World’s Largest Financial Institutions Challenged by the ‘Security Paradox’
Petaling Jaya, October 24, 2007 – While information security incidents continue to grab the attention of business executives, “ownership” of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu survey.
Less than two thirds (63%) of respondents to Deloitte’s 2007 Global Security Survey have an information security strategy. Only 10% of this year’s respondents have their information security led by business line leaders.
The survey’s findings support the claim of an emerging security paradox: the gap between awareness of the problem and support for the solution. In Asia Pacific, though all respondents have a programme for managing privacy compliance, only 7% presently have both the required skills and competencies to respond effectively to any security requirements and none have an information security strategy led by business line leaders.
“Malaysia is still behind in the area of managing privacy compliance,” said Jason Yuen, IT Security Director of Deloitte Malaysia’s Enterprise Risk Services group. “However, as public awareness improves, more firms will realise its importance. The risks of not having such programmes in place are too high for any business to face though the immediacy of such risks is difficult to judge.”
Martin Ng, Governance, Risk Management & Compliance Director of Deloitte Malaysia’s Enterprise Risk Services group, concurred. “In the Malaysian context where we intend to be an outsourcing hub, privacy compliance and how it is managed will be a key point of deliberation for potential outsourcers. For example, in India there have already been numerous identity theft cases and it’s definitely a growing concern there.”
The survey also revealed that the greatest root cause of external breaches continues to be the ‘human factor’: an organisation’s employees, customers, third parties and business partners. One of the elements most worrisome for organisations when it comes to breaches is customers. The survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms; e-mail attacks, e.g. spam; and phishing/pharming.
All of these breaches are perpetrated via the customer, e.g. customers as unwitting providers of sensitive information and conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers’ computers, most likely because of the enormity of such an undertaking.
When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two thirds of respondents (66%) replied that they should not. In addition to breaches perpetrated through the customer channel, the survey reveals that a high number of repeated occurrences of breaches can be attributed to employees: both misconduct (intentional action) and errors and omissions (unintentional action).
An overwhelming majority of respondents (91%) are concerned about employees and cite the human factor as the root cause for information security failures (79%). But while errors and omissions on the part of employees are identified as a major security issue, almost a quarter (22%) of respondents provided no employee security training over the past year and only one-third of respondents (30%) say their staff is well skilled with adequate competencies to respond to security needs.
“The fact that only 7% of Asia Pacific’s respondents felt that they had sufficient skills and competencies to handle security requirements is worrying. Having said that, it is difficult for Malaysian firms to obtain the skills and talent required as demand far outstrips availability. The situation gets even tighter when you factor in that foreign firms are also looking at Malaysian talent for their needs,” Yuen said.
Also a problem is that none of Asia Pacific’s respondents have an information security strategy that is led and embraced by line and functional business leaders. “The tone set by business leaders is critical while the execution of the strategy requires stakeholders of every level to play their role. Company leaders need to be educated on the need for a better information security strategy,” Ng said.
“Despite these issues, identifying them is at least half the battle and so financial institutions are definitely moving in the right direction to close the gaps,” added Yuen. “Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organisations’ top initiatives this year, as they fight to keep pace with the ever-changing threat landscape.”
Additional key findings of the survey:
· E-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57%).
· Two-thirds (66%) of respondents do not feel they should be accountable for protecting the computers of customers who bank online.
· Virtually all respondents (98%) indicate increased security budgets, but 35% feel that their investment in information security is lagging behind business needs.
· “Shifting priorities” and “integration problems” were identified as the top reasons for information security project failure (48% and 32%, respectively).
Regional highlights
Asia Pacific excluding Japan (APAC):
Though a majority of the respondents (78%) feel that security has captured the attention of the C-suite as a critical area of business, none of the respondents indicated that they have an information security strategy led and embraced by their line and functional business leaders. While all the respondents have some sort of program for managing privacy compliance, only seven percent of participants, the lowest level among all regions, felt they presently have the required skills and competencies to effectively handle existing and foreseeable security requirements.