Regulatory compliance drives security adoption in Indian financial sector
Symantec Corp. today released the findings of its Symantec Security Check – Indian Financial Services Industry 2011 (Banking, Financial Services and Insurance industries) report.
The findings, close on the heels of the ensuing deadline for banks to comply with RBI (Reserve Bank of India) guidelines, reveal regulatory and governance mandates as a key driver of IT security for 50 percent of financial services enterprises. Increasing e-commerce and mobile transactions were identified by one in five enterprises as another reason for increased adoption of security.
Survey Highlights
Digital attacks prove costly: During the last financial year, 23 percent of respondents experienced an external attack ranging from phishing attempts, theft of proprietary information and denial of service attacks. External theft of confidential information was faced an average of 1.5 times and internal theft of information an average of 5.8 times.
Financial services enterprises face significant financial losses due to security breaches, with the average loss being Rs 6.86 crore (Rs 68.6 million). This figure was nearly double for Indian banks, at Rs 12.6 crore (Rs 126 million). Sixty-seven percent of respondents that experienced a data breach lost man hours, and 61 percent stated that they had lost customers as a result. More than 80 percent of respondents have faced downtime due to online attacks, and took an average of four hours to resume normal operations.
Compliance and governance driving IT security adoption: 50 percent of respondents from financial services enterprises in India cited compliance as the primary driver for adopting IT security. In fact, one in four respondents that experienced a digital attack faced monetary penalization.
Over the last year, RBI has mandated two-factor authentication at banks for all delivery channels. In the past 12 months, 31 percent of respondent banks invested in identity management, and they state that investment in technologies to address such regulations is likely to continue. According to the survey, technology investments during the next financial year will be made towards stronger governance, business continuity planning, securing mobile and wireless transactions, data loss prevention and network security.
Mobility and Consumerization of IT pose security risks: The risk of exposing confidential information is increasing as customers explore new channels for financial transactions through e-commerce and mobile banking. Besides increased mobile and online transactions (18 percent), growing internal threats (15 percent) are also significant factors driving security adoption. The survey revealed that eight out of ten employees at respondent organizations use endpoints, and that currently 81 percent of smartphone users in these organizations access corporate information, and 57 percent use instant messaging.
“CIOs at financial services enterprises in India are concerned about the security of their information and related losses, leading to crucial attention towards IT governance,” said Ajay Goel, managing director, India and SAARC, Symantec. “RBI guidelines, the impending Basel III compliance and the IT (Amendment) Act 2008 regulations are compelling the financial sector to take a close look at how they secure and manage their information.”
Threats Targeting Financial Information
- W32.Sality.AE, one of today’s most prevalent threats, spreads by infecting executable files and attempts to download potentially malicious files from the Internet. The operators of this botnet are capable of stealing banking information.
- Trojan.Tatanarg is a Trojan horse that attempts to steal information from the compromised computer. It specifically targets Internet banking accounts.
- Infostealer.Bancos variants are malicious software programs responsible for stealing confidential financial information, collecting email addresses, and deleting predetermined files from compromised machines.
- Zbot, also known as Zeus, is a malware package that allows the most novice hackers to easily steal online banking credentials and other online credentials for financial gain.
Recommendations
Financial services organizations need to develop and enforce IT policies and automate their compliance processes. By prioritizing risks and defining policies that span all locations, businesses can enforce policies through built-in automation and workflow to protect information, identify threats, and remediate incidents as they occur or anticipate them before they happen.
Businesses need to protect information proactively by taking an information-centric approach to protect both information and interactions. Taking a content-aware approach to protecting information is key in identifying and classifying confidential, sensitive information, knowing where it resides, who has access to it, and how it is coming in or leaving an organization. Proactively encrypting endpoints will also help organizations minimize the consequences associated with lost devices.
To help control access, IT administrators need to validate the identities of users, sites and devices throughout their organizations. Furthermore, they need to provide trusted connections and authenticate transactions where appropriate.
Organizations need to manage systems by implementing secure operating environments, distributing and enforcing patch levels, automating processes to streamline efficiency, and monitoring and reporting on system status.
Finally, organizations need to protect their infrastructure by securing all of their endpoints, including the growing number of mobile devices, along with messaging and Web environments. Defending critical internal servers and implementing the ability to back up and recover data should be priorities. In addition, organizations need visibility, security intelligence and ongoing malware assessments of their environments to respond to threats rapidly.