Internal hackers pose the greatest threat to the IT systems of the world's
largest financial institutions, according to the 2005 Global Security Survey
released today by the financial services industry practices of Deloitte Touche
Tohmatsu.
Over a third of respondents admitted to having fallen victim to internal hack
attacks during the past 12 months (up from 14 per cent in 2004) compared to 26
per cent from external sources (up from 23 per cent in 2004).
Instances of phishing and
pharming, in which hackers lure people into disclosing
sensitive information using bogus emails and websites, rocketed during the past
year, underscoring the human factor as "a new and growing weakness in the
security chain".
The study noted that the shift in tactics to exploit humans, rather than
technological loopholes, is explained by the improved use
of IT security systems.
This includes the increased deployment of antivirus
systems (98 per cent compared with 87 per cent in 2004),
virtual private networks (79 per cent compared with 75
per cent) and content filtering and monitoring (76 per cent compared with 60 per
cent).
"Financial institutions have made great progress in deploying technological
solutions to protect themselves from direct external threats," said Adel Melek,
a partner in the Canadian member firm of Deloitte Touche Tohmatsu.
"But the rise and increased sophistication of attacks
that target customers, and internal attacks, indicate that there are new threats
that have to be addressed.
"Strong customer authentication, training and increased awareness can play a
significant role in narrowing this gap."
However, the survey results show that security training and awareness have
yet to top the agenda of chief information security officers, as less than half
of respondents have training and awareness initiatives scheduled for the next 12
months.
Training and awareness was at the bottom of the security initiatives list,
far behind regulatory compliance (74 per cent) and
reporting and measurement (61 per cent).
The findings aligned with financial institutions' future investment plans in
security, with 64 per cent of money set aside for security tools, compared with
only 15 per cent for employee awareness and training.
Ted DeZabala, a principal in the security services group at Deloitte &
Touche LLP, said: "With threats such as identity theft,
phishing and pharming on the rise, organisations should be implementing identity
management solutions encompassing access, vulnerability, patch and security
event management.
"These solutions should be augmented by security training and awareness if
organisations are to minimise the number of human behavioural threats.
"Clearly, continued vigilance is needed to meet and exceed the requirements
and truly protect corporate data from security threats."