Archive for the 'Technology Risk' Category

Ernst & Young 2008 Global Information Security Survey

The latest release of “Ernst & Young Global Information Security Survey” shows that a growing number of organisations recognise the link between information security and a strong brand / reputation. It covered nearly 1400 senior executives in over 50 countries, and it strongly indicates that a security incident would have a greater impact on reputation and brand than on revenues. Considering the previous results and my experience – it seems that the major drivers of information security spend are shifting from compliance to brand protection.

More importantly, it suggests that spending on information security is set to increase. I think, however, that there will be major cutbacks in a number of existing areas and that the same money will be re-channelled, with more robust monitoring of the bottom line.

The survey can be found here.

FSA releases report on data security for FS

The FSA has released a report on the protection of consumer data within the financial services industry. The review was carried out by the FSA's Financial Crime and Intelligence Division (FCID). In summary, it highlights the need for improvement in the practices currently deployed in the financial services industry for protecting consumer data, and it also highlights and acknowledges a few good practices already in place.

The main findings were grouped around the following themes:
– Governance
– Training and Awareness
– Staff recruitment and vetting
– Controls
– Physical Security
– Disposing of customer data
– Managing third-party suppliers; and
– Internal audit and compliance.

Click here for the detailed report.

2008 Data Breach Investigations Report

Some really exciting statistics reported by the Verizon Business RISK team.

It is worth noting that although, percentage-wise, insider data breaches account for 18% compared with 73% from external sources, later in the report it is mentioned that the impact of an insider breach is considerably higher than that of an external breach. A summary is below:

Who is behind data breaches?
73% resulted from external sources
18% were caused by insiders
39% implicated business partners
30% involved multiple parties

How do breaches occur?
62% were attributed to a significant error
59% resulted from hacking and intrusions
31% incorporated malicious code
22% exploited a vulnerability
15% were due to physical threats

What commonalities exist?
66% involved data the victim did not know was on the system
75% of breaches were not discovered by the victim
83% of attacks were not highly difficult
85% of breaches were the result of opportunistic attacks
87% were considered avoidable through reasonable controls

You can find the report here.

$7.5 billion trading scandal – is this the end of it?

Apparently not. The FSA is urging banks to improve their controls: simple advice, but barely followed. SocGen is a prime example. Although other entity-level and manual controls failed as well, it was the technology that made it possible in the first place (based on SocGen's official statement released some time earlier).

See here for more on this.

Technology Risk in Banking Context

An interesting article by Cynthia, hosted by Bankersonline, discusses technology/IT risk in a banking context to a certain extent. However, it would not have been too much to expect some reference to the capital requirement regulation and how it acts as a board-level motivation to take technology/IT risk management more seriously. More on it here.

10th Global Information Security Survey by Ernst & Young

The 10th Annual Ernst & Young Global Information Security Survey has been released and it reveals that companies are still failing to implement a holistic approach towards Information Security as the security function remains too isolated from executive management and the strategic decision-making process.

Below are highlights of the survey results:

– Meeting business objectives is a growing focus of information security.
– Information security is now more integrated into overall risk management.
– Information security remains isolated from executive management and the strategic decision-making process.
– Improving IT and operational efficiency are emerging as important objectives.
– Compliance continues to be the primary driver of information security improvements.
– Privacy and data protection have become increasingly important drivers of information security.
– Organisations rely on audits and self-assessments to evaluate the effectiveness of their information security programmes.
– Organisations are demanding more from vendors and business partners in managing third-party relationships.
– The greatest challenge to delivering information security projects continues to be the availability of experienced IT and information security resources.

Click here to download the survey.

Computer Security back in the days

A video on the subject of computer security from Computer Chronicles, a high-tech programme from the 1980s. Déjà vu? Nostalgia? Irony? Or just plain history?