Deloitte: People are still weakest security link

Financial institutions should do more to tackle the human factor in security breaches, according to consultancy firm Deloitte
Written by Tom Espiner, Contributor

People remain the weakest security link for financial companies, according to consultancy firm Deloitte.

The compromising of customers' systems continues to be the major cause of security breaches in financial institutions, according to the 2007 Global Financial Services Security Survey.

In the EMEA region, 71 percent of financial services institutions have experienced repeated external breaches over the past 12 months, compared to 65 percent of financial services institutions worldwide. The major causes of external breaches were customers compromised by viruses and worms, and email attacks through spam, phishing and pharming.

However, a high percentage of security breaches were caused by employees. Thirty-one percent of EMEA financial institutions experienced repeated internal IT security breaches over the past year while, globally, the figure is 30 percent. Employee IT security breaches were caused by misconduct, intentional action, errors or omissions.

Business partners and third parties also represent a cause of computer security breaches, one example given being the loss of up to 48 million credit and debit card details from a "well-known discount retailer".

Deloitte called for the financial services sector to provide a concerted effort to educate customers, employees, third parties and business partners of IT risk.

"Until there is a concerted effort to provide tailored security knowledge and awareness programmes to all of the people who comprise an organisation's risk categories, organisations will continue to be at the mercy of the growing threat profile," stated the report.

Although errors and omissions by employees were identified as major factors contributing to ongoing security failures, almost a quarter (22 percent) of respondents provided no employee security training over the past year and only around one third of respondents (30 percent) say their staff is well skilled, with adequate competencies to respond to security needs.

Mike Maddison, Deloitte UK head of security and privacy services, said in a statement: "You can have the best technical systems in place but they are unlikely to operate effectively unless you educate people on their obligations and how to fulfil them."

The survey found that although information security issues are gaining board recognition, with 82 percent of global financial institutions saying security has become a "critical area of business", only 10 percent of them said their information security strategy was "led and embraced by line and functional leaders".

Deloitte called it an "emerging security paradox" that security incidents continue to "grab business executives' attention, but 'ownership' of the underlying problems is still perceived to rest with IT departments". The company also said it was "surprising" that less than two thirds (63 percent) of the banks that responded to the survey have an information security strategy in place.

Maddison said: "The contradictory findings in this year's survey highlight the ongoing security challenge financial institutions are facing. On the one hand, it is clear that senior executives know there are actions they must take to improve security to protect their customers' data for very good business reasons. On the other hand, when it comes to taking action, it once again becomes a technical problem. Despite these challenges, knowing that the problem exists is at least half the battle, so financial institutions are definitely moving in the right direction."

Editorial standards