UK banks ignore security audit findings

Purely to satisfy regulations

For Sale sign detail

Some UK corporates routinely ignore the findings of security audits treating them solely as a necessary step to satisfy corporate governance regulations, according to an experienced penetration tester.

Tim Ecott, managing consultant at security integrator Integralis, explained that banks and other financial institutions are told they have to carry out a penetration test to comply with audits. In some cases - perhaps five per cent - Ecott and his team discover the same faults every time. "The findings of our reports are not followed up on either by the firms themselves or their auditors. We're not talking about critical security flaws but certainly about things that need fixing and leave firms open to attack," he said.

"Some of our clients take our report to pieces and do every thing we advise but with others, it's the same things over and over again. Reports over a period of quarters could be copies of each other with just a different date," Ecott told El Reg.

In some cases companies lack the resources to put things right; and often getting new applications up on running is given priority, leaving security concerns neglected, he said. "Firms need to think about security at the beginning of projects rather than as an afterthought. Security and business objectives need to be linked." ®

Related stories

Tough local laws drive corporate security
Over-compliance is the new compliance, says former SEC Chairman
Sarbanes Oxley for IT security?
Tough local laws drive corporate security
Anti Sarbanes-Oxley mood rises in Europe
Corporate governance goals impossible - RSA

Sponsored: Network DDoS protection