
Compliance News
Deloitte Says Financial Crisis May Lead to Security Crisis for Banks
A survey by Deloitte shows that for many of the world's banks, security investments are declining, creating greater vulnerability to data breaches.
By Maria Bruno-Britz
Bank Systems & Technology
February 05, 2009
Problems with liquidity and customer retention aren't the only challenges that banks will face in 2009. A report from Deloitte Touche Tohmatsu, "Protecting What Matters: 6th Annual Global Security Survey," says that the pressures brought on by the financial crisis are actually increasing banks' vulnerabilities to data breaches.
According to the firm, tighter budgets, a greater concern over internal security breaches due to lower employee morale and complacency after a decrease in overall attacks over the past year may expose global financial institutions to an increased risk of data breaches in 2009.
Security breaches should not take a back seat as banks face the challenges of the coming year, said Mark Steinhoff, leader of Deloitte's financial services security and privacy group and a contributor to the report, in a release. "As the current crisis continues to deepen, financial institutions may look to save money by cutting IT budgets and reducing spending on security infrastructure," he explained. "Consumer trust is already waning. As such, it is important for financial institutions to be vigilant in protecting their data and implementing checks and balances to reduce the risk."
The global security study is designed to help FIs see how their information security practices compare with their counterparts. Participants consisted of a mix of top 100 global financial institutions, top 100 global banks and top 50 insurance companies from 32 countries.
Key findings in the study include:
A decrease in security budgets due to cost containment versus 2008, when many firms reported a 1 percent to 5 percent increase.
More than half of respondents (56 percent) say budgetary constraints and/or lack of resources are the leading barriers to ensuring information security.
There was a noticeable decline in the percentage of organizations that reported having a program in place to manage security compliance (77 percent in 2007 versus only 48 percent in 2008). This decline could be due to overconfidence by management that security initiatives are sufficient and don't warrant further investment.
Another of the findings says to expect the majority of breaches in 2009 to be the result of human error or malicious employees. The majority of respondents (86 percent) confirm that human error is the leading cause of information systems failure. People can be a bank's weakest link, especially in such times when job security is questionable and stress is high.
Related to this concern over employee misconduct are findings that, although both internal and external security breaches at financial institutions worldwide fell over the past 12 months, employee misconduct is a growing issue for these organizations. Thirty-six percent of respondents expressed concern about insiders' misconduct, compared to only 13 percent who are concerned about external threats. Furthermore, six in 10 (58 percent) of survey participants are concerned about their ability to protect their organization from internal cyber-attacks.
Other findings include:
Phishing/pharming are a continuous concern and are ranked as the leading type of external breach experienced by respondents (22 percent).
The growing popularity of social networks and the proliferation of mobile media such as remote devices and Web 2.0 applications are causing an extra load on internal and external security. More than half of financial institutions surveyed now restrict the use of social networks and instant messaging (53 percent and 58 percent, respectively).
Respondents' top three information security priorities are security regulatory compliance and, tied for second place, access and identity management, and data protection and information leakage.
The leading drivers for respondents to protect the privacy of their clients are regulatory privacy requirements (79 percent) and reputation and brand concerns (70 percent).
"While changes in new regulations might demand new investments, how you keep your infrastructure and technologies safe is something all institutions should be focused on in 2009. This will be a challenging year, no matter how you slice it," said Steinhoff.
**********************************************************************************************************************************************************************************************************************************************
Cost of data breaches on the rise.....
The cost of data breaches is on the rise, and businesses that experience them are losing customers as a result, according to a new study issued today. In an update to its popular annual "U.S. Cost of a Data Breach Study", Ponemon Institute and PGP have published a new report that indicates many of the cost factors surrounding security incidents have risen in the past 12 months.
"After four years of conducting this study, one thing remains constant: U.S. businesses continue to pay dearly for having a data breach," says Larry Ponemon, chairman and founder of The Ponemon Institute. "As costs only continue to rise, companies must remain on guard or face losing valuable customers in this unpredictable economy."
The average cost of a data breach in 2008 grew to $202 per record compromised, an increase of 2.5 percent since 2007 ($197 per record) and 11 percent compared to 2006 ($182 per record), according to the study. The average total cost per reporting company was more than $6.6 million per breach -- up from $6.3 million in 2007 and $4.7 million in 2006 -- and ranged from $613,000 to almost $32 million.
Tim Wilson
DarkReading
Feb 02, 2009
**************************************************************************************************************************************
E-mail: privacy@digitalcomply.com