Deloitte: People are still weakest security link

Deloitte: People are still weakest security link

Summary: Financial institutions should do more to tackle the human factor in security breaches, according to consultancy firm Deloitte

TOPICS: Security

People remain the weakest security link for financial companies, according to consultancy firm Deloitte.

The compromising of customers' systems continues to be the major cause of security breaches in financial institutions, according to the 2007 Global Financial Services Security Survey.

In the EMEA region, 71 percent of financial services institutions have experienced repeated external breaches over the past 12 months, compared to 65 percent of financial services institutions worldwide. The major causes of external breaches were customers compromised by viruses and worms, and email attacks through spam, phishing and pharming.

However, a high percentage of security breaches were caused by employees. Thirty-one percent of EMEA financial institutions experienced repeated internal IT security breaches over the past year while, globally, the figure is 30 percent. Employee IT security breaches were caused by misconduct, intentional action, errors or omissions.

Business partners and third parties also represent a cause of computer security breaches, one example given being the loss of up to 48 million credit and debit card details from a "well-known discount retailer".

Deloitte called for the financial services sector to provide a concerted effort to educate customers, employees, third parties and business partners of IT risk.

"Until there is a concerted effort to provide tailored security knowledge and awareness programmes to all of the people who comprise an organisation's risk categories, organisations will continue to be at the mercy of the growing threat profile," stated the report.

Although errors and omissions by employees were identified as major factors contributing to ongoing security failures, almost a quarter (22 percent) of respondents provided no employee security training over the past year and only around one third of respondents (30 percent) say their staff is well skilled, with adequate competencies to respond to security needs.

Mike Maddison, Deloitte UK head of security and privacy services, said in a statement: "You can have the best technical systems in place but they are unlikely to operate effectively unless you educate people on their obligations and how to fulfil them."

Sentry Posts Blog

Sentry Posts Blog

Guarding the network

What you need to know — and what you and your peers have to tell us — about security management in our new community group blog

Read more

The survey found that although information security issues are gaining board recognition, with 82 percent of global financial institutions saying security has become a "critical area of business", only 10 percent of them said their information security strategy was "led and embraced by line and functional leaders".

Deloitte called it an "emerging security paradox" that security incidents continue to "grab business executives' attention, but 'ownership' of the underlying problems is still perceived to rest with IT departments". The company also said it was "surprising" that less than two thirds (63 percent) of the banks that responded to the survey have an information security strategy in place.

Maddison said: "The contradictory findings in this year's survey highlight the ongoing security challenge financial institutions are facing. On the one hand, it is clear that senior executives know there are actions they must take to improve security to protect their customers' data for very good business reasons. On the other hand, when it comes to taking action, it once again becomes a technical problem. Despite these challenges, knowing that the problem exists is at least half the battle, so financial institutions are definitely moving in the right direction."

Topic: Security

Tom Espiner

About Tom Espiner

Tom is a technology reporter for He covers the security beat, writing about everything from hacking and cybercrime to threats and mitigation. He also focuses on open source and emerging technologies, all the while trying to cut through greenwash.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


1 comment
Log in or register to join the discussion
  • This is not IT's job but IT can help.

    It seems to me this is a burden being placed on the wrong shoulders. There is not an It system in the world that can stop an individual taking information in their heads and spewing out at the nearest undesirable third party.
    It seem to me to be an HR issue whether their employees are dishonest or uneducated.
    What IT needs to deal with is the unintentional and design systems with security as the primary focus not a secondary after thought.
    Most IT systems are defending against the unknown rather that catering to the known and discarding the unknown. If that security is passive that reduces the stupidity factor. That is why car insurance firms drop their premiums on cars with automatic passive alarms.
    Also if the system is uneditable by the user that reduces the hack factor. Tie in with only the known devices getting into only those apps its allowed and not seeing the rest of the network, a bite is taken out of that risk percentage.
    It is time to lose the old paradigm VPN and move to a system where only those bits needed are let out through secure encrypted tunnels and everything else is blocked out. Get IT security simplified yet fortified.
    How secure would a network be if no one could snoop outside the area they were allowed.
    What if you could have built in a system where you could give someone your laptop, pass key, username and password ....and they still get nothing!
    Make the system simple so IT don