Canada’s finance sector ignores security standards

Canada’s financial institutions have the lowest adoption of security standards worldwide, the least deployment of biometrics and is the only region with less than 100 per cent use of baseline technologies including anti-virus software, according to Deloitte

& Touche‘s 2003 Global Security Survey.

The results came as a surprise to Adel Melek, a global leader for Deloitte & Touche’s global financial services information security and privacy services in Toronto.

“”They were either extremely honest or this is an indication of the reality of what we’re faced with,”” Melek said. “”To some degree this is compounded by the fact that in terms of other attributes, Canadian participants featured in the top quartile.””

The study surveyed 78 of the world’s top 500 global financial institutions in the first quarter of 2003. Thirteen Canadian organizations were involved in the study, which included four of the country’s five top banks, two of Canada’s largest insurance companies as well as other financial institutions.

According to Melek, one of the most surprising results of the study is the fact that the Canadian respondents are trailing the rest of the world in adopting globally-recognized information security standards.

Richard Reiner is CEO of Toronto-based FSC Internet Corp., an information security company with clients that include TD Bank, CIBC, Bank of Montreal, Sun Life Financial and RBC Capital Markets.He wasn’t phased by the Deloitte & Touche results.

“”There are darn few security standards and they are close to brand-new in every case,”” Reiner said. “”It takes a large organization more time to adopt and evaluate standards and then put through trials before embracing something like ISO17799.””

WhiteHat Inc.‘s executive vice-president, Leanne Bucaro, said that her gut reaction was that Canada’s financial institutions are not adopting global standards because they don’t need to.

“”Our overall impression with working with Canadian financial institutions over the past 10 years is that they set the standards. They have developed their own standards that are quite secure,”” she said. WhiteHat is a Burlington, Ont.-based company specializing in security solutions.

Bucaro explained that the Canadian banking environment is different than anywhere else in the world because of its regulatory nature.

“”It’s almost peer-to-peer because of things like Internet banking and Interac. It’s very much an environment of coopetition,”” she said.

The study also highlighted that Canadian respondents indicated that fragmented products might pose a future risk.

“”While this was cited by other organizations globally, it was a consistent answer from a Canadian perspective,”” Melek said.

In terms of the adoption of biometrics, North Americans — not just Canadians — are lagging behind the rest of the world.

“”Compared to Europe and some places in the Asia Pacific, we are no farther behind than the U.S.,”” Malek said.

He said that this is likely true because biometrics is as much a cultural issue as a technological one, with Canada’s privacy legislation a major factor. According to Reiner, until the world of biometrics matures, lagging behind isn’t a bad thing.

“”Biometrics are not necessarily something we should be racing to adopt. It’s not a bad thing that we’re not leaping into the fray,”” Reiner said.

Neither Bucaro nor Reiner is quite convinced of the study’s findings regarding Canada’s financial institutions’ deployment of baseline technologies.

“”I find that hard to believe,”” Bucaro said. “”I’m not saying the study is wrong, but we’ve never come across a major corporation — and certainly never a bank — that has not fully implemented anti-virus and firewalls at a minimum. My overall reaction is that financial institutions are more proactive than reactive.””

Reiner said that despite some of the study’s negative results, financial institutions are better equipped to handle security issues than most industries.

“”There are many other industries, including many at comparable levels of risk that are vastly less prepared. It would be fascinating to see a study asking some of the same questions to different industries — you’d find dramatically different results.””

— Illustration by Jarrett Osborne

Comment: info@itbusiness.ca

Share on LinkedIn Share with Google+