Jason Bryce from banking newsletter The Sheet writes:

Highly organised and well funded criminal groups are taking over from
backyard hackers as key threats to the security of financial institutions and
their customers according to Deloitte Touche Tohmatsu. Despite the growing
problem, most executives at the chief and board level do not see it as a
critical area of business.

In a disturbing finding, 100% of financial services institutions that
participated in the 2006 Deloitte Global Security Survey study from the Asia
Pacific region (excluding Japan, but including most of the major Australian
institutions) reported that they had experienced security breaches in the last
12 months, but none felt it had the required skills and competencies to
respond effectively and efficiently.

“That’s a massive increase in organisations reporting security breaches on
the numbers for AsiaPac in 2005,” said Deloitte partner for Enterprise Risk
Services Tommy Viljoen. Just 16% of AsiaPac FSIs reported security
breaches in the 2005 report.

George Stathos, also a Deloitte Partner for Enterprise Risk Services, said
all institutions were suffering an acute shortage of skilled IT security
professionals that is hampering global efforts to fight the latest security
threats.

Two-thirds of the 32 Asia/Pacific FSIs participating do not have a security
strategy. In fact the Asia/Pac FSIs recorded “worst in class” results in six
key areas of security, lagging far behind leaders Japan as well as the European,
North American and Latin American FSIs.

While 92% reported having a business continuity management program to
cope with major catastrophic events such as a terrorist bombing or an avian flu
pandemic, the report states that “closer examination reveals that these programs
may not be addressed at the enterprise level nor is the organisation as prepared
as it may think.”

Viljoen says the number of IT security professionals employed by Australian
institutions is generally below 40, which is very low compared to North American
institutions.

Both Viljoen and Stathos believe that while losses from fraud, ID theft and
online hackers remain non-material to FSI bottom lines, the real threat is damage
to consumer confidence in the system. This has led many institutions quickly
and quietly to reimburse affected customers, while perhaps not moving so
effectively on prevention. Stathos sees a time “perhaps ten years out” where
institutions expect customers to take responsibility and accept liability for
problems originating on their infected PCs.

However, in the foreseeable future, while banks are trying to get customers
out of branches and online, they are likely to continue to wear losses
quietly and hope they don’t become material.