While financial services firms across the world continue to make budget cuts, Deloitte says the knife has passed over many information security budgets, and those firms are turning their attention to Identity and Access Management.

While the world continues to struggle with the worst economic downturn in recent memory and corporate budgets suffer as a result, information security budgets at financial services firms have remained safe from the knife, according to a study by Deloitte Touche Tohmatsu (DTT). In fact, the professional services firm said that many financial services firms have increased their budgets for information security.

And for the first time, Identity and Access Management (IAM) has been the top priority of many information security organizations within financial services firms, Deloitte said. The findings were released last month in Deloitte's "2010 Global Financial Services Security Study: The Faceless Threat." The other top spending priorities include: data protection, security infrastructure improvement, regulatory and legislative compliance and information security compliance.

"The new decade marks a turning point for those of us in the information security industry," wrote Adel Melek, DTT Global Leader, Information and Technology Risk Global Financial Services Industry, and DTT Global Leader, Enterprise Risk Services Global Financial Services Industry. "We now live in an age of cyber warfare. The environment is dangerous and sinister. The children who used to make mischief in their basements are now only bit players and rarely make the news anymore. They have been superseded by organized crime, governments and individuals who make computer fraud their full-time business, either for monetary gain or competitive or technological advantage. Countries now accuse each other of cyber warfare. Every network of substantial size has been compromised in some way. Governments are appointing senior military brass to focus on cyber warfare. The stakes have never been higher and the battle is being fought in every corner of the world. It's all out there: botnets, zombie networks, Trojans, malware, spam, phishing, much of it now so sophisticated that even the most wary of us can be tricked."

While the attacks are growing more sophisticated, Deloitte noted that the chilling thing is that the perpetrators don't need to be. As proof, it cited the Mariposa botnet, which, until it was dismantled in December 2009, consisted of 8 million to 12 million zombie computers. Computers infected by Mariposa would monitor activity for passwords, bank credentials and credit card numbers and then contact a command-and-control server within the botnet. As the botnet grew, its owners were able to rent its services to other organizations for things like distributed denial-of-service (DDoS) attacks.

Mariposa was not the brainchild of brilliant computer programmers, but individuals with "limited computer skills," the report said. "They downloaded the software they needed from the Internet for less than a thousand dollars and were so unsophisticated that one of them, using his home computer, led police to his door."

"You don't have to be a large, highly sophisticated criminal enterprise to try to perpetrate breaches," Ed Powers, of the Financial Services Security and Privacy Team at DTT, told eSecurityPlanet. "There's an opportunity now for smaller organizations or even individuals to get ahold of these tools. The whole notion of an underground economy has really flourished in the past couple of years. It's a very highly evolved economy that has developed. The people that are actually attacking your systems in many cases are not perpetrating fraud against you, but they're selling access to your data or to your systems."

Powers said some of these criminal organizations even have service level agreements in place.

As the threat evolves, Deloitte said that financial services firms, driven by Governance, Risk and Compliance (GRC), have made IAM a top priority for 2010. Deloitte said 44 percent of financial services firms have made IAM their top initiative.

"Key issues, borne out by the top internal/external audit findings, are access certification, knowing who has access to information, whether it is appropriate, and documenting it—and strong governance that establishes automated, continuous processes for managing user access to information resources," the report said.

IAM is no longer simply a gatekeeper technology. It can offer granular levels of access, and also has the ability to track back, keystroke by keystroke, what events took place, when and by whom.

Larger organizations, especially, are prioritizing IAM. Deloitte said 63 percent of organizations with 10,000 or more employees have made it a top priority in 2010, compared with 35 percent of organizations with fewer than 1,000 employees. Geographically, firms in the US and Japan are leading the charge, at 67 percent and 65 percent of organizations, respectively, while only 35 percent of firms in the UK have made it a priority.

Other key findings of the study include:

  • Data loss prevention has taken on increasing urgency within financial services firms as a result of sagging confidence in their ability to thwart internal breaches. While 56 percent of respondents said they were "very confident" in their ability to stop external attacks, only 34 percent felt the same with respect to threats that originate internally. The study indicated that data loss prevention would be one of the most piloted technologies in the next 12 months.
  • Financial institutions are bracing for even greater regulatory pressure. Respondents said they are hiring more internal auditors to resolve internal and external audit findings. Additionally, organizations’ information security compliance remediation now ranks as one of the top-five security initiatives in Deloitte's survey.
  • Organizations still lack alignment between their security and business objectives. Deloitte said that while 87 percent of organizations have a security strategy or plan to have one within the next 12 months, their security functions don't get input or involvement from the lines of business when developing the security strategy. Deloitte said that means the strategy tends to be security-function driven rather than business-goals driven.
  • Financial services firms, once content to be late adopters when it comes to emerging security technologies, are becoming more proactive and have become "early majority adopters."
  • Executives responsible for information security are beginning to bring physical information, like paper, under their purview. The percentage of organizations that recognize paper-based information as part of the chief information security officer's mandate and scope has risen from 45 percent in 2009 to 59 percent in 2010.

Thor Olavsrud is a former senior editor of InternetNews.com and covers operating systems, standards and security.
