Today I stumbled about an interesting survey. The core result: More than three-quarters of financial institutions learn of fraud incidents when notified by their own customers. The quote I like most is: "In other words, despite the availability today of world-class fraud detection technology, despite broad awareness of the current fraud threats and incidents – nothing spreads faster than word of a breach". Fascinating, isn't it!? However, it is really somewhat irritating.

There is some reason for financial institutions not to invest as much as they could and should in security. Security comes at a cost and financial institutions still balance these costs against the fraud-related losses. I doubt that this equation really works out as expected, but I had this discussion more than once - frequently with CIOs and CISOs which don't have the budgets they'd like to have around security.

However, taking some risk is a valid approach. Given that there never ever will be the perfect security, a 100% security, everyone has to balance the cost of security and the (potential) cost of incidents happening. That's the same approach everyone uses in daily life when deciding about insurances. The fundamental problem in that area is that risks tend to be rated too low whilst costs are seen much more realistic. That's especially true when it comes to severe issues which might affect the net cash inflow, because that heavily affects the business. However, such risks are frequently ignored or missed when looking at IT security in financial institutions, leading to an underestimated risk and thus a lack of willingness to invest in security.

Another problem is the frequent lack of a holistic security strategy. Attacks at the operating system layer are still possible even when security at the application layer is good - and so on... Investing in point solutions might give the feeling of security, but it seldomly leads to real security.

However, all this doesn't explain why financial institutions not even are aware of incidents in some many situations. Even when someone takes a risk, he should have controls in place which provide the fraud information. Not doing this is just inacceptable because it moves the things from risk to uncertainty - and thus is against the governance requirements the management has to fulfill. Not knowing about fraud is a clear indicator for an insufficient risk management, because risks are just ignored.

From my perspective, financial institutions have to act in that area by looking at all risks and by acting appropriate - by at least knowing, but better mitigating these risks.

EIC 2011 will have several sessions around security for financial institutions and there will be a lot of experts from the finance industry attending - thus it's a perfect place to meet with peers and to discuss.