An examination of the state of IT security among the top 500 global financial institutions, chief security officers...
May 20, 2003
An examination of the state of IT security among the top 500 global financial institutions, chief security officers (CSO) and chief information security officers (CISO) found that more attacks are committed by external sources and not company insiders, according to a new study released today by Deloitte & Touche LLP.
The study also contains alarming news about Canadian respondents. While rating themselves as highly as U.S. respondents on use of security tools, adoption of new technologies, performance of ethical hacking and penetration testing, Canadians had the least deployment of biometrics and the lowest rate of security standards adoption among other regions.
Canadians were relatively less concerned over availability of qualified security resources, budgets and the increased sophistication of threats, the consulting firm noted.
Thirty-nine percent of respondents that experienced a security breach within the past year stated that only 10 per cent of the attacks originated internally — contradicting common belief that the vast majority of cyber crime originates from within the organization rather than an external attack.
Overall, global financial institutions have implemented a variety of information security practices and technologies, maintained or increased security budgets and boosted IT security staffing levels despite the worldwide economic downturn, according to the study.
For example, 80 per cent of respondents have a formal information security strategy in place. Moreover, 61 per cent of organizations either have a Chief Security Officer (CSO) or Chief Information Security Officer (CISO). Chief security officers, however, still see room for improvement in establishing privacy standards and shoring up defenses against all external threats.
“Considering other studies in recent years have shown that nearly 80 to 90 per cent of Fortune 500 companies and government agencies have experienced a security breach in the past twelve months, 39 per cent may seem low," said Adel Melek, a Deloitte & Touche partner.
"However, these are financial institutions that generally have higher standards of security to uphold. This study, while demonstrating the progress of the financial services industry, also reveals how vulnerable even the most secure organizations are, and how much work still needs to be done.”
Strong regional differences in attitudes toward security surfaced in the results. As an example, U.S. respondents reported the highest implementation levels of all regions of every security measure except for the adoption of security and privacy standards, and the use of biometrics and public key infrastructure (PKI).
Respondents from organizations in Europe, the Middle East and Africa (EMEA) were motivated by fear of exposure and the demand for compliance to differing laws and regulations, but employed the least use of ethical hacking and network penetration testing.