According to a report issued Tuesday by Deloitte, Canadian financial institutions are facing an uphill battle when it comes to protecting consumers from security threats, but they’re still doing it more successfully than most of the rest of the world.
Between November 2005 and February 2006, Deloitte conducted a study of about 150 financial institutions, 11 of which are located in Canada. These organizations included banks, insurance companies, credit card providers, payment processors and other institutions.
Canada finished second behind Japan in categories such as: the number of institutions that have chief information security officers; the number where security has risen to a level of interest that includes the board of directors and C-level executives; the number of institutions that feel they have required skills and competence to address security issues; the number who have a business continuity program; and the number who have an executive whose sole responsibility is privacy.
In Canada, for example, 64 per cent of respondents said that they have the skills necessary to tackle security, compared to 41 per cent in the U.S. Approximately 91 per cent of Canadian respondents said they had the commitment and funding to address regulatory requirements (71 per cent in the U.S.).
One hundred per cent of Canadian respondents said they had an enterprise-wide business continuity management program and an executive who filled a privacy role.
“There were many categories where Canada was ranked world-class,” said Adel Melek, a partner with Deloitte Canada and global leader of security and privacy issues. However, he added, while respondents “were certainly truthful and transparent in their responses . . . it’s not all rosy.”
The study also discovered that 78 per cent of Canadian respondents said they had been subject to external security breaches in the last 12 months (49 per cent experienced an internal breach). Also, the amount of IT budget that Canadian institutions dedicate to security is less than that in the U.S., U.K. and other western nations (one to three per cent).
According to the study, banks the world over are being subjected to more and more sophisticated phishing and pharming schemes (the practice of sending out phoney e-mails or setting up fake Web sites in an effort to capture personal data from unsuspecting consumers).
Deloitte reports that 51 per cent of all external threats are phishing and pharming attacks. Spyware and malware account for a further 48 per cent. Most of these schemes are organized criminal attacks rather than the work of what has become the stereotypical model of “script kiddies” or hackers working alone.
The threats are very real and growing “more and more sophisticated every day,” said Toronto-based security consultant Mary Kirwan, principal of Headfry Inc. Phishers are targeting particularly lucrative groups of people, she added. “They’re looking at sub-sections, almost like data marketers would look at consumers.”
It’s in the banks’ interest to make the Web a safe environment in which to conduct financial transactions, she said. Web banking is “a huge cost-saving mechanism for the banks and they’re very anxious to preserve that medium. They’re very concerned about it.”
Canadian institutions are meeting with some success, said Melek, and are getting better at authenticating consumers who bank online. Aside from the login data a consumer will provide, they might also be identified by their IP address. If the point of origin appears suspect, then the account might be flagged.
“It’s probably going to be intercepted and you’re probably going to be asked a couple of questions,” said Melek.
Canadian banks have suffered their fair share of embarrassments, such as when the CIBC accidentally faxed customer data to a scrapyard in West Virginia, but these are the rare exception rather than the norm, said Melek.