global Financial Services Industry practice, focused on senior information technology executives (Chief Information Officer, Chief Security Officer, Security Management Team, etc.) from 100 of the top global financial services organizations.

The questions, developed by the firm’s Security Services Group, related to governance, investment, value, risk, responsiveness, use of security technologies, quality of operations, and privacy. The respondents represented public and private companies from all continents reaching the four corners of the globe, including Canada, the United States, Europe/Middle East/Africa, Asia/Pacific and Latin America.

This article was compiled and edited by CIO Update staff. Please direct any questions regarding its content to Allen Bernard, Managing Editor.