Financial Firms Experience More External IT Security Attacks

For the study, released Tuesday, Deloitte & Touche's Global Financial Services Industry and Enterprise Risk Services practices interviewed senior IT executives at 78 of the top 500 global financial institutions. Thirty-nine percent of the respondents said their company experienced a security breach in the past year, and executives said only 10 percent of the attacks originated internally. That finding contradicts a popular belief that most cybercrime arises from within an organization, according to Deloitte & Touche.

Only 5 percent of the executives polled--who included CIOs, chief security officers and IT directors--said they were "extremely confident" about how well their company's systems are protected from internal attacks. Yet 43 percent said they felt "very confident" that backups would work or are being stored off-site safely.

Despite the sluggish global economy, financial institutions have woven together a variety of IT security technologies and practices, maintained or raised security budgets, and ramped up IT security staffing, the study found. About 80 percent of respondents said they have a formal IT security strategy in place. In addition, security typically accounts for 6 percent to 8 percent of a company's overall IT budget, and more than two-thirds of executives said management deems IT security a "necessary cost of doing business" instead of a discretionary expense.

Sixty-one percent of respondents said their company has a chief security officer or a chief information security officer. But chief security officers noted that there's room for improvement in establishing privacy standards and reinforcing defenses against all external threats, Deloitte & Touche said. Just 40 percent of executives surveyed said their institution has a chief privacy officer, and only 6 percent said they plan to appoint one in the next two years.

"This study, while demonstrating the progress of the financial services industry, also reveals how vulnerable even the most secure organizations are and how much work still needs to be done," Adel Melek, partner and global leader for Deloitte & Touche's Information Security & Privacy Services unit covering enterprise risk and global financial services, said in a statement.

And channel players have capitalized on those needs. Across financial services and other industries, solution providers have beefed up companies' technological safeguards by implementing antivirus, firewall/VPN, intrusion detection, integrated security suites and appliances, PKI, smart card, antispam and secure wireless solutions. Many also have offered vulnerability assessment and security management services to help bolster customers' security/privacy policies and practices as well as their technical defenses.

"At the same time, there still seems to be a lack of clarity on the impact of multiple governance initiatives on information security and the role it will play in compliance," Ted DeZabala, principal and U.S. regional leader for Deloitte & Touche's Information Security & Privacy Services unit covering enterprise risk and global financial services, said in a statement. "Obviously, many still feel vulnerable to external and internal threats."