RSA 2007: Banks still struggling with IT security

Banks are still confused about how to best manage information and measure risks, according to research from Datamonitor and RSA Security.

Share

Banks are still confused about how to best manage information and measure risks, according to research from Datamonitor and RSA Security.

Most banks rely too much on IT for security and are overly confident in how effective security measures can be, according to a survey of IT directors of top tier banks from UK, France, Germany, Italy, Spain, Belgium, Netherlands and Luxembourg.

The survey findings, which were presented today at this year's RSA Security Conference Europe, showed that only 19% of banks recognised that perimeter security could not be totally effective in protecting the banks’ information.

Nearly half (47%) of respondents already focus on securing information over the perimeter. But only 43% see the need to extend the security management of their data to partners, consultants and contractors.

And almost half of respondents admitted to be complying with regulations on a case by case basis, rather than taking a more a strategic approach. Just 32% were comfortable that IT security was not managed in silos in their organisation.

Among UK banks, the majority of respondents agreed that security was more than an IT issue and there was a strong belief that information security should extend to third parties.

The survey found at UK IT directors have fewer illusions than their counterparts in other countries about the comprehensiveness of their enterprise-wide data view.

However, they were still over-confident about the capabilities of perimeter security, and only half focused on protecting information over securing the perimeter.

And 40% disagreed with the notion that information risk management should be driven at the enterprise level.

Martha Bennett, research director of financial services at Datamonitor, said that while banks were aware of the importance of managing information at a strategic level, in practice European banks remained confused about the best way forward.

“It is imperative that financial institutions do more to address information security risk, and to approach information risk management at the enterprise level.”

Bennett added: “In my experience, IT people take an IT-centric approach. Many claim they know what information is kept and who has access to it. They are overly confident that they have a view of the structure of information, because of measures put in place by banks for Basel 2 and the Data Protection Act. They think they can audit what information they have and know where it is.

"But if you were to ask them how many staff extract information onto Excel spreadsheets and then mail it or print it to distribute it, they might not be able to answer.”

RSA Conference Europe opened today in London with a keynote speech from Art Coviello, executive vice president of EMC and president of RSA. The conference, which runs until Wednesday, brings together security experts, vendors and end-users from across Europe.

Find your next job with computerworld UK jobs