Survey Finds Higher Risk Of Data Breaches

Financial events, human factors and recent technology trends may expose global financial institutions, including insurers, to an increased risk of data breaches, according to a survey of international financial institutions' information security efforts.

Deloitte Touche Tohmatsu's sixth annual survey cited “tighter budgets, a greater concern over internal security breaches due to lower employee morale, and complacency after a decrease in overall attacks over the past year” as the reasons for the elevated risk.

“As the current crisis continues to deepen, financial institutions may look to save money by cutting IT budgets and reducing spending on security infrastructure,” said Mark Steinhoff, the leader of New York-based Deloitte's financial services security and privacy group and a contributor to the report.

He added that with consumer trust already waning, “it is important for financial institutions to be vigilant in protecting their data and implementing checks and balances to reduce the risk and potentially catastrophic consequences of security failures.”

With so many challenges confronting the industry this year, he noted that combating security breaches “should not fall by the wayside.”

While the survey found that 60 percent of respondents said their information security budgets increased in 2008–mostly in the range of 1-to-5 percent–Mr. Steinhoff said he expects 2009 budgets to be down, given cost containment efforts.

More than half the respondents (56 percent) said budgetary constraints and/or lack of resources were the leading barriers to ensuring information security. Lack of resources was identified by a third of respondents as the leading cause of failure of information security projects, Deloitte said.

“Security attacks that exploit human error and breaches caused by distracted or disgruntled employees may be the root cause of information security failures in coming months,” the researcher added.

He said the majority of respondents (86 percent) confirm that human error is the leading cause of information systems failure.

This finding recognizes that, while people are an organization's greatest asset, “they are also its weakest link, particularly in hard economic times when job insecurity and increased stress levels may lead employees to behave in atypical ways,” he noted.

According to Deloitte, while both internal and external security breaches at financial institutions worldwide have fallen over the past 12 months, employee misconduct is a growing concern. More than a third (36 percent) of respondents expressed concern about insiders' misconduct, compared to only 13 percent who are concerned about external threats. In addition, 58 percent of survey participants were concerned about their ability to protect their organization from internal cyber-attacks.

“The challenge for IT security has always been innovation,” Mr. Steinhoff said, “both in updating the core IT system for the next must-have electronic device and defending against the sophistication of criminals targeting financial institutions.”

While changes in new regulations might demand new investments, “how you keep your infrastructure and technologies safe is something all institutions should be focused on in 2009,” he said. “This will be a challenging year, no matter how you slice it.”

The Deloitte Touche Tohmatsu survey is based on interviews with senior security officers from the world's top global financial institutions, the researcher noted. The respondents represented public and private organizations from 32 countries.