Beware the enemy within

22 Jun 2005

Despite the fact that internal computer security attacks are outpacing external threats at the world’s largest financial institutions, security training and awareness are being neglected by many companies, a new report shows.

The 2005 Global Security Survey released today by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu (DTT) suggests the trend is being driven by the ongoing improvements in IT security infrastructure that are making it more difficult to penetrate corporate networks. Some 35pc of respondents confirmed encountering attacks from inside their organisation within the past 12 months (up from 14pc in 2004) compared to 26pc from external sources (up from 23pc in 2004).

The third annual Global Security Survey ( consists of interviews with senior security officers from the world’s top 100 global financial institutions.

Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) were two new additions to the top security threats financial institutions faced in the past year, highlighting the human factor as a new weakness in the security chain. The trend shift from external to internal attacks and tactics which exploit human behaviour (often referred to as ‘social engineering’ in security circles) versus technological loopholes, can be explained by the improved usage of IT security technologies, mainly by the increased use of antivirus solutions (98pc as against 87pc in 2004), virtual private networks (79pc versus 75pc) and content filtering and monitoring (76pc versus 60pc in 2004).

“Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks that target customers and internal attacks, indicate that there is a new threat that has to be addressed,” said Gerry Fitzpatrick, enterprise risk services partner at Deloitte in Dublin. “Strong customer authentication, training and increased awareness can play a significant role in narrowing this gap.”

However, the survey also shows security training and awareness has yet to top the agenda of chief information security officers, under half (46pc) of whom have training and awareness initiatives scheduled for the next 12 months. In fact training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74pc) and reporting and measurement (61pc). These findings also tally with financial institutions’ future investment plans in security, with the most money targeted for security tools (64pc) compared to only 15pc for employees’ awareness and training. There are very few financial institutions that have any plans for customer’s security awareness.

“In an attempt to minimise the human risk factor, financial institutions have been focusing on enterprise-wide solutions,” commented Gerry Fitzpatrick. “With threats such as identity theft, phishing and pharming on the rise, organisations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management. These solutions should be augmented by security training and awareness if organisations are to minimise the number of human behavioural threats.”

Commenting on the findings, Mary Fulton, financial services partner at Deloitte in Dublin, expressed concern “at the findings that only 36pc of respondents in EMEA said their employees have attended security awareness training programmes in the past 12 months, the lowest percentage across the globe”.

By Brian Skelly