Although external security attacks on IT systems at a sampling of financial institutions - surveyed as part of an annual Deloitte & Touche (New York) study - have more than doubled from a year ago, the Global Financial Services survey also finds that companies aren't dedicating more resources to combat the problem. Instead, more than a quarter of financial services companies surveyed report that their security budgets remain flat, while nearly 10 percent of respondents had their budgets slashed from the previous year.
But the state of security isn't entirely uncertain for financial services companies. Ted DeZabala, national managing partner of Deloitte & Touche's security services group, hypothesizes that the reported increase in attacks is partly due to the greater focus on securing systems. "Visibility tends to drive the reported numbers up," DeZabala says. "When companies are more focused on monitoring security breaches, they are better able to account for them."
But greater monitoring practices only account for part of the escalation in figures. The spike in numbers is also likely related to more resourceful perpetrators, according to DeZabala. "There seems to have been a steady increase in the number of people sophisticated enough to perpetrate these attacks," DeZabala explains. "Additionally, the number of network connections at the average company has increased, leaving more points vulnerable to attacks."
And when a company's security is breached, bad public relations is not all it will have to contend with. These attacks often have an impact on an organization's bottom line. Security threats like viruses, worms, malicious code, sabotage and identity theft have cost millions of dollars in lost revenue globally, DeZabala asserts.
That is part of the reason why financial institutions also find themselves in a pickle when it comes to balancing a secure environment with providing adequate customer access. Although he concedes that there is no quick fix for the problem, DeZabala suggests that companies employ a holistic systems strategy. "The whole development and deployment of applications requires more diligence," he explains. "Also, a standardization and reduction of technical complexity is key. As you consolidate your systems, they are easier to manage, and it will also become easier to mitigate risk."
But though integration of systems and databases may reduce the number of systems that must be watched, more attention is required as part of the effort, DeZabala says. "Any time a company has a single repository, more diligence is needed to protect it," he relates. "The fact remains that it's easier to protect one database than it is to protect 10. However, with a single repository, you have the entire population exposed in one area."
Deloitte & Touche's Global Financial Services survey, which was conducted through face-to-face interviews, focused on senior information technology executives, including chief information officers, chief security officers and security management teams. One hundred financial services organizations participated in the survey, 10 of which are members of the top 50 global insurers ranked by 2002 financial assets.