Employees as big a risk as hackers

2007

Company audit committees are worried their boards are not spending enough time, money and effort on IT security and want a greater say on the issue, as new research has shown employees are responsible for almost a third of IT breaches within financial services organisations.

Two polls, one by KPMG and the other by Deloitte & Touche, have painted a picture of rising concern over the security of IT systems, with firms increasingly recognising that the internal threat from either malicious or simply thoughtless employees is as great as that posed by external hackers.

The KPMG poll of more than 1,300 audit committee members in 25 countries has found that nearly a third are unsatisfied that their committee spends sufficient time looking at IT risk issues, with six out 10 only "somewhat" satisfied.

Two thirds of audit committee members said they had primary oversight responsibility for issues relating to IT compliance and controls with half taking responsibility for oversight of business continuity issues.

While 45 per cent did have responsibility for information security and privacy, a fifth complained they had no oversight responsibility for this important area at all.

Its findings come against a backdrop of growing fears about IT security, particularly within the financial services sector.

Almost two thirds of financial services organisations polled by Deloitte reported external security breaches, with virtually all saying that investment in information security was rising as a result of increasing board-level focus on the issue.

Worryingly, almost a third of these breaches were down to employees, either through misconduct or unintentional errors and omissions.

The overwhelming majority of financial services organisations polled (91 per cent) said they were concerned about the risks arising internally.

Despite this, almost a quarter had provided no employee security training over the past year and only a third said their staff were well skilled to respond to security needs.

Mike Maddison, UK head of security and privacy services at Deloitte, said: "You can have the best technical systems in place but they are unlikely to operate effectively unless you educate people on their obligations and how to fulfil them."

Fewer than two thirds of the banks polled said they had an information security strategy in place, and just a tenth had their information security led by business line leaders.

What this meant, said Deloitte, was the emergence of a security paradox. Security incidents were continuing to grab business executives' attention but "ownership" of the underlying problems was still perceived to rest with IT departments.

"On the one hand, it is clear that senior executives know there are actions they must take to improve security to protect their customers' data for very good business reasons," said Maddison.

"On the other hand when it comes to taking action it once again becomes a technical problem. Despite these challenges, knowing that the problem exists is at least half the battle, so financial institutions are definitely moving in the right direction," he added.

Virtually all the organisations surveyed had increased their IT security budgets, although more than a third still felt investment was lagging behind business needs, the survey found.

Shifting priorities and "integration problems" were identified as the top reasons for information security project failures, it added.

For KPMG, Tim Copnell, director of its Audit Committee Institute in the UK, agreed that there was a gap between boards recognising there was a problem and being prepared to deal with it.

"The survey showed that nine out of 10 audit committee members felt they had improvements to make in the oversight of IT risk issues," he said.

"This is a worrying trend given that organisations are now so dependent on IT. If audit committees (or equivalent bodies) are not able to give sufficient attention to the oversight of IT risk, companies might be unwittingly exposed to risk," he added.

"Some boards may consider the oversight of IT risk to fall outside the remit of the audit committee. If a separate committee or the board itself takes up the mantle, the board must be satisfied that they have access to sufficient skills to examine the issues appropriately," he continued.

The typical audit committee now comprised three or four members, often with a chief executive or chief finance officer background, who served on one or two audit committees in total.

They met on average six times a year (five times face to face and once by teleconference call), although this ranged from more than seven times a year in the Americas to around four times a year in Africa.

On average, audit committee members devoted 100 hours a year or fewer to their duties.

In the Americas, a fifth said they devoted between 100 and 150 hours whereas in Asia four out of 10 spent fewer than than 50 hours a year on their duties.