'

Internal attacks blighting banks

As the threats from outside decrease, financial services firms' security officers are seeing a massive rise in internal breaches

Financial services firms are facing more internal security breaches than external hacking and virus attacks, according to consultancy firm Deloitte.

Overall, the company's 2005 Global Security Survey found that security officers are doing a better job of defending their companies. Less than a third (28 percent) of respondents experienced an IT security breach in the last 12 months, a fall of 55 percent since last year.

Although finance companies have seen fewer external attacks, internal breaches more than doubled from 14 percent last year to 35 percent this year.

Mike Maddison, director of security services at Deloitte, said: "Financial institutions have dramatically reduced the number of external attacks by protecting themselves with antivirus software and content filtering, particularly at the perimeter of their networks.

"There's been an emphasis for some time on the never-ending battle to secure the corporate perimeter. As a result technological loopholes are being closed but the hackers' tactics have now shifted towards manipulating human behaviour as we've seen from the explosion in phishing attacks."

Of the 100 financial senior security officers surveyed, 65 said they had trained employees how to identify suspicious activity but only 6 percent did this at staff inductions. Less than half (46 percent) said they had awareness initiatives for employees scheduled for the next 12 months. The survey found that, when it comes to security spending, 64 percent of the budget is spent on technology compared to 15 percent for employee awareness and training.

Almost three-quarters of respondents outsource at least one IT job but around one in three fails to conduct regular assessments of the outsourcer's compliance credentials.

Maddison added: "I think that the proportion of internal attacks has increased more than we'd expected. Again, this comes down to making sure you properly vet staff, your patching is up to date, and antivirus is deployed effectively."