Leading financial institutions experienced a huge surge in the number of security attacks over the past year, specifically from external sources, according to the Deloitte 2006 Global Security Survey released today.
Deloitte Security partner Julie Priest said more than three-quarters (78 percent, up from 26 percent in 2005) of the world's leading 150 institutions surveyed confirmed a security breach from outside the organization.
"Almost half (49 percent, up from 35 percent in 2005) experienced at least one internal breach - confirming last year's survey findings that internal breaches are an increasing threat," she said.
The fourth annual survey found that the top three most common attacks the global financial industry experienced over the past 12 months, both externally and internally, were aimed at extorting some form of monetary gain.
"Phishing and pharming accounted for more than half (51 percent) of the external attacks, followed by spyware or malware utilization (48 percent).
"Insider fraud (28 percent) and leakage of customer data (18 percent) were cited by respondents as among the top three most common internal breaches."
Priest said the extent and nature of these security breaches signal a new reality for the global financial industry.
"Execution and exploitation of these attacks require significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by 'script kiddies' and one-off hackers.
"This shift in trend means organizations not only face more sophisticated and hard-to-track attacks, but are also challenged by increased risk and potential losses. Financial institutions should take these factors into account in their overall security strategy."
"However, the shift to a more sinister criminal profile of online attackers and the potential risk they represent did not go unnoticed by the financial services sector, with evidence that financial institutions have started taking steps to fend off these threats."
Deloitte partner and security specialist George Stathos said that this year identity theft and account fraud (58 percent), along with identity and access management (41 percent), made their way into the top five security initiatives for 2006.
"Another indication of the financial industry's fast response to current events and emerging threats was the presence of disaster recovery and business continuity (49 percent) among the top five security initiatives," Stathos said.
"The importance of a business continuity plan, following the recent string of natural disasters around the globe, is shown by 88 percent of organizations confirming that they have put in place an enterprise-wide business continuity management program."
Priest added that Deloitte's survey shows that financial institutions are attentive to the fast-paced and changing security environment.
"They are shifting priorities and starting to take necessary measures to mitigate the various security risks and challenges. However, while it is only natural to shift focus to the most imminent, emerging threats, organizations should avoid being blindsided and must strive to maintain a balanced, more holistic approach to their security operations and initiatives," she said.
Interestingly, security awareness and training dropped out of the top five initiatives this year. While 96 percent of respondents were concerned about employee misconduct involving IT systems, only a third (34 percent) have provided their staff with some form of information security and privacy training over the past 12 months. The most common mediums that financial institutions use for security training and awareness are Web page alerts and e-mails (63 percent). Other, perhaps more effective, methods such as orientation training (35 percent) and recognition of exemplary behaviour (9 percent) ranked low in use.