According to the report, which assessed 18 firms, some major
companies, particularly in the banking sector, have responded well
to threats from hackers, fraudsters and phishing attacks, but other
sectors and SMEs have a lot to do.
Although financial losses to firms and customers were found to
be low, firms could do more to address the potential risks rather
than responding to attacks once they have occurred. In particular,
said the FSA, senior management needs to take on responsibility for
information security, which includes the need for firms' defences
to be continuously reviewed and updated to keep on top of the
increasingly sophisticated methods used by criminals.
"Hackers and fraudsters are refining and improving their
techniques as we speak," said Philip Robinson, Financial Crime
Sector Leader at the FSA. "In the fight against fraud, firms will
have to run to stand still if they are to protect their assets and
those of their customers."
"Having been the target of criminals in recent times, via the
internet and other technologies, the major banks tend to have
strong defences in place. But there is no room for complacency and
criminals will seek to exploit vulnerable points where they can
find them, including in other sectors or smaller firms," he
warned.
According to the report, traditional threats to information
security still existed in some firms because they did not invest
adequately in their security frameworks. Some did not properly
control employee access rights or user administration in their
networks. Legacy systems with poor security design were also
identified as a common threat.
Few firms were found to have built relations with the various
industry bodies and government agencies that are working to reduce
financial crime, and many small-to-medium sized firms were unaware
of the support available to them from schemes designed to offer
advice on best practice.
The report also highlighted the growing evidence that organised
crime groups are deliberately targeting firms to place staff to
commit financial crime, particularly identity theft. Firms must vet
their staff carefully before confirming their appointment, warned
the FSA.
According to the report, firms should also be aware of the risks
associated with the use of instant messaging, PDAs and other
portable devices with a USB (Universal Serial Bus) connection, one
of the main standards for connecting devices to computers, all of
which could be used to steal or transfer corporate information.
Such devices could also introduce malware, such as viruses, into
the corporate network, and firms should raise employee awareness
about the risks associated with connecting personal devices to the
company systems, warned the watchdog.
These new threats, the report concluded, have served to remind
firms of the need to secure their assets and those of their
customers from both internal and external threats. Security
awareness campaigns for customers were also identified as an
effective defence strategy being used by firms.
"Firms should follow a preventative approach rather than
reacting to a situation once it has happened, which can be costly
and damaging to reputation," said Robinson. "Consumers must also
take steps to prevent attacks from fraudsters, by taking care when
disclosing their personal details or following the security tips
offered by their on-line banking service."
This advice was underlined by the Association for Payment
Clearing Services (APACS) last week when, speaking to the BBC,
APACS director of corporate communications Sandra Quinn confirmed
that in future years customers who did not take reasonable care in
dealing with unsolicited e-mail might not be refunded for their
losses if they then fell victim to a phishing attack.
"We want to make sure customers know what types of frauds there
are and how to avoid being a victim," she explained. "While
customers don't know of all the risks, the safety net exists."
"What we have always said is that we won't forever provide a
guarantee," Miss Quinn told the BBC.