Internal attacks increasing

Internal information security attacks are out-growing external attacks at the world’s largest financial institutions, according to the 2005 Global Security Survey released by the Deloitte Touche Tohmatsu.

Thirty five percent of respondents confirmed encountering attacks from inside their organisation within the last 12 months (up from 14 per cent in 2004) compared to 26 percent from external sources (up from 23 per cent in 2004).

The third annual Global Security Survey acts as global benchmark for DTT and its member firms for the state of I.T. security in the financial sector and consisted of interviews with senior security officers from the world’s top 100 global financial institutions.

Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) were two new additions to the top security threats financial institutions faced in the past year, highlighting the human factor as a new weakness in the security chain.

The trend shift from external to internal attacks and tactics, which exploit human behaviour vs. technological loopholes can be explained by the improved utilisation of I.T. security technologies, mainly by the increased use of anti-virus solutions (98 per cent vs. 87 per cent in 2004), Virtual Private Networks (79 per cent vs. 75 per cent) and content filtering and monitoring (76 per cent vs. 60 per cent in 2004).

‘Financial institutions have made great progress in deploying technological solutions to protect themselves from direct external threats, however the rise and increased sophistication of attacks, which target customers and internal attacks, indicate that there is a new threat that has to be addressed,’ says Jeremy Smith, Senior Manager, Enterprise Risk Services, Deloitte Cayman. ‘Strong customer’s authentication, training and increased awareness can play a significant role in narrowing this gap.’


However, as survey results show, security training and awareness has yet to top the agenda of Chief Information Security Officers, as less than half (46 per cent) of respondents have training and awareness initiatives scheduled for the next 12 months.

Training and awareness was at the bottom of the security initiatives list, far behind regulatory compliance (74 per cent) and reporting and measurement (61 per cent).

These findings also align with financial institutions’ future investment plans in security, with the most money targeted for security tools (64 per cent) compared to only 15 per cent for employees awareness and training. There are very few financial institutions that have any plans for customer’s security awareness.

‘In an attempt to minimise the human risk factor, financial institutions have been focusing on enterprise-wide solutions.’ said Derek Mendez, Senior Manager, Enterprise Risk Services, Deloitte Cayman. ‘With threats such as identity theft, phishing and pharming on the rise, organisations should be implementing identity management solutions, encompassing access, vulnerability, patch and security event management. These solutions should be augmented by security training and awareness if organisations are to minimise the number of human behavioural threats.’


The survey, conducted through face-to-face interviews and on-line questionnaires by the Financial Services Industry practices of DTT’s member firms, focused on senior information technology executives (Chief Security Officer, Chief Information Officer, Security Management Team etc.) of many of the top 100 global financial services organizations.

Questions related to governance, investment, value, risk, use of security technologies, quality of operations, and privacy.

The respondents represented public and private companies from all regions of the world including: Americas, Europe/Middle East/Africa, Asia/Pacific the Caribbean and Latin America.

For further information, or to view the survey in its entirety visit our website at

Operating in the Cayman Islands since 1973, Deloitte is a member firm of Deloitte Touche Tohmatsu. With 7 Partners and 150 professional and support staff, the Cayman Islands practice delivers services in four professional areas: audit, tax, consulting, and financial advisory services.