Security trends

The 2007 Global Security Survey conducted by Deloitte shows some interesting and surprising trends in information security practices within the region.

Chris Rowland

The survey reveals the security paradox – a situation in which business executives are becoming more aware of information security issues, but the support for a solution remains with the organisation’s IT department.

The survey reveals that only 63 per cent of all respondents have an information security strategy, and only 10 per cent have their information security directed by a business line leader.

In the Caribbean and Latin American region, where participants represented 23 per cent of the pool of respondents (the second highest after EMEA), fewer security breaches were reported in the last 12 months than the reported global average. The level of repeated internal and external attacks in the region indicates a drop from the survey results of the previous year, at 23 per cent and 63 per cent respectively.

Regional respondents to the survey also believe that information security has risen to the C-suite or board level as a critical area of business (88 per cent) and feel that organisations in the region presently have both the required skills and competencies to respond to security requirements; a response that is the second highest of all regions surveyed. A large majority (89 per cent) believe that government-driven security regulations ‘are effective in improving security posture in their industry’ and 64 per cent indicate organisations ‘having both the commitment and funding to address regulatory requirements.’

The region is second only to the USA for including security as a component of the appraisal of IT security employees.

However, despite the lower number of reported security breaches and other improvements over the previous year’s survey results, participants in the region lag behind in other categories surveyed. Organisations in the Caribbean and Latin America reported the lowest number of executives responsible for privacy or programs for managing privacy compliance. This finding is surprising considering that there is a complex range of standards which must be achieved, both in terms of regulatory requirements and those relating to customer and employee expectations. Furthermore, the region reported the fewest organisations whose employees have received at least one training and awareness session relating to information security and privacy in the last 12 months.

A robust enterprise-wide awareness and training program is paramount to ensuring that employees understand their IT security responsibilities, organisational policies, and how to properly use and protect the IT resources entrusted to them.

A common finding in the survey with regard to security breaches is that people remain the weakest link. Employees, customers, third parties and business partners are all privy to an organisation’s information to varying degrees. As a result, each individual represents a potential risk to the organisation’s IT security. In 2007, 65 per cent of respondents reported repeated external breaches. The top three breaches (those that were repeated the greatest number of times) were viruses and worms; e-mail attacks (e.g. spam); and phishing and pharming, all of which are perpetrated via the customer. For example, a customer receives an electronic, official-looking request on what appears to be their bank’s letterhead, requesting sensitive information (e.g. account information, passwords, etc.). By e-mailing back that information, the customer has effectively granted the requesting party access to their personal financial data and potentially access to IT systems at the financial institution.

Every year, this survey demonstrates the progress that has been made in security over the previous 12 months. While the threats are not diminishing but are in many cases ‘reinventing’ themselves, the statistics represent major progress in the industry, progress which in the main is the result of proactive – rather than reactive – measures.

Chris Rowland is a senior manager at Deloitte in the Cayman Islands. He is an experienced IT security professional and is a member of the International Association of Computer Investigative Specialists. Chris is the holder of the IACIS Certified Forensic Computer Examiner qualification and a Certified Fraud Examiner.

About the survey

The 2007 Deloitte Global Security Survey for Financial Institutions reports on the outcome of focused discussions between Deloitte member firms’ Security and Privacy professionals and Information Technology executives of top global FSIs.