News: Fraud, Data Governance, and CAE Worries
Banks step up Internet security investments; inadequate “big data” governance raises risks; audit executives concerned about technology threats.
Banks Facing Fraud Head On
FFIEC guidance is behind banks’ investments in Internet security, according to a recent survey.
More than half of banks and credit unions expect to increase their fraud-fighting funding and staffing this year, according to the 2012 Faces of Fraud survey conducted by Information Security Media Group, publisher of BankInfoSecurity, and sponsored by Authentify, Guardian Analytics, i2, RSA Security, and Wolters Kluwer Financial Services. The increase in fraud resources is partly fueled by their need to comply with the Federal Financial Institutions Examination Council’s (FFIEC’s) Authentication Guidance for Internet banking issued in 2011. BankInfoSecurity recently published a summary of the survey results.
Only 11 percent of the more than 200 information security professionals surveyed say their financial institutions conform with the FFIEC guidance. Almost 30 percent don’t fully understand the guidance, and 88 percent are not convinced the guidance will reduce online fraud significantly.
“Regulation drives spending,” said George Tubin of Boston-based GT Advisors, a financial services and technology consultancy, during an April webinar that presented the survey results. “You’re in a situation where the regulators are telling you, ‘You have to do something; you have to make improvements.’”
Respondents’ top planned security investments over the next 12 months include fraud detection and monitoring systems (61 percent), improved staff training (49 percent), enhanced customer and member education (43 percent), better controls over account activities (28 percent), and more internal and external audits (27 percent).
The survey also identified the five most common forms of fraud: credit and debit card fraud, check fraud, phishing and vishing (socially engineered schemes), Automated Clearing House and wire fraud, and ATM fraud (skimming and ram raids). Interestingly, 82 percent of respondents admit that their institutions usually detected fraud events only when a consumer notified them.
— Shannon Steffee
Inadequate Governance of Burgeoning Data Creates Risks
Organizations that lack effective policies for classifying, managing, securing, and maintaining their “big data” can incur legal and reputational damage, a recent report warns.
About a year ago, business consulting firms began trumpeting the strategic value of collecting and mining “big data” — data sets so large they typically overwhelm traditional analysis tools such as spreadsheets and rudimentary relational databases. Many organizations have begun warehousing the abundant data generated by customer transactions, website visits, social media activity, and many other sources, even if they have not yet acquired the advanced technology and expertise needed to mine it productively. However, a recent survey (PDF) of about 100 U.S. IT executives by the risk and business consultancy Protiviti Inc. warns that inadequate governance of this burgeoning data can create substantial new security, privacy, and compliance risks.
Management of 23 percent of respondent organizations has limited or no understanding of the difference between its sensitive information and other data. This finding “should be considered troubling, especially given the potential ramifications related to regulatory compliance and reputation damage” of mishandling personally identifiable information, the survey report says. For example, the U.S. federal government and all but four states have enacted punitive data privacy laws.
Although 69 percent of respondent organizations understand the attributes that make some information sensitive and have adopted a policy directing this categorization to take place, only half have instituted a system for ensuring compliance with the policy.
Survey respondents seem to understand that the longer data is retained, the greater the risk it will be breached. More specifically, 63 percent of respondent organizations have developed data-sensitivity-based retention and destruction policies. Almost one-fourth (22 percent) destroy all data after it is retained for a predetermined period, regardless of its classification. However, 7 percent retain all data indefinitely. Not having a classification-based retention/destruction policy and implementation system “creates unnecessary risks with regard to security and regulatory compliance,” the report says.
— Al Holzinger
Technology and Security Risks Top List of CAE Worries
Recent bad experiences have audit executives raising their guard against IT threats, a recent study notes.
Risks arising from the adoption of new technologies are the principal concerns of 300 chief audit executives (CAEs) recently polled (PDF) by the public accountancy Grant Thornton LLP. The greatest among these frets, with apparent good reason, is information security, according to an executive summary of the survey results, Rising to New Challenges: The View From the Office of the CAE.
Far and away the greatest security concern, cited by 81 percent of survey participants, is the privacy of customer and employee data. Other substantial worries are the safety of mobile computing (63 percent) and potential loss issues stemming from migration to cloud computing (55 percent). Of note, one-third of respondent organizations have moved at least some of their IT operations to the cloud during the past 12 months, up 8 percent from the previous year.
Respondents’ concerns about information security generally are based on recent bad experiences. More than half of participating CAEs (56 percent) report their organization had as many as 10 cybersecurity incidents in the past 12 months. Sixteen percent of respondent organizations had to report one or more of those breaches to regulators or customers. A plurality of respondents (42 percent) say external sources such as organized hacker groups pose the greatest threat to their organization’s information resources, followed closely by employees and other “trusted” sources (38 percent).
“Not surprisingly, emerging risks are on the minds of CAEs,” Grant Thornton partner Warren Stippich says in a press release. “With cybersecurity threats becoming ever more common, internal audit needs to make evaluating data security a key part of the audit plan.” The full survey report will be released in stages during the coming months.
— Al Holzinger