Security attacks on IT systems have more than doubled since last year. That’s what 100 IT chief security officers at financial institutions around the globe reported in a global survey compiled by Deloitte & Touche LLP. External security attacks on information technology systems at a sampling of the world’s leading financial institutions more than doubled from a year ago, according to those who responded to the rigorous global survey. Deloitte & Touche LLP is one of the nation’s leading professional services firms.
According to the survey, 83 percent of surveyed financial firms acknowledged their systems were compromised in the past year. That number compares with 39 percent in 2003. Of those firms that were attacked, 40 percent sustained financial losses.
“Financial institutions are fighting an ongoing battle to combat and mitigate ever-increasing security threats and attacks and privacy violations, as well as comply with the increasingly stringent regulatory environment,” said Ted DeZabala, a principal and national leader of security services at Deloitte & Touche LLP.
This survey marks the second year of what Deloitte & Touche plans to be an annual industry poll. The 100 organizations surveyed represented three categories. The largest category contained 31 of the top 100 Global Financial Services Institutions ranked by 2002 financial assets. The second category had 23 of the top 100 Global Banks ranked by Tier-1 Capital 2002. The third category had 10 of the top 50 Global Insurers ranked by 2002 financial assets.
Although the number of security attacks against financial institutions rose sharply in global terms, the United States had the smallest number of financial institutions reporting attacks — 24 percent. Canada, the second lowest-ranked of the five regions, had a tally almost double that of the United States, with 44 percent of its financial institutions suffering attacks.
The Asia-Pacific region topped the charts, with 71 percent of financial institutions there acknowledging attacks. The Latin America-Caribbean region reported 50 percent of its financial institutions on the receiving end of attacks, and the region composed of Europe, the Middle East and Africa experienced attacks on 47 percent of its financial institutions.
But DeZabala cautioned about reading too much significance into the raw statistics.
“My sense is that there is an upward trend of attacks globally. Those companies represented in the survey are global firms, so some of their reported attacks could have occurred in the U.S.,” he said. “Their ability to manage threats has to be compared to the rate of increase in threats.”
Additional Key Findings
The 2004 Global Security Survey revealed several trends that bear watching, analysts said. Among the findings were the following:
- More than half of the respondents said security is a key part of their strategy. But 10 percent reported that their general management perceives security as a business enabler.
- The majority of respondents said they have a comprehensive IT disaster recovery plan in place, but only half include personnel in their business continuity plans.
- One-third of respondents said they believe security technologies acquired by their organizations are not being utilized effectively.
- Only one-fourth of respondents said they think their strategic and security technology initiatives are well aligned.
- Identity management and vulnerability management were the two most common technologies that financial services firms said they are piloting or intend to deploy in the coming 18 months.
Survey Spotlights IT Concerns
The survey results show a significant shift in attitudes by high-level executives toward IT security issues in recent years, DeZabala told TechNewsWorld. Regulatory issues and user identity management concerns are taking on new importance. Both the user experience and the IT environment are becoming more efficient.
Despite those gains in the corporate setting, third-party access to corporate networks is becoming a huge administrative management problem.
“A lot of attention is being paid to this area now,” said DeZabala.
Lastly, security budgeting in general is a soft thing. “It requires a huge undertaking,” he said.
Despite the reported doubling of security attacks, more than one-fourth of financial institutions surveyed said their security budgets remained flat. Some 10 percent of the respondents said their companies slashed their online security budgets from the previous year.
The respondents also reported that they perceive their spending on security to be in line with other comparable organizations and in line with their own security plans.
However, DeZabala said he sees a larger picture than what the survey shows. Overall, at the big financial institutions, spending is on the rise.
“I take a more pragmatic [view] in assessing if statistics are valid. Financial institutions are starting to take IT issues seriously. Online security risks will continue to grow. Some financial institutions are keeping up; some aren’t,” said DeZabala regarding IT budgets.
Technology Lagging, Compliance Gaining
According to the survey, financial institutions are not keeping up with security technologies. More than 70 percent of the respondents identified viruses and worms as the likely greatest threat to their systems within the next year.
A total of 87 percent of respondents said they have fully deployed antivirus measures. This result is down from a response rate of 96 percent in last year’s survey.
On the regulatory front, however, more financial institutions are improving their compliance efforts. Two-thirds of respondents indicated they now have a program for managing privacy. That compares with 56 percent of respondents in 2003. In addition, nearly seven of 10 said they think senior management is committed to security projects needed to address regulatory requirements.
“Security threats such as viruses, worms, malicious code, sabotage and identity theft are real and have already cost millions of dollars in lost revenues to institutions globally,” said DeZabala.
New Solutions Needed
Financial firms need better methods to maintain online security, DeZabala told TechNewsWorld. Many companies are having a hard time with the time span between Internet vulnerabilities being announced and protections being applied. “Those events are becoming highly compressed,” he said. “Vulnerabilities are being discovered only after attacks are discovered.”
The current system of waiting for patches to be released and then installing them is not enough in today’s volatile virus and worm environment. “We need new security methods,” he said.
DeZabala likened the results of the survey of financial institutions to a report on the medical industry. The survey showed the online financial presence is generally healthy but not without some symptomatic sniffles.
The online financial industry is a lot like medical science, he said. There will always be some diseases cured while other sicknesses remain a threat. “That’s because some people are too creative and too lustful,” he concluded.