Financial institutions struggle with security

By Kate McCaffery | June 23, 2005 | Last updated on June 23, 2005

(June 23, 2005) Your next meeting would probably be a very good time to start making information security a “talking point” with clients. Security breaches and attacks are on the rise at financial institutions — both in Canada and abroad — and human error is expected to be the number one cause of problems in the future. Despite this, very few companies have plans to engage in education measures that could help prevent fraud and identity theft.

More than 50% of Canadian financial institutions surveyed for the Deloitte 2005 Global Security Survey admit they’ve experienced some form of security breach in the past year. Overall, attacks originating inside organizations, both those that are malicious and intentional and those that are simply the result of human error, are on the rise and are outpacing attacks that exploit technological loopholes.

“We’re seeing an increase in the sophistication and evolution of threats,” says Marc MacKinnon, manager of security services at Deloitte & Touche LLP in Toronto.

Human error is quickly becoming the biggest weakness institutions face when dealing with breaches of security. Phishing and pharming, where scam artists attempt to harvest clients’ personal information using bogus e-mails and websites, are two of the newest additions to the list of security threats.

In phishing attacks, a scam artist will send spam e-mail that looks like mail from a legitimate institution. The e-mail will usually urge clients to click on a link to update their personal information or carry out a transaction. The link directs the client to a legitimate looking website which harvests the client’s information when they enter it, and sends it to the scam artist.

Pharming is an evolution of phishing scams, exploiting vulnerabilities in domain name servers that allow the hacker to essentially steal a company’s website name and use it to redirect traffic to another site.

Since most financial institutions will not send unsolicited e-mail, urge clients to call the company, using a phone number they know is legitimate, if they ever receive a questionable request. If you or your clients have any concerns about the validity of a website, experts suggest entering fake information: only a website designed to harvest information will accept incorrect account numbers or passwords.

Overall, the shift from external to internal attacks, and toward tactics that exploit human behaviour rather than technological loopholes, can be explained by the improved utilization of information technology services, say the authors of the security study.

The survey of chief information security officers found 98% of companies use anti-virus software solutions compared to 87% in 2004. Use of virtual private networks (which use encryption to provide secure connections to transmit data, voice or video) was up to 79% compared to 75% in 2004, and 76% of companies, up from 60%, were engaged in content filtering and monitoring.

Close to half of the survey’s Canadian respondents say lack of employee awareness is one of their top challenges. Despite this, the share of companies offering security training declined to 65%, down from 77% last year. In the global survey, very few financial institutions have plans to increase customer security awareness. Training and awareness was in fact at the bottom of the security initiatives list, far behind things like regulatory compliance, reporting and measurement. Only one third of the executives interviewed for the survey felt that security was recognized at their company as a critical area of business.

Filed by Kate McCaffery, Advisor.ca, kate.mccaffery@advisor.rogers.com
