Survey: information security lacking

While information security incidents continue to grab the attention of business executives, ownership of the underlying problems is still perceived to rest with IT, according to a new Deloitte Touche Tohmatsu survey.

Less than two thirds (63 per cent) of respondents to DTT?s 2007 Global Security Survey have an information security strategy. Only 10 per cent of this year’s respondents have their information security led by business line leaders.

These findings support an emerging security paradox: the gap between awareness of the problem and support for the solution. The survey also revealed that the greatest root cause of external breaches continues to be the human factor: An organization’s employees, customers, third parties and business partners, states a press release.

‘The contradictory findings in this year’s survey highlight the security paradox financial institutions are facing,’ says Chris Rowland, Enterprise Risk Services senior manager at Deloitte & Touche. ‘On the one hand, it is clear that respondents have identified the major security issues and the necessary actions they must take to improve security and privacy practices. On the other hand many financial institutions are falling behind when it comes to taking action.’

One of the elements most worrisome for organisations when it comes to breaches is customers.

The DTT survey found that the top three breaches (those that were repeated the greatest number of times) were viruses and worms; e-mail attacks, e.g. spam; and phishing/pharming. All of these breaches are perpetrated via the customer, e.g. customers as unwitting providers of sensitive information and conduits into financial institutions. But even though financial institutions are directly affected by these types of breaches, they are still reluctant to take responsibility for the security of their customers’ computers.

When asked whether they should be held accountable for protecting the computers of their customers who do online business with them, two thirds of respondents (66 per cent) replied that they should not.

The DTT survey reveals that a high number of repeated occurrences of breaches can be attributed to employees: both misconduct (intentional action) and errors and omissions (unintentional action). An overwhelming majority of respondents (91 per cent) are concerned about employees and cite the human factor as the root cause for information security failures (79 per cent).

But while errors and omissions on the part of employees are identified as a major security issue, almost a quarter (22 per cent) of respondents provided no employee security training over the past year and only one-third of respondents (30 per cent) say their staff is well skilled with adequate competencies to respond to security needs.

‘Despite these gaps, identifying the problem is at least half the battle and so financial institutions are definitely moving in the right direction to close these gaps,’ adds Jeremy Smith. ‘Security training and awareness, along with access and identity management of employees, clients and suppliers, and data protection are among organizations? top initiatives this year, as they fight to keep pace with the ever-changing threat landscape.’

Additional key findings of the survey:

• E-mail attacks top the list of external security breaches financial institutions experienced over the past 12 months (57 per cent).

• Two-thirds (66 per cent) of respondents do not feel they should be accountable for protecting the computer of customers who bank on-line.

• Virtually all respondents (98 per cent) indicate increased security budgets, but 35 per cent feel that their investment in information security is lagging behind business needs.

• Shifting priorities and integration problems were identified as top reasons for information security projects failure (48 per cent and 32 per cent, respectively).


The survey, conducted via face-to-face interviews and on-line questionnaires by DTT?s Global Financial Services Industry group, focused on senior information technology executives (chief security officer, chief information officer, security management team, etc.) at many of the top 100 global financial services organizations. Questions related to governance, investment in security, risk, use of security technologies, quality of operations and privacy. The respondents represented public and private organisations from all continents, divided into five regions including: Europe, the Middle East and Africa, Commonwealth of Independent States, Asia Pacific, North America, Latin America and the Caribbean. Due to the diverse focus of institutions surveyed and the qualitative format of the research, some results may not be representative of each identified region.