Despite growing boardroom awareness, IT security risk remains the responsibility of IT departments in Australian financial institutions, according to new research.
Deloitte’s annual security survey of financial institutions identified a growing gap between awareness of IT security issues and support for solutions. “The first issue is a security paradox that we’re starting to see and this comes down to the fact that we’re seeing a lot of media around security breaches and we understand how those breaches occur,” said Tommy Viljoen, a Deloitte partner.
“The boards understand how that’s occurring and management understands how that’s occurring. However security and the responsibility for security is still resting on the shoulders of IT. Yet a lot of the breaches that are occurring – and this is the second part of our message – are resulting from people issues, be they internal, be they the customers or be they third parties. So there’s a paradox that we’re seeing between ownership of security and responsibility for security.”
Skills shortages also emerged as a major issue in the IT security battle with Australia’s geographical isolation a particular barrier to competing with UK and European markets for skilled IT security professionals. Dean Kingsley, a Deloitte partner, added that the firm itself has felt the sharp end of the issue.
“We’re a significant employer ourselves of information security professionals so I think we have our perspective as the financial services industries do on what skills we want and what we’re finding in the market. I think there are twofold challenges,” he said. “The first is that even in the technical part of security, universities and for that matter TAFEs and other training institutions are not putting out enough people with the right kinds of skills that the industry is demanding. I think something needs to happen on the tertiary educational side of that problem.”
As Australian banks investigate differing options for offering customers greater security protection for online banking, questions are emerging over whether banks will incur a greater cost for fixing security than they currently lose through cyber attacks and online fraud. While in the US, for example, banks must disclose losses resulting from security breaches, that is not a requirement in Australia.
“I can only go on certain banks that I’ve seen,” said Viljoen. “It is a risk-based approach but it’s looking at it both from the financial perspective as well as the reputational perspective. Yes you can incur certain losses as long as the customer is being reimbursed. That might be a financial loss that you could bear. If it is starting to break down the trust that society has in the organisation, that’s going too far.
“I think the banks, while they will accept certain losses, are also looking at it and saying, if I do accept too much of these losses, even though from my own perspective it’s acceptable, if I can no longer use this channel and I’ve broken that trust, that becomes a big issue. I think there’s a lot of debate going around at the banks at the moment around what extent this can continue.”
In terms of additional authentication for retail customers, Australian institutions remain behind their Asian counterparts, particularly in Singapore and Hong Kong, where two-factor authentication is commonplace.
“On the authentication element and access management front, I wouldn’t say we are far behind because we see some of our banks and some of the smallest ones are ahead and some of the bigger ones are looking at the more advanced solutions,” said Jean-Marie Abighanem, a director at Deloitte.
“But I wouldn’t say we are ahead. I would say we are maybe a little bit lagging behind in some aspects of security or some aspects of technology. For example we are still good on securing the infrastructure but we’re still a bit behind on authentication. We’ve been putting some new technologies in place and efficient technologies.”
Julie Priest, head of Deloitte’s national security practice, agreed. “I think some of our colleagues in Singapore said some of the banks there are leading edge in that area,” she said.