The State of Banking Information Security Survey Copyright 2008 Information Security Media Group, Corp. Executive Overview

Transcription

1 The State of Banking Information Security Survey 2008 Copyright 2008 Information Security Media Group, Corp.

2 The State of Banking Information Security Survey, its results and the entire contents of this report are copyright 2008 Information Security Media Group, and may not be repurposed in any medium without expressed permission from Information Security Media Group. 2

3 From the Editor: The State of Banking Information Security at Last! Tom Field, Editorial Director of BankInfoSecurity.com You have no idea how long I ve waited to tell you about the State of Information Security This report started about a year ago, when Information Security Media Group executives first began talking about conducting a comprehensive survey about security issues at U.S. financial institutions. There were several factors crying for such research: 1) There was no single, independent source of analysis dedicated to our industry; 2) There absolutely was a need for identifying and exploring the key issues of concern to banking security leaders; 3) We wanted to create a new benchmark for ourselves to assess the needs of financial institutions, and for institutions to compare their challenges and approaches peer-to-peer. By early fall we had our first draft questions, based on our own knowledge of the market, a look at regulations coming down from Washington, and input from our own Board of Advisors. We tested, tweaked and toned this survey until finally we released it this past December. What you see before you now is a powerful statement from a powerful constituency. Nearly 300 security leaders completed this survey, representing financial institutions of all sizes from across the United States. I have to caution that the results you are about to read are based on the perceptions of these leaders re: assessing their own institutions. But, that said, these are informed opinions, and they re strong ones. Confidence is high among these security executives. They feel their security programs and personnel are solid, and they believe their customers are confident in their protective measures, too. And, yet, many institutions fail to document, communicate or update their incident response or business continuity plans on any steady basis; vendor management is a thin practice at best; and security awareness programs grade out at average-to-failing for employees and customers alike. Factors, all, that could imperil the confidence security leaders and their customers are supposed to hold. Thought-provoking results, I m sure you ll agree, and that s just the surface of what you re about to uncover. Roles, priorities and practices they re all captured in the report you re about to read. And there s even more available online, where you can find the full report, podcast overview and on-demand webinar detailing the survey results. I hope you enjoy what you read find it validating. But I hope you feel challenged by it, too. Share your reactions with me, please, and do take time to drop me a line and let me know what you d like us to explore in next year s big survey. Best, Tom Field Editorial Director Information Security Media Group tfield@bankinfosecurity.com 3

4 Table of Contents Copyright Notice Editor s Note Table of Contents Information Security Agenda: Key Findings 1. Security is a Business Issue 2. Phishing 3. Vendor Management 4. Training 5. Incident Response 6. Business Continuity Key Differences by Assets Under Management Key Differences Between Banks and Credit Unions Conclusion

5 Information Security Agenda: 2008 State of Information Security Survey Uncovers Disconnect in Efforts to Manage Vendors, Educate Customers If there s one single notion common to financial institutions of all sizes, it is confidence the need to have shared trust with employees, partners and especially customers. Without this confidence, banking institutions cannot succeed. And if there s one common theme emerging from the inaugural State of Information Security survey, it s that security leaders express this confidence in contradictions. On one hand, Survey respondents tell us they: Grade their institutions ability to counter threats as very good or excellent (64%) Generally believe their customers share confidence that the institution s security measures are adequately protecting critical information QUESTION: HOW DO YOU GRADE YOUR INSTITUTION S ABILITY TO COUNTER EXTERNAL AND INTERNAL INFORMATION SECURITY THREATS? Excellent Very Good Average Needs improvement Poor failing Don t know 7% 57% 31% 2% 1% 1% 1% QUESTION: DO YOU BELIEVE YOUR CUSTOMERS ARE CONFIDENT THAT YOUR INSTITUTION S INFORMATION SECURITY PROGRAM IS ADEQUATELY PROTECTING THEIR INFORMATION? 61% 24% 13% 2% Yes Some are while others we need to work on I don t know No 5

