Financial services firms are failing to monitor their
computer systems adequately for hacking attacks, a report by the
Financial Services Authority has revealed.
The City watchdog audited 18 financial services firms and
identified weaknesses in external intrusion detection monitoring
and internal network management.
Several firms had failed to deploy intrusion detection software.
Others had software in place, but lacked the expertise to use it
effectively.
In some cases firms were swamped with too many false positives
to make sense of the data.
The FSA also discovered a range of poor internal security
practices, including the failure of companies to identify redundant
e-mail accounts, failure to delete access rights when staff move,
and the failure by companies to review the effectiveness of their
outsourcing arrangements.
In one case a firm had placed its system administrator passwords
in a sealed envelope in a locked fireproof safe, not realising that
the passwords had also been posted in a Word document on a public part
of its network.
While some large firms appear to have made progress, small and
medium-sized firms continue to carry more serious and substantial
information security risks, the FSA concludes.
Information security frameworks, including risk management
processes, are not yet widely developed, and many old risks from
legacy systems with poor security remain.