By Matt Mancuso, Ernst & Young
With external and internal data security threats on the rise - both malicious and inadvertent in nature - financial services organizations are taking a more holistic view of risk and security and focusing on the overall health of their information security management programs. Ernst & Young has surveyed information security executives at 1,900 financial institutions around the world to understand how they view and are addressing data security issues, dealing with increased regulatory requirements and leveraging new technologies. Information security leaders face reduced budgets and fewer resources, complicated by an increase in the number of threats - 48% of financial services respondents noted an increase in external attacks (e.g., phishing, website attacks) and 26% noted an increase in internal attacks (e.g., abuse of employee privileges, theft of information).
As companies reflect back on the missteps that exacerbated the financial crisis and find themselves challenged to respond to increased regulatory inquiries driven by the desire for greater transparency and granularity, they realize that the nature of data security has changed.
In its early days, information security was first and foremost about the perimeter, keeping the bad guys out. Companies constructed firewalls and later applied multiple layers of authentication to internet-facing applications. Today, these established security measures are not an option but a requirement. Fifty percent of survey respondents plan to spend more on improving information security risk management to protect information no matter where it resides. The newer security priority for these data security experts, and the one they're focused on for the coming 12 months, is data leakage, which Ernst & Young defines as the unintentional release of sensitive information. Sources of data leakage include threats from outsiders in the form of malware, spam, spyware or hackers; intentional information leakage by insiders; unintentional information leakage by insiders; or leakage resulting from inadequate controls, acceptable use policies or procedures. The financial services industry has taken action to control data leakage of sensitive information with a combination of preventive and detective measures such as implementing content monitoring/filtering tools (60%), restricting use of certain hardware components (65%) and defining a specific policy regarding the classification and handling of sensitive information (72%).
Data leakage prevention programs seek to prevent the intentional or unintentional disclosure of sensitive data-at-rest, in-motion or in-use to unauthorized parties; maintain adequate security while providing usability; protect customer data and brand reputation; protect personally identifiable information and intellectual property; and reduce an organization's risk exposure and cost of compliance. The program should include all domains of people, process and technology to effectively prevent data leakage. For example, a clearly defined governance structure, controls matrix and data owner roles and responsibilities are critical to managing and maintaining any program. Also, all supporting IT processes must be reviewed and potentially enhanced (typically based upon gaps uncovered by a comprehensive data leakage risk assessment) so that technology solutions that monitor, prevent and respond to potential data leakage events across all three protection domains can be adopted. The survey also revealed that many organizations continue to be challenged by a lack of skilled information security resources and inadequate budgets. While these challenges have been identified in previous years' surveys, this year they have become much more pervasive and are likely being influenced by the climate of heightened economic uncertainty.