Financial institutions around the world experienced an increase in the number of online attacks during the past year, according to the 2006 Deloitte Global Security Survey. Globally 78% — up from 26% in 2005 — experienced security attacks from outside the organisation. Remarkably, every single respondent from the Asia-Pacific region, excluding Japan, said they had experienced at least one information security breach in the last 12 months, compared with 16% last year.
“It is significant that 100% of respondents in Asia-Pacific were hit, and that none felt that they had the required skills and resources to respond effectively and efficiently,” says Faris Azimullah, an IT specialist with Deloitte New Zealand’s IT risk management and security services department.
The region is behind the rest of the world in areas such as appointing chief information security officers and having a security strategy in place, according to the survey.
Only 23% of respondents in Asia-Pacific confirmed that they had a CISO, compared with 91% in the Middle East, 82% in the US, 74% in Japan, 80% in Canada and 57% in Latin America. The global average is 75%, says Azimullah.
Ashley Sadler, recruitment manager for IT at Enterprise Recruitment, says it is only relatively recently that specific security positions — such as CISOs, security architects, security consultants and security analysts — have started coming up in the New Zealand job market. He says positions of this kind would more often come up in the Wellington market, because of the government and public sector institutions, than in Auckland. However, security expertise is becoming more and more sought after in Auckland.
There is reluctance in the commercial Auckland market to get involved in some of the upper areas of IT, such as deploying remote and wireless computing, he says. This is due to security concerns and the lack of security experts.
“And that is definitely hindering people from taking up these technologies,” he says.
Small to medium-sized companies, which typically don’t have a CISO on board, want to take advantage of emerging technologies, but there is a lag because of the security implications, he says.
Sadler says that for CISO or security architect roles his company looks for individuals with a CISSP (Certified Information Systems Security Professional) qualification, a premier security certification that is recognised worldwide. Enterprise Recruitment has ten people with that qualification in its database of 17,000 candidates.
Ben Allen, Auckland branch manager of Icon Recruitment, confirms that security experts are scarce but much needed. Icon hasn’t dealt with many roles at the CISO level, he says. But he thinks appointing CISOs might be a trend that is coming.
“The security side of businesses is certainly growing and there is more awareness around security. There is always a need for security experts [in New Zealand],” he says.
On the positive side, 92% of respondents in Asia-Pacific have implemented a business continuity management programme that includes the whole enterprise, and 85% manage privacy compliance. Rodger Murphy, head of financial services at Deloitte New Zealand, thinks this is a response to the natural disasters that have hit the region in the last couple of years.
Internal attacks are also increasing around the world, says the survey, and 49% of respondents experienced at least one internal security breach, compared to 35% in 2005.
The survey shows that more than half of external attacks globally were phishing and pharming attacks, followed by spyware or malware attacks at 48%. Regarding insider attacks, 28% of respondents cited insider fraud, and 18% cited stealing of customer data, as the most common internal malicious actions. The top three most common attacks, both external and internal, were aimed at gaining money, according to the survey.
The results of the survey indicate that the financial industry is facing a new reality, says Murphy.
“The sophistication and coordination of these attacks imply professional hackers and organised crime, rather than the script-kiddies and one-off hackers that used to dominate this space,” he says.
Among the top five security initiatives for 2006, respondents cited identity theft and account fraud (58%), identity and access management (41%) and disaster recovery and business continuity (49%). Eighty-eight percent confirmed having a business continuity management programme in place.
However, security awareness and training was pushed off the top five initiatives list from the previous year. Even though 96% of respondents are worried about employee misuse of IT systems, only 34% have provided staff with some kind of security training over the past year.
The survey also found that 95% of respondents saw their information security budget grow over the past 12 months. In addition, 72% of financial institutions that experienced security breaches noted that the estimated amount of damage for the organisation was around US$1 million.