Financial services companies confident in their info security, but still have work to do: report

Most executives in the global financial services industry are confident in their companies’ information security programs, but they may not be as safe as they think, a recent report suggests.

The Global State of Information Security Survey 2013, led by PricewaterhouseCoopers, included 1,338 respondents from the financial services industry, from companies of varying sizes worldwide.

Half of those respondents called themselves “front-runners” in terms of their companies’ approach to information security, meaning they have an effective strategy and execute it proactively. Only 10% admitted to lacking an effective strategy and being reactive, or “firefighters,” according to the report.

Overall, 83% of those surveyed said they were confident that their companies’ security practices are effective. Nearly a third (31%) of respondents reported no security incidents in the past year, down from 34% in 2011. Only 11% reported 50 or more incidents; however, 15% didn’t know the number for their organization.

Despite their confidence, less than half (45%) of respondents have a process to report and handle breaches to third parties that handle data, and only 46% require such third parties to comply with their companies’ own security policies, the report says.

In 2012, financial firms also reported a decrease from last year in deployment of security tools such as secure browsers and network firewalls. Fewer respondents also keep an accurate inventory of locations of employee and customer personal data when compared to 2009 and 2010, the survey results suggest.

“Economic conditions” ranked high on respondents’ lists for what determines spending plans, second only to regulatory compliance, which indicates that economic uncertainty still has a significant influence on budgets, the report says.

Nearly half (49%) of respondents cited company leadership, whether executives or boards, as an obstacle to effective security, while a lack of vision and lack of capital expenditures also made the list.

In terms of spending priorities, mobile security tops the list this year, the study suggests, with data protection enhancements and social media-related enhancements not far behind.

Many companies, though, are still behind emerging and changing technologies, the report suggests. Technology such as cloud computing, social networking and personal devices often aren’t considered in overall security plans according to the report.

Perhaps unsurprisingly, companies in the financial services industry are also unwilling to collaborate on strengthening security, mainly due to competition and an unwillingness to expose potential weaknesses or liabilities, the report says. Only 55% of respondents say their organization works with others in the industry, including competitors, according to survey results.

The PwC survey was completed between February and April 2012.