Deloitte Says Financial Crisis May Lead to Security Crisis for Banks

Problems with liquidity and customer retention aren't the only challenges that banks will face in 2009. A report from Deloitte Touche Tohmatsu, "Protecting What Matters: 6th Annual Global Security Survey," says that the pressures brought on by the financial crisis are actually increasing banks' vulnerabilities to data breaches.

According to the firm, tighter budgets, greater concern over internal security breaches due to lower employee morale, and complacency after a decrease in overall attacks over the past year may expose global financial institutions to an increased risk of data breaches in 2009.

Security breaches should not take a back seat as banks face the challenges of the coming year, said Mark Steinhoff, leader of Deloitte's financial services security and privacy group and a contributor to the report, in a release. "As the current crisis continues to deepen, financial institutions may look to save money by cutting IT budgets and reducing spending on security infrastructure," he explained. "Consumer trust is already waning. As such, it is important for financial institutions to be vigilant in protecting their data and implementing checks and balances to reduce the risk."

The global security study is designed to help financial institutions (FIs) see how their information security practices compare with those of their counterparts. Participants consisted of a mix of top 100 global financial institutions, top 100 global banks and top 50 insurance companies from 32 countries.

Key findings in the study include:

A decrease in security budgets due to cost containment versus 2008, when many firms reported a 1 percent to 5 percent increase. More than half of respondents (56 percent) say budgetary constraints and/or lack of resources are the leading barriers to ensuring information security. There was a noticeable decline in the percentage of organizations that reported having a program in place to manage security compliance (77 percent in 2007 versus only 48 percent in 2008). This decline could be due to overconfidence by management that security initiatives are sufficient and don't warrant further investment.

Another of the findings says to expect the majority of breaches in 2009 to be the result of human error or malicious employees. The majority of respondents (86 percent) confirm that human error is the leading cause of information systems failure. People can be a bank's weakest link, especially in such times when job security is questionable and stress is high.

Related to this concern over employee misconduct are findings that, although both internal and external security breaches at financial institutions worldwide fell over the past 12 months, employee misconduct is a growing issue for these organizations. Thirty-six percent of respondents expressed concern about insiders' misconduct, compared to only 13 percent who are concerned about external threats. Furthermore, six in 10 (58 percent) of survey participants are concerned about their ability to protect their organization from internal cyber-attacks.

Other findings include:

Phishing/pharming are a continuous concern and are ranked as the leading type of external breach experienced by respondents (22 percent).

The growing popularity of social networks and the proliferation of mobile media such as remote devices and Web 2.0 applications are causing an extra load on internal and external security. More than half of financial institutions surveyed now restrict the use of social networks and instant messaging (53 percent and 58 percent, respectively).

Respondents' top three information security priorities are security regulatory compliance in first place and, tied for second place, access and identity management and data protection/information leakage.

The leading drivers for respondents to protect the privacy of their clients are regulatory privacy requirements (79 percent) and reputation and brand concerns (70 percent).

"While changes in new regulations might demand new investments, how you keep your infrastructure and technologies safe is something all institutions should be focused on in 2009. This will be a challenging year, no matter how you slice it," said Steinhoff.
