Aussie banks spend up on IT security: survey

Financial services firms in the Asia Pacific are refreshing information security governance and strategy documents to reflect technological change and regulatory pressures, according to Deloitte.

The refresh is high on the list of IT security initiatives being progressed by banks and insurance firms this year, according to topline results from the forthcoming Deloitte 2012 Global Financial Services Industry Security Survey.

"We were a little surprised [about] information security governance and ... strategy because companies have had these in place for a long time," Deloitte Australia's security and resiliency services partner Tommy Viljoen said.

"But what we're seeing is that companies are having to refresh these documents in light of the technological changes that are happening as well as regulatory pressures."

Viljoen said that regulatory pressure to keep security governance and policies up-to-date was "massive" overseas.

"From a business perspective, the regulators have become much more engaged in terms of ensuring security is at the level that it should be," he said.

Deloitte found that Australian banks were driven to focus on IT security as they sought to make greater use of mobile channels.

Financial services firms were generally highly engaged when it came to IT security, the survey found.

"Whereas years ago it was seen as an IT solution and IT were told to go and fix it, we're seeing business far more engaged," Viljoen said.

"We've also seen a lot more integration of security into the business risk frameworks, the operational risk frameworks as well as the enterprise risk frameworks.

"I think this is really important because you don't want security out on a limb on its own. It really needs to be owned by the business."

Financial services firms in Asia Pacific were generally not as constrained as their global counterparts when it came to IT security budgets.

More than 70 percent of banks globally dedicated at least one-to-three percent of their IT budgets to information security, the survey found.

About half of respondents in Asia Pacific saw IT security budgets increase year-on-year.

"I'm actually quite encouraged by that," Viljoen noted. "If I compare it to global [figures], I'd rather be in Australia."

Unlike other parts of the world, there was no one clear attack vector that dominated the security threats experienced by financial firms in Asia Pacific.

Espionage, online platforms, fraud and third-party security breaches were equally threatening in Asia Pacific, while hacktivism was a distant equal fifth.

The dispersed threat meant IT security spending had to be similarly diverse.

"Obviously that means ... we can't focus our spending on any one area," Viljoen said.

"We've got to continue to be broad in the way we attack and manage security."

Viljoen was happy to be combating a broader base of threats, rather than see the threats concentrated in a single area.

"[Otherwise] the danger is we focus on one particular type of threat vector and we really tie that one down, but you're always going to find security is about the weakest link so you cannot focus on only one area," he said.

The full survey results are expected to be released later this year.

Copyright © SC Magazine, Australia