According to Statistics Canada, in 2017, 21% of Canadian businesses reported they were impacted by a cyber-security incident that affected their daily business operations. Excluding investment banks, the statistics for banking institutions are even worse, indicating the highest level of reported incidents at a whopping 47%.
Among the list of favored targets, cyber-criminals have and will continue to take aim at Canadian Financial Institutions. With such a high reward potential, it’s never been a question of if an attack attempt will happen, but rather when it will happen.
What Are Canadian Banks Doing to Mitigate Risk?
Hiring hackers, of course. Ethical hackers, to be precise.
Over at TD Bank, in-house hackers are targeting internal networks with the most current cyber threats.
“We’re doing it exactly how our adversaries would do it. So, if we find a weakness or something like that, we can close it or address it before a real attacker.”
Alex Lovinger, Vice President of Cyber Threat Management – TD Bank
TD Bank established their in-house “red team” of ethical hackers in late 2017. According to SANS Institute, Red Teaming is a process designed to detect network and system vulnerabilities and test security by taking an attacker-like approach to system, network, and data access. This process is also known as “ethical hacking” since its ultimate purpose is to enhance security. Ethical hacking is an “art” in the sense that the “artist” must possess the skills and knowledge of a potential attacker (to imitate an attack) and the resources with which to mitigate the vulnerabilities used by attackers.
Joining Toronto-Dominion in the race to keep ahead of the latest cyber threats, Canada’s largest banks are fortifying their defenses by hiring ethical hackers, also known as “penetration testers” to test their systems as the frequency and complexity of cybercrime continues to increase.
The Importance of Proactive Penetration Testing
In May of this year, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial Digital banking brand announced that potentially thousands of their customers personal and financial data may have been compromised.
BMO made the statement that hackers had contacted the bank declaring possession of the personal data of nearly 50,000 customers. The attack was said to have originated outside of Canada. At the same time, Simplii announced that cyber attackers may have accessed “certain personal and account information for approximately 40,000 customers.”
Among the 90,000 affected customers, there was evidence of unauthorized transactions, including e-transfers and otherwise. Despite promises of reimbursement to customers for funds lost through unauthorized transactions airing from data breaches, client trust took a significant hit.
BMO has since turned to in-house ethical hackers to test their systems. In a recent job listing, BMO is seeking a Senior Manager with a certification in ethical hacking and whose responsibilities including managing a team of “network penetration testing” specialists and providing security communication, awareness and training for audiences ranging from senior leaders to field staff.
As part of its cyber-security program, the Royal Bank of Canada has had an in-house ethical hacking team for a few years now. Understanding the importance of staying current, RBC has been increasing its cyber-security budget and adding staff annually, to the tune of a 50% increase in staff over the past three years.
“We want to make sure that we are testing our defenses to make sure they stay relevant.”
Adam Evans, Royal Bank of Canada, Vice President of Cyber Operations
Cybersecurity Labour Shortage
Despite their best efforts, Canadian Banks are becoming increasingly aware of the cyber-security workforce gap. It is estimated that, globally, there will be approximately 3.5 million unfilled positions, within the industry, by 2021. This type of gap puts many Canadian banking institutions in a difficult situation. Qualified, experienced ethical hackers are not easy to find, and, when they are available, they demand top salaries.
Unfortunately, this makes the cyber threat environment a tough threat to manage, not only for our Financial institutions but all Canadian organizations.
The cybercriminals certainly aren’t complaining; they’re doing everything they can to take full advantage of these understaffed and unprotected organizations. As a result, a significant number of Canadian businesses, including financial organizations, remain sitting ducks, at a high risk of suffering a data breach that could potentially take years to recover from, financially and otherwise.
Without the sizeable budgets and qualified expertise (as seen in financial institutions) required to hire in-house red teams, the majority of businesses’ best solution is to hire qualified, third-party organizations to perform their penetration testing requirements. In particular, a third-party that performs testing in-house, without outsourcing further, which has the distinct propensity to reduce effectiveness and inflate costs.
At Packetlabs, we are regularly engaged by organizations who already have their own in-house red teams. Despite their best efforts, our pen testers almost always uncover previously undiscovered vulnerabilities.
A lot of people in our industry haven’t had very diverse experiences. So they don’t have enough dots to connect, and they end up with very linear solutions without a broad perspective on the problem. – Steve Jobs
Our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often times, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.
For more information, please contact us for in-depth information on any of the items discussed here.