
Financial firms focus on internal threats, employee errors

By Erin Kelly, Contributor
11 Feb 2009 | SearchFinancialSecurity.com


Banks and financial firms are placing more emphasis on internal threats to stem data leakage caused by employee mistakes or by workers disgruntled over layoffs and downsizing during the economic crisis, according to a recent survey.

The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern.

Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not scaling back their efforts.

"The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said.

The failing economy may be driving the increased concern over insider threats, Steinhoff said.

"The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat."

Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To guard against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance, Steinhoff said.

"[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that perspective," Steinhoff said.

Education and awareness training for internal employees is also critical for an information protection program and is often overlooked as budgets are skewed more towards process and technology, Steinhoff said.

"Education training and awareness are equally important for writing an overall effective end-to-end information security program," he said. "When you look at the majority of breaches that occur, yes there are threats but also there is human error -- people make mistakes, and education needs to be enforced and driven on a regular basis."

The CISOs surveyed indicated that data protection and information leakage, as well as identity and access management, were top priorities. Organizations have restricted the use of social networks and instant messaging due to the extra emphasis on internal threats, the survey found.

Some companies are limiting the use of social networks and instant messaging not only to protect data and prevent unwanted information distribution, but also because of the risk these tools bring to brand and reputation, Steinhoff said.

"[Organizations] are concerned about the reputation risk associated with their name and employees' activities," he said. "It's a softer sort of threat or concern, but at the same time equally important."

The survey found the economy to be a drag on some security initiatives. Budget constraints and lack of resources were noted as the biggest barriers for information security projects. Steinhoff said companies should consider using third-party service providers. With the new federal Red Flag rules and Massachusetts' Personal Information Protection law, organizations need to step back and look at the most efficient and effective way to address those requirements, Steinhoff said.

"We find institutions may be duplicating efforts or spending money on various, complementary and sometimes contradictory requirements, so being as smart as possible in addressing those aspects is very important."
