Survey Shows Online Security Breaches Have Doubled In The Financial Sector

A Deloitte & Touche study shows 83% of financial-services companies acknowledge an outside break-in, up from 39% the previous year.
Security attacks at major financial institutions more than doubled over a year ago, according to a survey of leading global banks, securities firms, and insurance companies.

The survey, released Thursday, is the second conducted by consulting firm Deloitte & Touche LLP. It showed that an amazing 83% of financial-services firms acknowledged that their IT systems had been compromised by attacks from the outside in the past year. In 2003, only 39% of the companies surveyed admitted to a breach.

In addition, 40% of the companies polled--which included a quarter of the world's top 100 banks, about a third of the top 100 financial-services firms, and 10% of the 100 largest insurance companies--said they had suffered financial losses due to the attacks.

"Security threats such as viruses, worms, malicious code, sabotage, and identity theft are real and have already cost millions of dollars in lost revenues to institutions globally," said Ted DeZabala, Deloitte's national managing partner for security services.

The dramatic increase in acknowledged attacks, said DeZabala, was due to a combination of factors. "There's definitely a lot more activity in terms of worms and viruses," he said. "And there's a lot more visibility into what's going on in security. What went undetected last year, or wasn't communicated up the chain of command, may have been spotted this year."

The acknowledgement of losses surprised DeZabala, who said that in the past, companies have been tight-lipped about the issue. "Security is one of those things that you really pay attention to when you lose money," he said, and theorized that firms are owning up to the problem to demonstrate how seriously they're now taking security.

But while the survey noted that attacks have doubled, it also spotted a substantial number of firms running contrary to the general rule of increased security spending. More than a quarter of the institutions said that their security budgets stayed flat over the past year, and nearly ten percent actually had their funds cut.

However, U.S.-based companies generally spend more than those in other countries, take security more seriously, and suffer fewer breaches. The reason: partly an overall heightened interest in security since 9-11, partly more stringent regulations related to security in legislation such as Sarbanes-Oxley.

Sixty-four percent of the U.S. companies polled, for instance, boosted their security budgets, the highest percentage of the five geographic areas Deloitte surveyed. And only a quarter of the financial institutions in the United States acknowledged a compromise of their IT systems, the lowest percentage reported.

But problems remain, even in the United State, and the financial industry has a long way to go to lock its IT. While banks generally lead the way in security, insurance companies are way behind.

As an example, DeZabala cited the high hopes firms once had for patch management.

"They thought that patch management was a solution which would deal with the increasing number of worms and viruses," said DeZabala. But that was overly optimistic. "It turned out that patch management was much more difficult than first believed, and now it seems that it won't solve the problem at all. Worms and viruses are coming out too fast for any patch management solution to be effective. They just don't work if worms are coming out in a matter of hours or even minutes after a vulnerability is made public."

One solution that financial firms are eager to implement is identity management, a technology that was among the top two to be deployed in the next 18 months.

"Identity management could solve a lot of control issue problems," said DeZabala, "and is something that financial institutions are picking up the pace."

Security in general, and identity management in particular, are increasingly important to financial firms as they boost their offshore outsourcing to countries such as India, said DeZabala. "Outsourcing complicates security. When institutions first contract with offshore firms, it may be only 50 or 100 people with direct access to the company's data," he said. "But if that offshore firm is purchased by another organization--which is happening in India, for example--all of a sudden, it's 30,000 people who have access. That's a big risk."

Another risk that wasn't specifically targeted by the survey--the rapid jump in phishing attacks--is also a major concern for banks, brokers, and other institutions that provide accounts and credit cards to customers. In his conversations with the companies polled, DeZabala heard that phishing is a "very large issue for most big financial service institutions. But it's a very, very difficult problem to solve, and one that doesn't lend itself to a systemic solution."