News Stay informed about the latest enterprise technology news and product updates.

Financial firms focus on internal threats, employee errors

Data protection, information leakage and identity and access management were a top priority for financial industry CISOs, according to a new survey.

Banks and financial firms are placing more emphasis on internal threats to cut the flow of data leakage as a result of employee mistakes or workers disgruntled with layoffs and downsizing during the economic crisis, according to a recent survey.
To get security news and tips delivered to your inbox, click here to sign up for our free newsletter.

The report, "Protecting What Matters: The Sixth Annual Global Security Survey," is based on a Deloitte survey of 250 CISOs in the financial-services industry. It found that 36% of respondents believe the internal threat represents the greatest risk to organizations, compared to 13% who said external threats are the biggest concern.

Mark Steinhoff, head of Deloitte's financial services security and privacy practices, said an organization's biggest mistake would be to let its guard down. While the number of security breaches may have declined over the last year, cybercriminals are not rationing back their efforts.

"The number of breaches that are occurring are really at the hands of insiders and organizations are understanding that there is a real threat of malicious attacks and exposure of personal information by insiders," Steinhoff said.

The failing economy may be driving the increased concern over insider threats, Steinoff said.

Assessing risk in hard times:
Risk assessments: Internal vs. external: Risk assessments are a necessary function at financial firms, but how do you know whether to conduct them internally or to use a third party?
PCI costs slow compliance projects in down economy: PCI projects at some financial-services firms face scrutiny and funding shortfalls due to economy.

Bank IT spending will grow only slightly: Risk will be the top concern for banks this year as they look to get more out of their risk management systems, research firm says.

"The climate we're in today causes concerns about disgruntled employees," he said. "We are seeing the layoffs and other forms of downsizing. Frankly with limited budget and less than satisfied employees, it really raises the parameter on that threat."

Human error is the leading cause of information systems failure, and is likely to be the main cause of security attacks in the near future, according to 86% of those surveyed. To protect against employee mistakes that lead to a breach, financial firms should focus on risk rather than compliance to protect themselves, Steinhoff said.

"[Organizations] need to look at what they want to protect and look at various types of threats internally and evaluate who has access to the data and who has access to which system, and approach it from that perspective," Steinhoff said.

Education and awareness training for internal employees is also critical for an information protection program and is often overlooked as budgets are skewed more towards process and technology, Steinhoff said.

"Education training and awareness are equally important for writing an overall effective end-to-end information security program," he said. "When you look at the majority of breaches that occur, yes there are threats but also there is human error -- people make mistakes, and education needs to be enforced and driven on a regular basis."

The CISOs surveyed indicated that data protection and information leakage, as well as identity and access management, were top priorities. Organizations have restricted the use of social networks and instant messaging due to the extra emphasis on internal threats, the survey found.

Some companies are limiting the use of social networks and instant messaging not only to protect data and prevent unwanted information distribution, but also because of the risk these tools bring to brand and reputation, Steinhoff said.

SearchSecurity radio:

"[Organizations] are concerned about the reputation risk associated with their name and employee's activities," he said. "It's a softer sort of threat or concern, but at the same time equally important."

The survey found the economy being a drag on some security initiatives. Budget constraints and lack of resources were noted as the biggest barriers for information security projects. Steinhoff said companies should consider using third-party service providers. With the new federal Red Flag rules and the Massachusetts' Personal Information Protection law, organizations need to step back and look at the most efficient and effective way to address those requirements, Steinhoff said.

"We find institutions may be duplicating efforts or spending money on various, complimentary and sometimes contradictory requirements, so being as smart as possible in addressing those aspects is very important."

Dig Deeper on Data breaches and prevention strategies

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.