Employees the weak link in financial sector security

Employees are the single most likely source of security incidents in the financial sector, according to a new European report.

The study from ENISA said that staff awareness and training were the way forward when it came to security, and were vital considering that breaches and the loss of customer information had the potential to cause heavy financial losses.

The nature of the financial business - with staff constantly holding and using data - also meant that downtime could not be afforded, nor IT system failure tolerated. ENISA picked out the example of how the London Stock Exchange stopped functioning.

"The poor state of data security is a serious issue for the financial markets," said ENISA executive director Andrea Pirotti. "This isn't the time to not invest in security and training for staff, as the costs and consequences thereof may be business critical."

The report said that financial institutions were usually ahead of the game when it came to information security awareness. However, this was usually built around ad hoc training initiatives based on fraud, identity theft or social engineering.

The report said that this wasn't enough to meet legal or industry mandates, or even to reassure customers who expected their financial assets to be protected in the event of a security breach.

It said: "While consumers may not fully understand the ramifications and demands of putting in place security strategies, controls and safeguards, they still expect financial institutions to protect the money they have entrusted to them. This is called trust."

The paper also contained practical advice, a set of 20 recommendations, and case studies provided by a number of European financial organisations. It is available here.