How much confidence do financial organizations place in security controls?

The confidence financial organizations place in their security controls is only marginally better than the confidence retailers place in their controls, according to Tripwire.

Key findings from the survey of 102 financial services organizations and 151 retail organizations in the UK include:

• 65 percent of both financial and retail organizations would need between one to three days to detect a data breach on critical systems.
• 49 percent of financial respondents said that the Payment Card Industry (PCI) data security standard is the backbone of their security programs, compared with just 39 percent of retail respondents.
• 44 percent of financial respondents are unsure if their security controls would prevent the loss of customer data in the event of a data breach, compared to 38 percent of the retail respondents.

“The survey responses indicate that a surprising number of organizations are building their security programs based primarily on PCI,” said Dwayne Melancon, chief technology officer for Tripwire. “My concern is that PCI is a very prescriptive, checklist-oriented approach that is less effective if it is not coupled with a holistic risk-based security program. If these organizations stop at mere PCI compliance, they may be lured into a false sense of security.”

Melancon continued: “The majority of the organizations who responded said they could detect a breach of critical systems within one to three days. This is inconsistent with historical data that says most breaches go undiscovered for weeks, months or even longer. This survey data suggests that most organizations have a rose-colored view of their own capabilities when it comes to breach detection and response.”

Other findings reveal:

• 45 percent of respondents from financial services firms said that recent breaches have not changed the level of attention executives give to security, compared to 37 percent of retail respondents.
• Only 18 percent of financial respondents said their organization had already suffered a data breach that compromised customer data, compared to 28 percent of the retail respondents.

“It is not surprising that the financial services industry has more nascent attention and fewer detected breaches because it’s more regulated,” said Tim Erlin, director of IT security and risk strategy for Tripwire. “In many cases, regulations and their enforcement drive not only security but general situational awareness that contributes to more effective risk mitigation.”