A report published today by the Financial Services Authority paints a mixed picture of how U.K. financial firms are managing their information security in the fight against fraud and other financial crime.

The regulator says that while major firms, particularly in the banking sector, have built their defences in response to targeting by hackers and fraudsters, other sectors and small and medium-sized firms are less well prepared.

The report found that financial losses to firms and customers were low, but said firms could do more to address the potential risks rather than responding to attacks once they have occurred.

The report highlights the need for senior management to take on responsibility for information security, which includes the need for firms’ defences to be continuously reviewed and updated to keep on top of the increasingly sophisticated methods used by criminals.

According to the report, traditional threats to information security still exist in some firms because they did not invest adequately in their security frameworks. Some did not properly control employee access rights or user administration in their networks. Legacy systems with poor security design were also identified as a common threat. However, others had responded to the emergence of new information security threats, such as ‘phishing’. Security awareness campaigns for customers were identified as an effective defence strategy being used by firms.

The report notes that, so far, few firms have built relations with the various industry bodies and government agencies which are working to reduce financial crime, and many small-to-medium-sized firms were unaware of the support available to them from schemes designed to offer advice on best practice.

“Hackers and fraudsters are refining and improving their techniques as we speak. In the fight against fraud, firms will have to run to stand still if they are to protect their assets and those of their customers,” said Philip Robinson, Financial Crime Sector Leader at the FSA.

“Firms should follow a preventative approach rather than reacting to a situation once it has happened which can be costly and damaging to reputation,” Robinson said.