The world's largest financial institutions have reported an alarming increase in the number of security attacks over the past year.
More than three-quarters of respondents - 78 per cent, up from 26 per cent in 2005 - confirmed a security breach from outside the organisation.
And almost half - 49 per cent, up from 35 per cent last year - experienced at least one internal breach.
The worrying findings are revealed in the 2006 Global Security Survey released by Deloitte.
The fourth annual survey consisted of interviews with senior security officers from the world's top 100 global financial institutions and acts as a global benchmark for the state of IT security in the financial sector.
Matt Perkins, partner in charge of the financial services group at Deloitte in Birmingham, said: "The types of attack, the execution and exploitation require significant resources and coordination, which implies professional hackers and organised crime have taken over a domain once ruled by 'script kiddies' and one-off hackers."
Deloitte said that in terms of the nature of attacks experienced in the past 12 months, more than half (51 per cent) of external attacks were attributed to phishing and pharming, followed by spyware/malware utilisation (48 per cent).
Insider fraud (28 per cent) and leakage of customer data (18 per cent) were cited by respondents among the top three most common internal breaches.
This year, fighting identity theft and account fraud (58 per cent), along with identity management (41 per cent), made their way into the top five security initiatives for 2006.
Another indication of the financial industry's fast response to current events and emerging threats is the presence of disaster recovery and business continuity (49 per cent) among the top five security initiatives.
The importance of a business continuity plan, following the recent string of natural global disasters, is reflected by the impressive proportion of organisations (81 per cent) that confirmed having an enterprise-wide business continuity management program in place.
Mr Perkins said, "Financial institutions are experienced in responding to an ever changing security environment. They are shifting priorities and starting to take necessary measures to mitigate the various security risks and challenges.
"However, whilst it is only natural to shift focus to the most high profile or new and emerging threats, it is apparent that organisations must continue to maintain a balanced and strategic approach to their security operations and initiatives."
Interestingly, security awareness and training dropped off the top five list of initiatives from the previous survey. While 96 per cent of respondents were concerned about employee misconduct involving IT systems, only a third (34 per cent) have provided their staff with some form of information security and privacy training over the past year.
Other key findings of the survey included:
* Ninety-five per cent of participants indicated their information security budget grew over the past year. Logical access control products topped the list of security budget spending (76 per cent of respondents).
* Almost three-quarters (72 per cent) of financial institutions who experienced a security breach indicated the estimated amount of damage for the organisation, including direct and indirect costs, was in the range of $1 million.
* While the number of respondents with a chief information security officer (CISO) dropped by six per cent compared to last year (75 per cent versus 81 per cent), the life span of the position continues to grow with 22 per cent having been in the position from six to ten years, up from 13 per cent in 2005.
* Two-thirds (65 per cent) of respondents confirmed having a program to manage privacy, down by three per cent from last year.
On a regional basis, Deloitte said that Europe, Middle East and Africa (EMEA) was ranked as best in class this year when it came to the appointment of a CISO. The region has the highest percentage (91 per cent) of financial institutions with a CISO in place.
While EMEA also holds steady in other information security parameters compared to the rest of the world, it falls behind on employee training and awareness with only 41 per cent of financial institutions confirming the provision of security guidance to their staff, compared to the global average (49 per cent).
Asia Pacific (APAC), excluding Japan, was among the leading regions in the implementation of enterprise-wide business continuity management programs and managing privacy compliance (92 per cent and 85 per cent, respectively), likely as a result of the recent natural disasters that have struck the region.
However, in other areas of information security, such as appointing a CISO (23 per cent) and possessing a security strategy (33 per cent), the region is lagging behind the rest of the world. Furthermore, all respondents from the APAC region confirm encountering at least one information security breach over the past year.
Japanese respondents came out on top this year, taking the lead in eight different categories, including possessing a security strategy (93 per cent), providing employee training and awareness sessions (90 per cent), appointing an executive responsible for privacy (100 per cent) and having a program for managing privacy compliance (100 per cent). Financial institutions in Japan also reported the lowest level of security breaches (32 per cent).
For the first time since the survey's inception, all US respondents confirmed having a business continuity program in place.
Deloitte said that this did not come as a surprise considering the aftermath of hurricane Katrina, which wreaked havoc in the country and acted as a wake-up call for the financial industry.
While three-quarters (74 per cent) of the financial institutions in this region formulated an information security strategy, only 71 per cent feel that it is getting the management buy-in required. This year, 91 per cent of US respondents, which is above the 82 per cent global average, confirmed experiencing some form of security breach.
Canada is second in class to Japan, leading the pack in six categories with all respondents (100 per cent) confirming an enterprise-wide business continuity management program, as well as having a program to manage privacy compliance (100 per cent), which is headed by a designated executive (100 per cent).
On the other end of the spectrum, this region has the highest proportion of financial institutions (100 per cent) that encountered security breaches in 2005, and is among the lowest (55 per cent) in having provided security-related education to employees.