The "human factor" — employees, customers, third parties and business partners — is the "greatest root cause of security breaches," according to Deloitte Touche Tohmatsu's 2007 Global Security Survey.
The survey revealed that 65 percent of respondents have experienced repeated external security breaches in the past year. The top three causes of breaches at financial institutions are viruses, email attacks, and phishing.
The reported breaches were caused by the firms' customers, who unwittingly provided sensitive information to others, creating conduits into the financial institutions' systems.
The survey also revealed that less than two-thirds of respondents (63 percent) have an information security strategy, and only 10 percent of the respondents' strategies are headed by line-of-business leaders. The results support what Deloitte calls "an emerging security paradox" — the gap between awareness of security problems and actual support for providing solutions.
"A key challenge lies in the development and integration of a security strategy across the business," Deloitte's analysts said in the survey.
A Deloitte representative could not be reached for comment.
Deloitte's fifth annual survey asked senior IT executives from 169 large enterprises — 68 percent of whom work at banks — about recent trends in security and privacy. Respondents included chief security officers, chief information officers and members of security management teams.
Nearly all of the surveyed CSOs and CIOs said they have increased their security budgets in the past 12 months, according to the report. Yet 35 percent said that their investment lags behind business needs, and only 20 percent of U.S. respondents said their staffs have the required skills and competencies to deal with ongoing security threats.
The primary reasons that security projects fail are "shifting priorities" (48 percent) and "integration problems" (32 percent), according to the survey.
High-profile cases of data loss have focused "intense attention" on data protection during the past 18 months, according to Mark Steinhoff, principal with Deloitte's financial services industry security and privacy practice.
"It is clear that financial institutions have identified the major security issues and the necessary actions they must take to improve security and privacy practices," he said. "But many are falling behind when it comes to taking action. This is not only a security or technology issue, but requires the integration of security governance, compliance and solutions across the enterprise."
In addition to customer-created breaches, a significant number of data-loss cases can be pinned on employee activity — both intentional misconduct and human error. An overwhelming majority of respondents (91 percent) are concerned about employees and cite humans as the root cause for information security failures (79 percent).
That said, 22 percent responded that they have provided no employee security training during the past year. In addition, only 30 percent reported that their staffs are sufficiently trained to respond to security demands.