Canadian banks seek internal hackers to improve and test cyber security


Armina Ligaya, The Canadian Press

Published Thursday, November 22, 2018 10:32 EST

TORONTO – Hackers are targeting the internal systems of the Toronto-Dominion Bank at any given time using state-of-the-art techniques, but the bank's cyber security chief is not losing sleep over them – they work for him, after all.

The bank established an internal "red team" of ethical hackers last year – cybersecurity pros who try to hack into a computer network to test or evaluate its security on behalf of its owners – who conduct live attacks against the bank's own networks, said Alex Lovinger, vice president of cyber threat management at TD Bank.

"We're doing exactly as our opponents would do it … So if we find a weakness or something, we can either shut it down or solve it before a real attacker," he said.

Canada's largest banks are strengthening their defenses by hiring their own ethical hackers to test their systems as the frequency and sophistication of cyber threats increase.

A Senate report last month, entitled "cyber.assault: should keep you awake at night," sounded the alarm about the potential consequences of major cyberattacks in Canada.

"While some federal progress has been made last year, there is much more that the federal government and Canadians must do to protect us," said the report of the Senate Standing Committee on Banking, Commerce and Trade. "We must take the appropriate measures now, or soon we will all be victims."

Bank of Canada Governor Stephen Poloz also raised concerns about a cyber attack.

By 2017, 21 percent of Canadian companies reported they were impacted by a cyber security incident that affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 percent, followed by universities and the pipeline subsector, according to the agency.

New regulations that require Canadian companies to alert their customers about privacy breaches or face heavy fines went into effect earlier this month.

In May, Bank of Montreal and the Canadian Imperial Bank of Commerce's Simplii Financial digital brand said that thousands of their customers may have had their personal and financial data compromised.

BMO reported that hackers contacted the bank, claiming to have personal data of fewer than 50,000 customers, and that the attack originated outside Canada. At the same time, Simplii also warned that "fraudsters" may have accessed certain personal and account information for about 40,000 customers.

BMO chief executive Darryl White said he could not comment on the details of the privacy breach as an investigation is under way, but noted that there was "a very immaterial impact from a fraud perspective" and no significant financial burden as a result.

"We are much smarter than all events, and there are events every day, there are events every hour of every day … It is a continuous improvement exercise," White told reporters after the bank's recent investor.

Meanwhile, BMO is also turning to internal ethical hackers to test its systems. According to a recent job posting, BMO is seeking a senior manager with ethical hacking certification whose responsibilities include managing a team of "network penetration testing" experts.

CIBC did not answer questions about using ethical hackers.

"We leverage internal and external expertise, and we work closely with industry and government to improve the resilience of cyber security, threat intelligence and best practices," a spokeswoman said in a statement.

Alberta bank ATB Financial said in a recent job posting that it was recruiting a "Senior Penetration Tester" with experience in ethical hacking. An ATB spokeswoman said the job is to fill a recently vacated post.

Bank of Nova Scotia also established its own "red team" of hackers to test its defenses, said information security chief Steve Hawkins.

"As the volume of global cyber threats has increased significantly, the Bank wanted to have its own internal capabilities and created its own red team this year," he said.

With the series of data breaches in recent years, what worries TD's Lovinger is the accumulated amount of data that has been exposed.

"Hackers now rely on a wealth of information … which can now leverage more targeted attacks," he said.

Royal Bank of Canada established internal ethical hacking capabilities a few years ago as part of its cybersecurity program, said Adam Evans, vice president of cyber operations and chief information officer.

"We want to make sure we are testing our defenses to make sure they are relevant," he said.

RBC has increased its cyber security budget and is increasing its staff annually. It now has about 400 cyber security professionals, 50 percent more than three years ago, but a talent gap is approaching, Evans said.

Demand for talent in Canada is rising seven percent annually and there will be more than 5,000 jobs to fill between 2018 and 2021, according to Deloitte. By 2022, the cyber-security workforce gap is expected to reach 1.8 million.

In October, there were 1,024 cybersecurity jobs for every million jobs in Canada, a 5 percent increase over last year, according to Indeed Canada. That's up 73 percent since early 2015, said Brendon Bernard, an economist with the job search platform.

Meanwhile, several Canadian banks have made recent investments in research or training, abroad or at universities at home, to tap cybersecurity talent. For example, TD opened a cybersecurity-focused office in Tel Aviv, Scotiabank announced a partnership with an Israeli cybersecurity company and RBC made an investment in research at Ben-Gurion University.

"With the cyber talent gap, it's something that organizations will have to address," Evans said. "Because there simply are not enough qualified people out there."

