Insider Threat Greatest at Financial Institutions

Internal attacks on information technology systems are surpassing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey released yesterday by Deloitte Touche Tohmatsu (DTT).

Thirty-five percent of respondents confirmed encountering attacks from inside their organization within the last 12 months (up from 14% in 2004) compared to 26% from external sources (up from 23% in 2004).

The third annual Global Security Survey acts as global benchmark for DTT and its member firms for the state of IT security in the financial sector and consisted of interviews with senior security officers from the world’s top 100 global financial institutions.

The trend shift from external to internal attacks and tactics that exploit human behavior verses technological loopholes is explained by the improved utilization of IT security technologies; mainly by the increased use of anti-virus solutions (98% vs. 87% in 2004), virtual private networks (VPN) (79% vs. 75%) and content filtering and monitoring (76% vs. 60% in 2004).

“Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks that target customers, and internal attacks, indicate that there are new threats that have to be addressed, said Adel Melek, a partner in the Canadian member firm of DTT and Global Leader of IT Risk Management & Security Services within Deloitte’s Global Financial Services Industry practice.

“Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap.”

However, as survey results show, security training and awareness have yet to top the agenda of Chief Information Security Officers (CISO), as less than half (46%) of respondents have training and awareness initiatives scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74%) and reporting and measurement (61%).

Additional key findings of the survey:

  • While close to half (48%) of respondents perceive lack of employee awareness as one of their top challenges, security training and awareness measurements implemented in the past 12 months declined from 77% in the previous survey to 65% this year.
  • Almost three-quarters (74%) of respondents outsource at least one IT function, but (27%) do not conduct regular assessments of the security outsourcer’s compliance with security requirements.
  • While 86% of organizations with a CISO indicated that this function reports directly to the board or to the C-suite, only about one-third of the organizations interviewed feel that security has been similarly recognized as a critical area of business.
  • Unrealistic timelines and budgets (56%) topped respondents’ list of common reasons for security project failures, followed by integration problems due to poor up-front design and architecture (48%) and lack of buy-in from business owners (34%).


The survey, conducted through face-to-face interviews and on-line questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team, etc.) of many of the top 100 global financial services organizations.

Questions related to governance, investment, value, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private companies from all regions of the world including the Americas, Europe/Middle East/Africa, Asia/Pacific and Latin America.