The world’s largest financial institutions experienced a surge in the number of security attacks over the past year, specifically from external sources, according to a study released today by the Financial Services Industry practices of the member firms of Deloitte Touche Tohmatsu.

More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization and almost half (49%, up from 35% in 2005) experienced at least one internal breach. Canada was not exempt from this trend with all of the Canadian respondents confirming they encountered security breaches over the past year.

The survey consisted of interviews with senior security officers from the world’s top global financial institutions and acts as a global benchmark for the state of IT security and privacy in the financial services sector.

Two out of the top three most common attacks experienced by the global financial industry, both externally and internally, were deployed to extort some form of monetary gain. “Phishing” and “pharming” accounted for more than half (51%) of external attacks, followed by spyware/malware utilization (48%). Insider fraud (28%) and leakage of customer data (18%) were cited by respondents among the top three most common internal breaches.

“The extent and nature of these security breaches signal a new reality for the global financial industry, including Canada. Execution and exploitation of these attacks require significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by ‘script kiddies’ and one-off hackers,” says Adel Melek, Partner with Deloitte Canada and Global Leader of Security & Privacy Services.

The shift to a more sinister criminal profile of online attackers and the potential risk they represent did not go unnoticed by the financial services sector, with evidence that they have started taking steps to fend off these threats. This year, identity theft and account fraud (58%), along with identity & access management (41%), made their way into the top five security initiatives for 2006.

Another indication of the financial industry’s fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49%) among the top five security initiatives. The importance of a business continuity plan, following the recent string of natural disasters around the globe, is reflected by the impressive proportion of organizations (88%) that confirmed having an enterprise-wide business continuity management program in place.

Interestingly, security awareness and training is one of the initiatives that dropped off the top five list from the previous survey. While 96% of respondents were concerned about employee misconduct involving IT systems, only a third (34%) have provided their staff with some form of information security and privacy training over the past year. The most common media financial institutions use for security training and awareness are web page alerts and emails (63%). Other, perhaps more effective, methods such as orientation training (35%) and recognition of exemplary behaviour (9%) ranked low in utilization.

On a global comparison, Canadian respondents ranked second only to Japan, leading the pack in six categories with all respondents (100%) confirming an enterprise-wide business continuity management program, as well as having a program to manage privacy compliance (100%), which is headed by a designated executive (100%). “Deloitte’s survey indicates that while all the surveyed Canadian financial institutions experienced security breaches, the good news is that proportionately to the size of their operations in Canada, these breaches don’t constitute an alarming situation. It is also noteworthy that Canada leads the pack globally in many categories of security management,” adds Adel Melek.