Internal attacks on IT systems are surpassing the threat from external hackers at the largest financial institutions, according to the 2005 Global Security Survey released by Deloitte Touche Tohmatsu (DTT).
The survey of senior security officers from the world's top 100 global financial institutions found that 35% had encountered attacks from inside the organisation in the last 12 months, up from 14% a year ago, compared to 26% from external sources, which is up from 23% in 2004.
DTT says the rise of phishing and pharming attacks positions bank customers as the weakest link in the security chain, rather than technology per se.
This is due in part to blanket use of security technology to protect against direct external threats to internal IT, says DTT. According to the research, 98% of firms use anti-virus technology, compared to 84% last year. Over three quarters (79%) of respondents said their firms had virtual private networks, while 76% have content filtering and monitoring technology in place, compared to 60% in 2004.
Ted DeZabala, a principal in the security services group of Deloitte & Touche, says firms should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management, but that these solutions should be "augmented by security training and awareness if organisations are to minimise the number of human behavioural threats".
But security training and awareness have yet to top the agenda of chief information security officers. Although almost half of respondents (48%) cited the lack of employee awareness as one of their top security challenges, only 46% of respondents have security training and awareness initiatives scheduled for the next 12 months. Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74%) and reporting and measurement (61%).
Furthermore, firms' future investment plans in security show that most of the budget is assigned to technology (64%), compared to only 15% for employee awareness and training.