Financial services firms are failing to monitor their computer systems adequately for hacking attacks, a report by the Financial Services Authority has revealed.
The City watchdog audited 18 financial services firms and identified weaknesses in external intrusion detection monitoring and internal network management.
Several firms had failed to deploy intrusion detection software. Others had software in place, but lacked the expertise to use it effectively.
In some cases firms were swamped with too many false positives to make sense of the data.
The FSA also discovered a range of poor internal security practices, including the failure of companies to identify redundant e-mail accounts, failure to delete access rights when staff move, and the failure by companies to review the effectiveness of their outsourcing arrangements.
In one case a firm had placed its system administrator passwords in a sealed envelope in a locked fireproof safe, not realising that the passwords had also been posted in a Word document on a public part of its network.
While some large firms appear to have made progress, small and medium-sized firms continue to carry more serious and substantial information security risks, the FSA concludes.
Information security frameworks, including risk management processes, are not yet widely developed, and many old risks from legacy systems with poor security remain.