The "human factor" — employees, customers, third parties and business partners — is the "greatest root cause of security breaches," according to a Deloitte survey. The survey revealed that 65 per cent of respondents have experienced repeated external security breaches in the past year. The top three causes of breaches at financial institutions are viruses and worms, email attacks, and phishing and pharming.
The reported breaches were caused by the firms' customers, who unwittingly provided sensitive information to others, creating conduits into the financial institutions' systems.
The survey also revealed that less than two-thirds of respondents have an information security strategy, and only 10 per cent of the respondents' strategies are headed by line-of-business leaders. The results support what Deloitte calls "an emerging security paradox" — the gap between awareness of security problems and actual support for providing solutions.
"A key challenge lies in the development and integration of a security strategy across the business," Deloitte's analysts said in the survey.
Nearly all of the surveyed CSOs and CIOs said they have increased their security budgets in the past 12 months, according to the report. Yet 35 per cent said that their investment lags behind business needs, and only 20 per cent of US respondents said their staff have the required skills and competencies to deal with ongoing security threats.
The primary reasons that security projects fail are "shifting priorities" (48 per cent) and "integration problems" (32 per cent), according to the survey.
High-profile cases of data loss have focused "intense attention" on data protection during the past 18 months, according to Mark Steinhoff, principal with Deloitte's financial services industry security and privacy practice.
"It is clear that financial institutions have identified the major security issues and the necessary actions they must take to improve security and privacy practices," he said. "But many are falling behind when it comes to taking action. This is not only a security or technology issue, but requires the integration of security governance, compliance and solutions across the enterprise."
In addition to customer-created breaches, a significant number of data-loss cases can be pinned on employee activity — both intentional misconduct and human error. An overwhelming majority of respondents (91 per cent) are concerned about employees and cite humans as the root cause for information security failures (79 per cent).
That said, 22 per cent responded that they have provided no employee security training during the past year. In addition, only 30 per cent reported that their staff are sufficiently trained to respond to security demands.
A Deloitte representative could not be reached for comment.
Deloitte's fifth annual survey asked senior IT executives from 169 large enterprises — 68 per cent of whom work at banks — about recent trends in security and privacy. Respondents included chief security officers, chief information officers and members of security management teams.