Internal hackers pose the greatest threat

A third of companies haven fallen victim to internal hack attacks

Internal hackers pose the greatest threat to the IT systems of the world's largest financial institutions, according to the 2005 Global Security Survey released today by the financial services industry practices of Deloitte Touche Tohmatsu.

Over a third of respondents admitted to having fallen victim to internal hack attacks during the past 12 months (up from 14 per cent in 2004) compared to 26 per cent from external sources (up from 23 per cent in 2004).

Instances of phishing and pharming, in which hackers lure people into disclosing sensitive information using bogus emails and websites, rocketed during the past year, underscoring the human factor as "a new and growing weakness in the security chain".

The study noted that the shift in tactics to exploit humans, rather than technological loopholes, is explained by the improved use of IT security systems.

This includes the increased deployment of antivirus systems (98 per cent compared with 87 per cent in 2004), virtual private networks (79 per cent compared with 75 per cent) and content filtering and monitoring (76 per cent compared with 60 per cent).

"Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats," said Adel Melek, a partner in the Canadian member firm of Deloitte Touche Tohmatsu.

"But the rise and increased sophistication of attacks that target customers, and internal attacks, indicate that there are new threats that have to be addressed.

"Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap."

However, the survey results show that security training and awareness have yet to top the agenda of chief information security officers, as less than half of respondents have training and awareness initiatives scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 per cent) and reporting and measurement (61 per cent).

The findings aligned with financial institutions' future investment plans in security, with 64 per cent of money set aside for security tools, compared with only 15 per cent for employee awareness and training.

Ted DeZabala, a principal in the security services group at Deloitte & Touche LLP, said: "With threats such as identity theft, phishing and pharming on the rise, organisations should be implementing identity management solutions encompassing access, vulnerability, patch and security event management.

"These solutions should be augmented by security training and awareness if organisations are to minimise the number of human behavioural threats.

"Clearly, continued vigilance is needed to meet and exceed the requirements and truly protect corporate data from security threats."