​

CYBERCRIME KNOWS NO BORDERS. Many of the world’s IT criminals are based half-a-world away from the scene of their crimes. Banks, with trillions of dollars on their balance sheets, are favored targets. And although financial institutions have responded by ramping up their IT security, network intrusions are as frequent and widespread as ever, according to the most recent survey from Deloitte Touche Tohmatsu.

Two-thirds of the firms responding to the survey admitted that they suffered repeated external breaches, and one-third admitted to serial internal breaches. The survey’s most troubling finding was the disarray in policymaking and execution at some of the world’s top financial firms, in what the authors call the security paradox. Deloitte found that senior management has increasingly designated IT security to be a strategic issue, overseen by board-level executives. But that high-priority designation hasn’t helped to solve the problem.

In the United States, for example, financial firms report that they have applied IT security policies and protocols more thoroughly than in any other region—and 89 percent say the issue has the attention of the executive suite. Yet 20 percent of executives at American institutions say they lack “commitment and funding to address [IT security] regulatory requirements.”

Yves Leroux, a Paris-based technology strategist at Computer Associates, says that implementing IT policy is a major challenge for companies around the world. “The most difficult thing is to convince line [managers] of a business to comply. Very often, they do not understand particular issues,” he says.

Deloitte found that Japanese financial institutions had universally adopted certain best practices in managing privacy policies, such as appointing a privacy executive. That practice is applied by only two out of three firms worldwide. The Japanese effort seems to have garnered results. Japan’s banks suffer the fewest reported IT system breaches.

Financial institutions in developing countries lag behind the United States and Japan in policies and implementation. The report says that firms in the Asia-Pacific region, where 79 percent of firms reported repeated external security breaches, are starting to “adopt more proactive technologies.” These include antiphishing technologies, application firewalls, and intrusion prevention systems (IPS) coupled with nontechnological controls such as awareness and training.

Latin America is a laggard in managing privacy compliance and providing employee training, yet it has suffered fewer IT security violations, with 63 percent reporting external breaches.

Two-thirds of respondents said they have an IT security strategy, but only 10 percent are confident that it “is led and embraced by line and functional business leaders.” Just as alarming was the admission by 70 percent of the world’s financial firms that they lack “both the required skills and competencies to respond effectively and efficiently to foreseeable security requirements.”

Part of the problem may be that it’s hard to find the right IT personnel. Werner Preining, CPP, executive vice president at Vienna’s Interpool Security, says European financial institutions face a skills shortage. “There are not very many competent people around, so few competent people get employed by banks,” he says. “There are very few IT generalists who also understand the details of what is going on throughout the whole system.”

He believes that breaches are more common and losses greater than disclosed by banks, even in confidential surveys such as Deloitte’s. “You hear little about breaches, because banks don’t want the negative image, and legal cases are settled out of court,” says Preining.

Another problem is the lack of clear measurements to assess a measure’s effectiveness compared to the cost of implementation. A majority—54 percent—of firms participating in the survey recognized that they “have little, if any, way to measure return on security investment or do not attempt to measure it at all. ROI numbers are the language that executives speak; without them, the security function continues to be seen simply as part of IT, and it will not gain the stature that is necessary to promote it as an enabler and a competitive advantage,” says Preining.

While IT security professionals at 81 percent of firms surveyed have defined jobs and responsibilities, only half have their performance linked to their appraisals. This “raises the question of how one can effectively manage and improve that which is not measured,” says Preining.

Marc McKinnon, a senior manager at Deloitte, says that firms are doing their best to acquire adequate data. “Many banks are doing tactical measurements before developing strategic objectives. They are seeing what they can measure today and then have programs to make effective long-term decisions, but it’s definitely a journey.”

McKinnon added that financial firms are aware of the risks of becoming more globally interdependent, but are struggling to translate this awareness into action. Only a small minority of banks involve IT security in acquisitions.

Part of the difficulty in curtailing cybercrime is that it crosses legal jurisdictions. The Council of Europe has attempted to address that problem through the Convention on Cybercrime treaty, which increases international cooperation on IT criminal investigations. For example, one of the treaty’s provisions allows foreign governments to file for “expedited preservation” orders preventing companies in signatory nations from routinely deleting logs or other data. The Council of Europe has 45 member states and five nonvoting members, of which the United States is one. All but two of the CE’s member states have approved the treaty.

Deloitte began surveying the world’s financial service companies’ IT security policies in 2003. Adel Melek, the firm’s IT Risk Management and Security Services global leader, says that his team interviewed management at 169 financial institutions in 2007, including 26 percent of the world’s top 100 banks in 32 countries. About half the respondents were based in developing regions, including Africa, the Middle East, Asia, and Latin America.