Whilst some major firms, particularly in the banking sector, have built their defences in response to targeting by hackers and fraudsters, other sectors and small and medium-sized firms are less well prepared.
Although financial losses to firms and customers were found to be low, firms could do more to address potential risks in advance rather than only responding to attacks once they have occurred. The report highlights the need for senior management to take responsibility for information security, including ensuring that firms' defences are continuously reviewed and updated to keep pace with the increasingly sophisticated methods used by criminals.
The report, which reviewed 18 firms, is part of the FSA's new approach to fighting fraud in the financial services sector.
Philip Robinson, Financial Crime Sector Leader at the FSA, said: "Hackers and fraudsters are refining and improving their techniques as we speak. In the fight against fraud, firms will have to run to stand still if they are to protect their assets and those of their customers.
"Having been the target of criminals in recent times, via the internet and other technologies, the major banks tend to have strong defences in place. But there is no room for complacency and criminals will seek to exploit vulnerable points where they can find them, including in other sectors or smaller firms.
"Firms should follow a preventative approach rather than reacting to a situation once it has happened, which can be costly and damaging to reputation. Consumers must also take steps to prevent attacks from fraudsters, by taking care when disclosing their personal details or following the security tips offered by their online banking service."
According to the report, traditional threats to information security still existed in some firms because they did not invest adequately in their security frameworks. Some did not properly control employee access rights or user administration in their networks. Legacy systems with poor security design were also identified as a common threat. However, others had responded to the emergence of new information security threats, such as 'phishing'. These new threats have served to remind firms of the need to secure their assets and those of their customers from both internal and external threats. Security awareness campaigns for customers were identified as an effective defence strategy being used by firms.
The report notes that so far, few firms have built relations with the various industry bodies and government agencies which are working to reduce financial crime and many small-to-medium size firms were unaware of the support available to them from schemes designed to offer advice on best practice. The website addresses of many of these bodies are given in the report.
Other information security threats identified in the report include:
- Recruitment: there is evidence that organised crime groups deliberately target firms to place staff to commit financial crime, particularly identity theft. Firms must vet their staff carefully before confirming their appointment.
- Instant messaging: firms need to understand the risks associated with the use of instant messaging and be mindful of the FSA's handbook rule (SYSC 3.2.20) regarding the ability to keep adequate records of employee dealings.
- Personal Digital Assistants (PDAs), USB pens and Smart phones: these devices can be used to steal corporate information or act as sources of virus infection. Firms should raise employee awareness about the risks associated with connecting personal devices to corporate networks.