6 But then, on the other hand, these same respondents say they really have no reason to support such confidence theirs or their customers - revealing: 21% have either suffered a security breach during the past two years, or don t know 35% have been a victim of a phishing attack during the past year* 61% do not test their Incident Response Plan annually* Two-thirds outsource Internet banking systems to third-party service providers, yet admittedly have only moderate confidence in their vendors security controls 73% assess themselves as average to failing when it comes to security awareness efforts with their customers* QUESTION: HAS THERE BEEN A SECURITY BREACH AT YOUR INSTITUTION DURING THE PAST TWO YEARS? 15% 79% 6% Yes No I don t know QUESTION: ON A SCALE OF 1-5, HOW DO YOU RATE YOUR CONFIDENCE IN THE SECURITY CONTROLS MAINTAINED BY YOUR INSTITUTION S THIRD-PARTY SERVICE PROVIDERS? 5 = High Moderate Low 15% 39% 40% 4% 2% *charted results included in the full report - see 6

7 Information Security Agenda 2008 These answers in context reveal a soft underbelly to even the most iron-clad information security strategies that security leaders are placing entirely too much trust in vendors to have secured their own systems and processes. And at a time when customer confidence is already shaky, thanks to the subprime mortgage crisis, banking institutions are further imperiling this trust by failing to give their customers adequate education about secure electronic banking. If institutions continue to fall short in these initiatives, they risk a security breach or worse that could only further erode the customer trust that is so critical to the banking infrastructure. Blind trust might have been enough to placate examiners in the past, but already in 2008 federal regulators have turned up the heat. Both the Federal Deposit Insurance Corporation (FDIC) and National Credit Union Administration (NCUA) have recently directed banks and credit unions to demonstrate tighter vendor management controls in their next examinations, and the inter-agency Identity Theft Red Flag Rules* require institutions to adopt a written Identity Theft prevention program including beefed-up customer awareness efforts by Nov. 1. Given these regulatory pressures, institutions are clear in articulating their platform for action in 2008: Information Security Plans Must be Documented & Shared It isn t enough to have a Business Continuity Plan or an Incident Response Plan although they both are part of an important start. These documents must be documented, updated, communicated throughout the institution and to customers, and they also must take into account the security of data in the hands of third-party service provider s (TSP s). Vendor Management Must be Improved Too many institutions are limiting their due diligence to customer references and SAS 70 reports. Going forward, they need to understand their vendors security measures, and they must show evidence that they have verified and ensured the safety of critical information when it s in TSP s hands. Customer Education is Insufficient Statement stuffers alone won t cut it. More than any other industry, banking institutions need customer trust to survive. To secure this trust, they must demonstrate proactive efforts to educate customers about online banking safety and the risks of identity theft including phishing, which occurs via and telephones outside of the institutions, but still can cause untold damage and erode customer confidence. * For full article see ID Theft Red Flags Update 7

8 Key Findings In addition to the top challenges facing institutions, the State of Information Security 2008 survey also reveals valuable insights on a variety of topics, ranging from reporting relationships to risk management. Top headlines include: 1) Security is a Business Issue There seems to be strong alignment between security and business interests in financial institutions. Business issues regulatory compliance and customer data protection top our respondents list of 2008 priorities, and 40% of these security leaders report into either the CEO/President or Board of Directors/Audit Committee. Security initiatives at these institutions should have strong executive sponsorship. But a couple of troubling signs: Titles A majority (56%) of respondents chose other from the list of titles offered to describe their jobs. This response suggests that the security function may be a part time role in many institutions that the duties are an add-on to someone s existing fulltime job. Given regulatory pressures and existing threats, one can question whether information security deserves an executive s fulltime attention. Budgets - Only one-fifth of respondents have their own defined security budgets; a majority of them (54%) continue to get their funding through IT. Again, this suggests that security is a secondary consideration, and yet regulatory compliance and threat mitigation efforts are primary concerns. Whatever the reporting relationship, role or resource, the mission for security leaders remains the same: Keep information security atop the business agenda. And to do that, then the language of security must be the language of business speak in terms of privacy and protection, not in terms of penetration tests and denials of service. Lose the context, and you risk losing your support. QUESTION: WHAT IS THE TITLE OF THE PERSON PERFORMING THE INFORMATION SECURITY OFFICER ROLE AT YOUR INSTITUTION? Other* Chief Information Officer / IT Director Chief Information Security Officer Chief Security Officer Chief Compliance Officer Chief Risk Officer 56% 19% 12% 6% 5% 2% * A sampling of these responses include: CFO, SVP Operations, Business Process Manager, IT Support Manager, Network Security Admin, Network Administrator, Loss Prevention Manager 8

