Admitted attacks on computer networks at global financial institutions more than doubled in the last year, resulting in more monetary losses. Yet a quarter of those companies say they're not spending more on new security systems.
Those are the findings in the 36-page 2004 global security survey by New York-based Deloitte Touche.
IT executives from 100 companies were interviewed for the report, and 83% acknowledged their systems have been compromised in the past year, compared to only 39% in 2002. Of those surveyed, 40% said attacks against their networks resulted in financial loss. Despite that, 25% reported flat security budget growth.
"Financial institutions, particularly security officers, are facing greater challenges than ever," said Adel Melek, partner and global leader of Deloitte's IT Risk Management & Security Services/Global Financial Services Industry. "They are fighting an ongoing battle to overcome evolving security threats and to comply with an increasingly stringent regulatory environment but, at the same time, resources have stagnated."
The survey also found companies are sliding backwards when it comes to their use of security technology. While more than 70% of respondents perceived viruses and worms as the greatest threat to their systems in the next year, those who said they've fully deployed antivirus measures dropped from 96% in 2003 to 87%.
Other key findings of the survey showed:
- While the majority of respondents (59%) indicated security is a key priority, only 10% reported that their general management perceives security as a business enabler.
- While 91% of respondents indicated they have a comprehensive IT disaster recovery plan in place, only 51% took into account personnel within their business continuity plans.
- One third (32%) of respondents felt security technologies acquired by their organizations were not being used effectively.
- Only one quarter (26%) of respondents felt their strategic and security technology initiatives were well aligned.
- Identity management and vulnerability management are the two most common technologies financial services are piloting or intend to deploy over the coming 18 months.
The survey did show some positive trends.
Among them, financial institutions showed improvement in complying with regulations, as two-thirds (67%) of respondents indicated they have a program for managing privacy compared to 56% last year. In addition, 69% felt that senior management is committed to security projects needed to address regulatory requirements.
Ted DeZabala, managing partner of Deloitte's security services group, said the survey shows that while firms aren't necessarily spending more to protect their networks, they're taking security more seriously and getting better at managing it.
"It's not that companies aren't investing enough, it's that they're investing more wisely," DeZabala said. "We really believe security is a management issue more than a technological issue. Some of the more effective solutions are things like identity management. That's an issue raised by regulators as well. Effective management can mitigate risk." The survey shows companies are subscribing to that point of view, he said.