Banks increase information security budgets as threats evolve

Despite the global economic downturn over the last two years, most financial institutions increased their information security budget in 2010 as they faced up to new, often internal, threats, according to a global survey from Deloitte.

The poll of over 350 information and technology risk staff shows 56% received a budget increase for this year, although the figures reveal massive geographical discrepancies, with 75% of respondents in Canada getting more money, compared to just 16% in Japan. Only 36% say that a lack of significant budget is a major barrier at their organisation, down from 56% last year.

Meanwhile, with a spate of recent high-profile code thefts at firms such as Goldman Sachs and Societe Generale hitting the headlines, identity and access management is cited by survey respondents as the industry's top security initiative for 2010.

Among 19 different types of initiatives, 44% list this as number one; it is a significantly higher priority, at 63%, for larger organisations with more than 10,000 employees.

The survey also shows that just 34% of respondents are "very confident" in their ability to thwart internal data breaches, compared to 56% for external threats.

For most respondents the biggest internal threats are the result of human failings - carelessness, laziness, forgetfulness - rather than deliberate, malicious actions. A total of 42% rate the threat from non-intentional loss of sensitive data as high, compared to 33% who think the danger is as great from employee abuse of IT systems and information and 15% who are concerned about insider and rogue trading.

External threats are still a concern, with 42% rating the increased sophistication and proliferation of threats as of high concern. Phishing and pharming is rated as a high-level threat by 35%, with 33% expressing the same level of worry about external financial fraud involving information systems.

Respondents are not only concerned about security threats but also the related increased regulatory pressure, with compliance included as one of their top five initiatives. Many are hiring more internal auditors to resolve internal and external audit findings in preparation for new rules.

This combination of new threats and greater regulatory pressure appears to be spurring financial institutions to become increasingly bold in their attitudes to emerging technologies. For the first time in the history of the survey, the greatest number of respondents (40%) call themselves "early majority adopters" when it comes to security technology.

Early majority adopters are not willing to take the same risks as innovators (just six per cent of respondents) or early adopters (20%) but are ahead of the late majority mainstream (31%).

Deloitte says this shift indicates a major breakthrough in the thinking of firms as they move from reactive to proactive. "Given the risk landscape and the increasing sophistication of threats, organisations are no longer content to adopt only when the mainstream does," says the report.

More than 70% of respondents are planning to implement at least one new information security-related technology in the next 12 months. In addition to encryption, data loss prevention will be the most piloted technology in the next 12 months. Other technologies set for pilots include enterprise single sign on, file encryption for mobile devices, e-mail encryption and network access control.

"Organisations are starting to recognise the importance of the information security function to business. The increasing sophistication of faceless threats, the change in the threat agents and players, and the decreasing level of competence required to pose a threat due to the availability of fraud tools on the Internet are all factors that have caused financial services organisations to evolve their security practices in many areas. The security environment is undergoing a metamorphosis," says Deloitte's Adel Melek.
