Bank security breaches mostly internal, say experts

Information security breaches at financial institutions, such as banks, are more often than not caused by an internal hacker or staff error, according to security industry experts.

A recent white paper from research firm IDC revealed that 90 per cent of breaches in security originate from within the company. The main sources for such breaches are spiteful employees, the survey showed.

According to a survey conducted last year by the Audit Commission, computer fraud and abuse is as likely to be carried out by a company director as an outside hacker. The survey found that 25 per cent of reported incidents of abuse are traced back to company managers in the public and private sectors.

Neil Barrett, technical director for Information Risk Management agreed: "Although there is a growing number of external hackers, over half of these types of cases are internal."

In addition, an earlier survey from Ernst & Young revealed that 32 per cent of firms reported data losses through malicious acts of insiders.

Paul Cronin, head of penetration testing at network security specialist Centurycom, said that banks are fully aware of the risks posed from external sources and have installed intrusion detection systems for the Internet.

"However, what they forget is the threats from internal sources - disgruntled employees etc - and this is where 80 per cent of security breaches come from," he said. "Most banks continue to assume that attacks always come from the outside. All banks are equally at risk if they continue to ignore the threats that their own staff pose for the security of sensitive information."

The Royal Bank of Scotland is the latest to be connected with an information security breach after confidential Conservative party bank account information found its way into the newspapers.

The police have been called in to help investigate the information leak and are investigating whether hacking, or some other security breach is responsible.

A spokesman for the bank vigorously denied any suggestions that the breach could have been made by an employee.