Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey.
The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern.
Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not scaling back their efforts.
"The number of breaches that are occurring is really at the hands of insiders, and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said.
The failing economy may be driving the increased concern over insider threats, Steinhoff said.
"The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat."
Human error is the leading cause of information systems failure and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To guard against employee mistakes that lead to a breach, financial firms should focus on risk rather than on compliance, Steinhoff said.
"[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that perspective," Steinhoff said.
Education and awareness training for internal employees is also critical for an information protection program and is often overlooked as budgets are skewed more towards process and technology, Steinhoff said.
"Education, training and awareness are equally important for writing an overall effective end-to-end information security program," he said. "When you look at the majority of breaches that occur, yes, there are threats, but also there is human error -- people make mistakes, and education needs to be enforced and driven on a regular basis."
The CISOs surveyed indicated that data protection and information leakage, as well as identity and access management, were top priorities. Organizations have restricted the use of social networks and instant messaging due to the extra emphasis on internal threats, the survey found.
Some companies are limiting the use of social networks and instant messaging not only to protect data and prevent unwanted information distribution, but also because of the risk these tools bring to brand and reputation, Steinhoff said.
"[Organizations] are concerned about the reputation risk associated with their name and employees' activities," he said. "It's a softer sort of threat or concern, but at the same time equally important."
The survey found the economy to be a drag on some security initiatives. Budget constraints and lack of resources were noted as the biggest barriers to information security projects. Steinhoff said companies should consider using third-party service providers. With the new federal Red Flag rules and the Massachusetts Personal Information Protection law, organizations need to step back and look at the most efficient and effective way to address those requirements, Steinhoff said.
"We find institutions may be duplicating efforts or spending money on various, complementary and sometimes contradictory requirements, so being as smart as possible in addressing those aspects is very important."