9 Key Findings (continued) 2) Phishing No Institution Is Safe. More than 40% of respondents say they ve been the victim of a phishing attack over the past year, or don t even know, and it s a crime that s only likely to grow. In fact, already in 2008 we re seeing new telephone-based phishing campaigns preying upon consumers trust. These attacks are easy to launch, payback from them is high and financial institutions stand to lose the most if they don t do a better job educating customers about how to avoid them. 3) Vendor Management Too Much Trust, Too Little Verification. It s an alarming picture when more than two-thirds of respondents (67%) outsource a key system such as Internet banking, and yet only 41% have moderate confidence in vendor security -- 23% say they have no idea whether their vendors have suffered a security breach during the past two years. Another 21% don t know or don t check to see whether their vendors are in compliance with industry regulations. Clearly, institutions are placing too much trust in customer references and SAS 70 audit reports. Starting in 2008, they ll need to show better evidence of inspecting and ensuring the safety of critical processes and information when in vendors hands. QUESTION: HAS YOUR INSTITUTION BEEN A VICTIM OF PHISHING ATTACKS AT ANY TIME DURING THE PAST YEAR? Yes No I don t know 35% 58% 7% QUESTION: WHEN CONTRACTING WITH A THIRD- PARTY SERVICE PROVIDER, WHAT DO YOU DO TO ENSURE THE SECURITY OF THEIR INFORMATION SECURITY PRACTICES? 83% 65% 55% 37% 29% 7% SAS 70 reviews Financial Analysis Third party security assessments provided by the vendor Banking regulatory agencies reviews Onsite reviews sponsored and conducted by the institution Other 9

10 Key Findings (continued) 4) Training Employees, Customers Are Not Getting What They Need. Awareness is the key employees and customers must understand institutions security measures and their own roles in supporting them. Yet, our respondents generally grade themselves low at providing effective security awareness training to these groups 62% average to poor educating employees, 73% for customers. When resources are tight, training budgets always take a hit, but with the Identity Theft Red Flag Rules compliance date looming institutions can t afford to skimp on awareness efforts. There must be strategic education plans in place, and they have to go beyond merely satisfying a regulator s check box to fulfilling the need for security awareness. The risk: If institutions don t improve their awareness programs, they won t merely fail their self-assessments they ll imperil their own customers confidence. 5) Incident Response Some Bases Are Still Uncovered. The interesting point here is whether incident response plans account for incidents at vendors (24% say no or don t know), and then whether customer communication is built into these plans (34% say no). Worse, 30% either don t have such a plan or haven t updated it in the past year. In the wake of such public disasters as the TJX security breach*, one would expect more attention paid to these areas. Given regulatory pressures** and the risk of negative publicity, institutions in 2008 must update their incident response plans to account for their third- (and fourth-) party service providers and to include quick, open communication to customers in the wake of a disaster. QUESTION: HOW DO YOU GRADE THE EFFECTIVENESS OF YOUR SECURITY TRAINING AND AWARENESS ACTIVITIES FOR EMPLOYEES? 2% 36% 53% 7% 2% Excellent Very Good Average Poor Failing QUESTION: DOES YOUR PLAN INCLUDE A FRAMEWORK FOR CUSTOMER COMMUNICATIONS? Yes No Currently under development I don t know 66% 9% 20% 5% * For full article see TJX, Visa Agree to $40.9 Million Payout for Data Breach ** For full article see FDIC Issues New Pre-Exam IT Questionnaire 10

11 Key Findings (continued) 6) Business Continuity Pandemic Preparation* is Lacking. Institutions do have business continuity plans in place. But not surprisingly, they aren t doing a great job communicating these plans to employees (40% either haven t done so, or only somewhat). And they re least prepared for pandemic the one area where regulators are pushing for them to improve**. The FFIEC this past December released new guidance on pandemic planning, and so institutions in 2008 will be expected to focus more efforts on updating, documenting and testing these plans. QUESTION: WHICH OF THESE THREATS DOES YOUR BUSINESS CONTINUITY PLAN ADDRESS? Natural Disaster (hurricane/earthquake/other weather-related disasters) Man-made disaster (terrorism/hacks) Pandemic disaster Other 98% 90% 71% 7% * For full article see New Pandemic Guidance Issued by FFIEC ** For full article see Pandemic Exercise Report Released; Calls for Enhanced Preparations 11

