Can I be the first to say
The biggest threats to the security of financial institutions' electronic systems are the mistakes that people make, according to a survey (pdf) of banks' IT security. The survey by consultancy Deloitte has found that customers are the common weak link in allowing the viruses, worms, and hacking attacks on to financial services …
Did this survey into the bleeding obvious cost?
Maybe we need a survey into how gullible senior managers are when it comes to surveys/research on the obvious?
And yet another blindingly obvious outcome. How much did this one cost?...
... Well duh!
Fire is Hot, The Sky is Up, and Water is Wet.
There is a very good reason I have a mug stating "It must be User Error."
"... the mathematics is impeccable, the computers are vincible, the networks are lousy, and the people are abysmal." Bruce Schneier
Hot news! Users can be stupid and computer-illiterate. Talk about stating the bleedin' obvious!
As obvious as counter-claiming that most financial institutions are money-grabbing arseholes with only the flimsiest grasp of IT security and an almost-criminal tendency to hive off their incompetence onto their customers.
Quote: "Two thirds of the companies said they did not want to be responsible for the customer's IT security..." More accurately, they don't want to be responsible for *any* security measures that might cost them money or hit their profits.
Oh, and how come El Reg seems increasingly to be punting verbatim press releases as 'news'? What was it HL Mencken said? "News is what somebody somewhere wants to suppress; all the rest is advertising."
Surely the common thread running through these incidents is MS software?
Well, there's a surprise!
Personally I tend to blame the hardware for database failures, but I think the boss is on to me.
People just need more computer training. You can't drive a car without a licence, but you can operate a complex banking software just by saying "I can".
That's about all there is to say - talk about the art of stating the bleeding obvious :-)
This is exactly what Kevin Mitnick was saying years ago...
Considering that the weakest link is always human, and given enough money a human will do pretty much anything, this "research" shouldn't just worry banks. Any IT project is vulnerable to human intervention.
How much to swap your dna records with that of a known terrorist?
This is news? They have only just worked this out? Your system can be as secure as you like, but it only takes one idiot to write down his/her password then drop it on the train...
Mind you, anally retentive IT managers who think good password policy is to insist on random letter / number combinations and insist on the password changing every month merely encourages people to commit their passwords to paper instead of memory.
And idiots like the IT manager of a local college who sat opposite me on the train wearing his ID card around his neck for all to see don't help much either...
Ring ring, ring ring.
"Hello, Pigpimples school of reading and writing"
"Hi, it's Joe, Joe Bloggs, the IT Manager. Who's that"
"Oh, Hi Jane, I'm trying to fix a remote access problem and I need your username and password"...
And 9 times out of 10, "Jane" will tell him. Well, it's Joe, isn't it? She can trust him, can't she?
If the banks (or any site that needed a login) had a clue, they wouldn't send html email, full stop.
All links would be in plain text, and "tracking links" should be banned.
I once had one from Morgan Stanley in html - the links they gave to log in to my account were via a third party site, and the email was sent by yet another unknown third party.
The worrying part is the email _was_ legitimate, so I sent a complaint to the banking ombudsman to notify them of their stupid practices.
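The complaint above is that a genuine bank e-mail carried "log in" links that went via a third-party host, plus tracking links. The following is an added example (not code from the article or any commenter) of the check a mail gateway, or a careful recipient, could run over such a message: it pulls every anchor out of the HTML body and flags links whose host is outside the sender's domain, and in-domain links that are really redirectors carrying another URL in their query string. The sample message and the domains `example-bank.com` and `example-mailer.net` are constructed.

```python
"""Flag links in an HTML e-mail that leave the sender's domain or bounce through a redirector.

Added example; the sample message and domains are constructed, not taken from any real bank.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a href=...> in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def same_org(host, sender_domain):
    """True if host is the sender's domain or a subdomain of it."""
    host = host.lower().rstrip(".")
    return host == sender_domain or host.endswith("." + sender_domain)


def looks_like_redirector(url):
    """A query string that itself carries a URL is the usual shape of a tracking link."""
    for values in parse_qs(urlparse(url).query).values():
        if any(v.lower().startswith(("http://", "https://")) for v in values):
            return True
    return False


def audit_links(html_body, sender_domain):
    """Return (kind, visible_text, host) findings; an empty list means every link stays in-domain."""
    parser = LinkCollector()
    parser.feed(html_body)
    findings = []
    for href, text in parser.links:
        host = urlparse(href).hostname or ""
        if not same_org(host, sender_domain):
            findings.append(("offsite", text, host))
        elif looks_like_redirector(href):
            findings.append(("redirector", text, host))
    return findings


# Constructed sample: the first link says "log in" but points at a third-party host,
# the second stays on the bank's host but is a tracking redirector, the third is clean.
SAMPLE_HTML = """
<p>Dear customer,</p>
<p><a href="https://secure-login.example-mailer.net/bank?u=42">Log in to your account</a></p>
<p><a href="https://www.example-bank.com/track?next=https://www.example-bank.com/login">Statements</a></p>
<p><a href="https://www.example-bank.com/help">Help</a></p>
"""

if __name__ == "__main__":
    for kind, text, host in audit_links(SAMPLE_HTML, "example-bank.com"):
        print(f"{kind:10s} {text!r} -> {host}")
```

Run against the constructed message it reports the "Log in to your account" link as offsite and the "Statements" link as a redirector, and nothing for the help link. A gateway would typically only act on the "offsite" class; the redirector class is the "tracking links" the commenter wants banned, and is a policy call.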
Deloitte in "open door kicked in"* shocker! Stating the obvious was never done with such professionalism.
* Dutch proverb.
Bears shit in the woods.
Wouldn't cop to it themselves would they.
A decent IT manager would factor in and prevent dumb users from shooting themselves (and the bank) in the foot. Though it's a lot easier to pin the blame on someone else and enjoy your fat salary for doing no real work.
..by consultants to make their clients feel good? How unusual!
> "All of these breaches are perpetrated via the customer,"
Rubbish. How does a customer's infected PC affect the bank's system? Unless it's actually a keylogger, but Deloitte and "senior IT executives" don't appreciate the distinction.
Stupid staff clicking on executables in emails - Oh wait, that's not an external problem, so we don't have to admit we screw up too.
And I thought that banks were going for 2-factor authentication to fix this problem? Just because it _can_ be beaten by man-in-the-middle attacks doesn't mean it's not worth doing.
Time for a bit of pedantry here. Customers are not the threat - customers are the vulnerability. The threat comes from the "viruses, worms and hacking attacks" mentioned in the article. Those threats make use of the vulnerability presented by the fallible people involved.
Threats should be removed, if at all possible.
Vulnerabilities should be patched. Training, anyone?
Yep, that's about the frequency of these 'studies' pumped out by the Big Few accounting companies in their continual jostling for relevance. (And I can recall these 'studies' back to 1982 but I'm sure they started long before I paid attention.)
Good controls (and let's not faff around with nonsense like 'security' - it gives an entirely false impression)... good controls are a balance of technology, people and process. By all means buy and install the latest and greatest electronic lock for your front door - but if you don't educate the wife on how to use it and don't maintain it then don't be surprised if the wife starts using the window to come and go.
It's timely that Deloitte point out companies' increasing reliance solely on technology as a control (more and more are doing this as it appears to be cheaper and more manageable than those horrid, complex 'people' thingies) but any pretense at this being news simply has to make us smile.
Ah, looks like we DO need to state the bleeding obvious for some people..
IT managers are people too.
"Mind you, anally retentive IT managers who think good password policy is to insist on random letter / number combinations and insist on the password changing every month"
Yep. I absolutely hate those policies, more so when they involve "letters and numbers I pulled out of my ass, 20 password history, etc." Some systems I use have such policies, and I've run out of "secure" passwords. Ow.
That said, users are stupid, always have been, and bad practice (like HTML *email*) doesn't help a bit.
It's just bank sponsored "it's the customer's fault not ours" nonsense.
I just assumed in this "article" that they were talking about employees getting infected/targeted... I admit I largely just skimmed through...
Initial thoughts: If a luser ends up giving away confidential info/getting a trojan, and someone gets into his acct and drains it, I wouldn't really consider that a security breach. I would consider that an expensive lesson learned, more along the lines of an inconvenience.
HOWEVER... if an internal employee was checking his Hotmail at work (you mean someone can have a personal email address that is something OTHER than Hotmail?? Ok wait, I don't follow...), and installs a trojan on his workstation, now THAT would be a security breach.
Come ON, be fair, this is Deloitte we're talking about! They routinely charge an obscene amount of money to do f**k all work before announcing the f**king obvious like it's some kind of Divine Inspiration.
When they're not doing that, they spend their time (that your company is paying through the nose for) coming up with "security measures" to inflict upon your staff/clients so your IT dept is kept busy unlocking accounts and resetting passwords because some staffer/client forgot the impossibly-long-for-anyone-not-in-IT password they had been forced to adopt thanks to Deloitte's "audit".
Thanks to those dicks our help desk team spends most of its day unlocking accounts due to the "three wrong passwords in 24 hours = permanent lock-out, have to get IT to unlock" policy insisted upon by Deloitte - apparently "3 wrong in half an hour = lock for 15 minutes" wasn't stringent enough.
And many of our staff are unused to computers so the triple-complexity passwords insisted on by Deloitte are hard for them to remember - resulting in frequent lockouts and password changes.
I'm now pushing for 32 character, quadruple-complexity, passwords that change daily in conjunction with three biometrics (retina, fingerprint and DNA sample) and a token (RFID card) - not for the computers, but for the doors to keep those bastards from Deloitte out of the building!
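The post above contrasts two lockout policies: "three wrong in 24 hours = permanent lock, IT must unlock" and "3 wrong in half an hour = lock for 15 minutes". The following is an added example (not code from the commenter or from Deloitte) that models both as sliding-window lockouts and runs them over two constructed traces: a forgetful legitimate user across two working days, and a steady stream of wrong guesses from someone who is not the account owner. The help-desk figure assumes (stated in the code) that a permanently locked user phones in and is unlocked straight away, one ticket per lock; the trace timings are constructed.

```python
"""Side-by-side cost of two account-lockout policies on the same failed-login streams.

Added example. Policy thresholds come from the comment above; the traces, the
"one help-desk ticket per permanent lock" assumption and the 5-minute guessing
cadence are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int          # failures inside the window that trigger a lock
    window_s: int           # sliding window over which failures are counted
    lock_s: Optional[int]   # lock duration; None means locked until an admin unlocks


# The two policies the comment describes.
PERMANENT_24H = LockoutPolicy(threshold=3, window_s=24 * 3600, lock_s=None)
FIFTEEN_MIN = LockoutPolicy(threshold=3, window_s=30 * 60, lock_s=15 * 60)


def simulate(policy, attempts):
    """attempts: sorted (t_seconds, owner: bool, ok: bool) for one account.

    Each attempt is either evaluated against the password store or rejected
    because the account is locked. Returns the counts the help desk and the
    security team each care about.
    """
    window = []              # timestamps of recent failures
    locked_until = -1.0      # lock expiry; inf means an admin must unlock
    stats = {"evaluated": 0, "rejected_locked": 0, "locks": 0, "helpdesk_tickets": 0}
    for t, owner, ok in attempts:
        if t < locked_until:
            if locked_until == float("inf") and owner:
                # Assumption: the real user phones the help desk and is unlocked
                # immediately; every such call is one ticket.
                stats["helpdesk_tickets"] += 1
                locked_until = -1.0
            else:
                stats["rejected_locked"] += 1
                continue
        stats["evaluated"] += 1
        if ok:
            window = []          # a good login clears the failure count
            continue
        window = [x for x in window if t - x < policy.window_s] + [t]
        if len(window) >= policy.threshold:
            stats["locks"] += 1
            locked_until = float("inf") if policy.lock_s is None else t + policy.lock_s
            window = []          # counter restarts after a lock
    return stats


# Constructed trace: a forgetful user. Day 1, 09:00: three wrong, retries at
# 09:10 and 09:20 with the right password; 14:00: two wrong then right.
# Day 2, 09:00: three wrong again, right at 09:20.
DAY = 24 * 3600
USER_TRACE = [
    (0, True, False), (60, True, False), (120, True, False),
    (600, True, True), (1200, True, True),
    (18000, True, False), (18060, True, False), (18120, True, True),
    (DAY, True, False), (DAY + 60, True, False), (DAY + 120, True, False),
    (DAY + 1200, True, True),
]

# Constructed trace: someone who is not the owner guessing every 5 minutes for a day.
ATTACKER_TRACE = [(300 * k, False, False) for k in range(DAY // 300)]

if __name__ == "__main__":
    for name, policy in (("permanent/24h", PERMANENT_24H), ("15min/30min", FIFTEEN_MIN)):
        print(name, "user:    ", simulate(policy, USER_TRACE))
        print(name, "guessing:", simulate(policy, ATTACKER_TRACE))
```

On these traces the permanent policy costs the forgetful user two help-desk tickets in two days and stops the guesser after three evaluated attempts; the 15-minute policy raises no tickets (the user is bounced once and gets in on the next try) but lets the same guesser have 174 of 288 attempts evaluated, with 58 lockouts along the way. Which side of that trade is right depends on how strong the passwords are and on whether a second factor exists, which is the point the thread keeps circling.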
I commonly say that a large part of network security is, "Protecting your assets from your asshats."