Ernst & Young 2008 Global Information Security Survey

The latest release of “Ernst & Young Global Information Security Survey” shows that a growing number of organisations recognise the link between information security and a strong brand / reputation. It covered nearly 1400 senior executives in over 50 countries, and it strongly indicates that a security incident would have a greater impact on reputation and brand than on revenues. Considering the previous results and my experience – it seems that the major drivers of information security spend are shifting from compliance to brand protection.

More importantly, it suggests that the spending is set to increase in Information Security. While, I think there will be major cutbacks in a number of existing areas and the same money will be re-channelled with more robust monitoring of the bottom line.

Survey can be found here

FSA releases report on data security for FS

FSA releases report on protection of consumer data within Financial Services industry. This review was carried out by FCID (Financial Crime and Intelligence Division) of FSA – In summary, it highlights the need for improvement in current practices deployed in the financial services industry for protecting consumer data. It also highlights and acknowledges a few good practices currently in place.

Main findings were around following themes:
– Governance
– Training and Awareness
– Staff recruitment and vetting
– Controls
– Physical Security
– Disposing of customer data
– Managing third-party suppliers; and
– Internal audit and compliance.

Click here for detailed report

2008 Data Breach Investigations Report

Some really exciting statistics reported by Verizon Business RISK team.

It is worth to note the fact that although percentage-wise the insider data breaches are 18% compared to the external 73%, later in the report is is mentioned that impact of an insider breach is relatively a lot higher than of an external breach.  Summary is below:

Who is behind data breaches?
73% resulted from external sources 
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error 
59% resulted from hacking and intrusions  
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66%  involved data the victim did not know was on the system
75%  of breaches were not discovered by the victim 
83%  of attacks were not highly difficult
85%  of breaches were the result of opportunistic attacks
87%  were considered avoidable through reasonable controls

You can find the report here

$7.5 billion trading scandal – is this the end of it?

Apparently not, FSA is urging banks to improve their controls, while a simple advice but barely followed. SocGen is a prime example. Although, other entity level and manual controls failed as well, but it was the technology that made it possible in the first place (based on the SocGen’s official statement released sometime earlier)

See here for further on this.

Technology Risk in Banking Context

Interesting article by Cynthia hosted by Bankersonline, it discusses technology/IT risk in banking context to a certain extent. However, it will not be much to expect some reference to the capital requirement regulation and how it acts as a board level motivation to take technology/IT risks management more seriously.  More on it here