Many types of organizations (not just financial) indicated that they are in the business of processing and storing financial information and are subject to compliance with multiple regulations, according to the recently conducted SANS Survey on Financial Service Security completed by 293 IT security professionals. SANS Institute is an information security training and certification organization.
In the survey, 32% of respondents say their organizations spend more than 25% of their security budget on meeting or providing compliance mandates. Yet, only 16% felt very prepared to fend off attacks against financial accounts.
"This survey confirms that most attacks start from within, either through abuse, misuse, or by employees falling victim to spearphishing emails," says senior SANS analyst and instructor, G. Mark Hardy, who authored the report. "However, quantifying losses is difficult, with nearly half of the survey participants unable to do so."
Of those that were able to quantify attacks on their organization, 44% suffered direct loss against impacted financial accounts and an additional 36% said they had experienced direct losses due to denial of service interrupting their business.
Survey respondents reported the most losses resulting from the following types of attacks:
- Abuse or misuse by internal employees or contractors (43%)
- Spearphishing emails (43%)
- Malware or botnet infections (42%)
Survey results also reveal that there is room for improvement in security programs.
"Vulnerability scanning, continuous monitoring, advanced firewalls, [intrusion detection systems], and [intrusion prevention systems] have the widest adoption among respondents," says Hardy, "While real-time threat intelligence and in-house security analytics have significant opportunity for increased market penetration."
The good news is that 49% of respondents plan to invest more heavily in security in the next 24 months.
"Security spending is up, but so are regulatory reporting requirements," says Hardy. "Unfortunately, compliance can siphon off scarce funds that could otherwise be used to reduce further losses."