Professional Hackers Target World Finance

Media release
19 July 2006

Professional Hackers and Organised Crime Target World’s Largest Financial Institutions

The world’s largest financial institutions experienced a surge in the number of security attacks over the past year, specifically from external sources. More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization and almost half (49%, up from 35% in 2005) experienced at least one internal breach. These findings are drawn from the 2006 Deloitte Global Security Survey.

The fourth annual survey consisted of interviews with senior security officers from the world’s top global financial institutions and acts as a global benchmark for the state of IT security and privacy in the financial services sector.

Among the top three most common attacks the global financial industries experienced over the past 12 months, both externally and internally, were originated to extort some form of monetary gain. Phishing and pharming were attributed for more than half (51%) of external attacks, followed by spyware/malware utilization (48%). Insider fraud (28%) and leakage of customer data (18%) were cited by respondents among the top three most common internal breaches.

“The extent and nature of these security breaches signal a new reality for the global financial industry. Execution and exploitation of these attacks require significant resources and coordination, which implies professional hackers and organised crime have entered the domain once ruled by ‘script kiddies’ and one-off hackers,” says Rodger Murphy Deloitte’s New Zealand leader of IT Risk Management & Security Services.

“This trend shift means organisations not only face more sophisticated and hard to track attacks, but are also challenged by increased risk and potential loss. Financial institutions should take these factors into account in their overall security strategy.”

The shift to a more sinister criminal profile of online attackers and the potential risk they represent did not go unnoticed by the financial services sector, with evidence that they have started taking steps to fend-off these threats. This year, identity theft and account fraud (58%), along with identity & access management (41%), made their way into the top five security initiatives for 2006. Another indication of the financial industry’s fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49%) among the top five security initiatives. The importance of a business continuity plan, following the recent string of natural disasters around the globe, is reflected by the impressive proportion of organisations 88% that confirmed having an enterprise-wide business continuity management program in place.

“Deloitte’s survey shows that financial institutions are attentive to the fast-paced and changing security environment. They are shifting priorities and starting to take necessary measures to mitigate the various security risks and challenges,” adds Rodger Murphy.

“While it is only natural to shift focus to the most imminent, emerging threats, organisations should avoid being blindsided and must strive to maintain a balanced, more holistic approach to their security operations and initiatives.”

Interestingly, security awareness and training is one of the initiatives that dropped off the top five list from the previous survey. While 96% of respondents were concerned about employee misconduct involving IT systems, only a third (34%) have provided their staff with some form of information security and privacy training over the past year. The most common medium financial institutions use for security training and awareness are web page alerts and emails (63%). Other, perhaps more effective methods, such as orientation training (35%) and recognition of exemplary behaviour (9%), ranked low in utilization.

Additional key findings of the survey:

- 95% of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76% of respondents).
- Almost three-quarters (72%) of financial institutions who experienced security breaches indicated the estimated amount of damage for the organisation, including direct and indirect costs, was in the range of $1 million (U.S.).
- This year, 71% of respondents indicate that they have a defined information security governance structure (e.g. defined responsibilities, policies and procedures) while 24% are in the process of establishing one.
- The number of financial institutions who have formulated an information security strategy has declined to 61% while another 21% indicate that they are in the process of formulating or refreshing one for their organisation.
- Two-thirds (65%) of respondents confirmed having a program to manage privacy, down by 3% from last year.

Regional Highlights

Asia Pacific excluding Japan (APAC): APAC was among the leading regions in the implementation of enterprise-wide business continuity management programs and managing privacy compliance (92% and 85%, respectively), likely as a result of the recent natural disasters that have struck the region. However, in other areas of information security, such as appointing a CISO (23%) and possessing a security strategy (33%), the region is lagging behind the rest of the world. Furthermore, all respondents from the APAC region confirm encountering at least one information security breach over the past year.

ENDS