12 Key Differences by Assets Under Management Survey respondents break down into three categories by assets under management: under $500 million, between $500 million and $2 billion, and $2 billion-plus. The common theme when comparing institutions: resources. The larger the institution, the more likely to have dedicated security budgets, the greater attention paid to initiatives such as vendor management and customer awareness. Among some of the key comparison points between small and larger institutions: Information Security Strategy Smaller institutions are less likely to have a formal information security strategy (74% say yes, vs. 87% overall). And they are also less likely to have successfully communicated these strategies to senior officers, employees and customers. For these institutions, 2008 must begin with a focus on the fundamentals: Create and communicate security strategies. Identity Theft Prevention Across the board, smaller institutions say they are doing significantly less than larger institutions in strategies to fight identity theft. And yet none of these institutions is immune from the crime or the regulatory pressure to prevent it. Scant resources will have to be applied to this challenge in Ensuring Vendor Security Practices Outsourcing is common to institutions of all sizes. But across the board, smaller institutions say they are doing significantly less than larger institutions in ensuring the existence and effectiveness of vendors information security practices. Again, given recent guidance from the FDIC and NCUA*, we know vendor management will be a major concern in forthcoming regulatory exams. QUESTION: WHAT STRATEGIES HAVE YOU ADOPTED TO PREVENT IDENTITY THEFT? Network-based intrusion detection/prevention systems Employee background checks Application firewalls Network access control technologies Fraud detection technologies Log analysis technologies Documented ID theft prevention program Identity management technologies Behavioral-based anomaly detection technologies Automated data-leakage technologies Other A B C D E F G H I J K Graph numbers are % A B C D E F G H I J K A B C D E F G H I J K A B C D E F G H I J K * For full article see FDIC Issues New Pre-Exam IT Questionnaire 12

13 Key Differences Between Banks and Credit Unions Survey respondents break down into three categories by type of institutions: banks, credit unions and other financial institutions (brokerages, insurance companies, etc.) There are no significant differences between banks and credit unions in terms of priorities, roles and strategies again, these issues tend to be decided more by available resources. But credit unions do stand out in a few key comparisons: Reporting Relationships Credit union security leaders are more plugged in to executive management. Thirty-eight percent of them are likely to report to the CEO/President, vs. 29% overall. Security Plans and Testing Credit unions are a little more lax than banks when it comes to updating and testing their security plans. Asked if they had updated their incident response plans in the past year, only 60% said yes, vs. 71% overall 21% are just developing these plans now. Similarly, credit unions are less inclined to have a regular Business Continuity Plan update schedule 23% have no set schedule vs. 15% overall. And they also are less likely to test these plans annually 60% vs. 70% overall. QUESTION: WHEN WAS YOUR INCIDENT RESPONSE PLAN LAST UPDATED? A. During the last year B. We are currently developing this plan C. No updates since the plan was developed D. We do not have a plan in place E. Other A B C D E Banks Credit Unions 13

14 Conclusion There were more commonalities than differences in this inaugural State of Information Security survey. No matter the type of institution, its size or its locale, the priorities, responsibilities and challenges are much the same, and so is the information security agenda for U.S. financial institutions in 2008: What we re doing now is insufficient; going forward this year, we must ensure that our: Security strategies are documented & shared Business Continuity Plans account for newer threats, are tested, communicated and updated Incident Response Plans account for business issues, including incidents at third-party service providers (TSPs) Vendor management needs improvement, ensuring that our partners security and compliance measures are as air-tight as our own should be Customer awareness needs improvement; new efforts must focus internally and externally We ll track and report institutions progress over the course of the year, and you can expect to see us back here 12 months from now discussing the State of Information Security Full Survey Report Available For a detailed overview and analysis of the entire State of Information Security 2008 survey, please visit The full report and audio overview are available, as is registration information for an exclusive roundtable webinar in which industry leaders discuss what these findings mean for 2008 information security strategies. About Information Security Media Group Based in Princeton, N.J., Information Security Media Group publishes BankInfoSecurity.com and CUInfoSecurity.com, which are your one-stop portals for the latest news, insights and education on the top information security issues facing U.S. financial institutions today. Through articles, webinars, podcasts, customized training and sponsored content, our team is committed to providing up-to-date information on the security regulations, threats, solutions, training and career trends that impact banks, credit unions and other related enterprises. 14