Financial institutions in Canada — all of them — admit they’ve experienced information security breaches in the past year, according to an international survey.

Globally, two out of the three most common attacks in the financial industry were deployed to extort some form of monetary gain, which implies professional hackers and organized crime have set up shop in the business of targeting the industry.

More than three quarters of the world’s financial institutions, 78% of those surveyed by the Deloitte Touche Tohmatsu Global Financial Services Industry group, confirmed that they experienced a security breach from outside the organization during the past year. This number is up from 26% reporting external security breaches in 2005. Almost half (49%) also confirmed they encountered at least one internal security breach, up from 35% in 2005.

“The extent and nature of these security breaches signal a new reality for the global financial industry, including Canada,” says Adel Melek, partner with Deloitte Canada and global leader of security and privacy services. “Execution and exploitation of these attacks require significant resources and coordination, which implies professional hackers and organized crime have entered the domain once ruled by ‘script kiddies’ and one-off hackers. The shifting trend means organizations not only face more sophisticated and hard-to-track attacks, but are also challenged by increased risk and potential loss.”

Although Canadian institutions ranked second in the world in the areas of enterprise-wide business continuity management and privacy compliance programs, Canadian companies have one of the lowest proportionate security budgets as part of their IT spending compared to Western mature markets like the U.S. and the U.K.

Nearly three quarters of the surveyed financial institutions that experienced security breaches estimate that the damages to their organizations, including direct and indirect costs, were generally in the range of US$1 million.

“The overall cost of managing breaches has actually gone down over time, but the cost of managing just two specific items, the whole issue of identity theft, insider fraud, has actually skyrocketed,” says Melek. “Things we used to observe in the past — web defacement, viruses, denial of service — these have declined significantly. But it’s other targeted attacks that are costing money.”

He says that whereas in the past institutional costs were largely limited to fixing internal damage, firms are now more frequently on the hook to compensate consumers and to spend money on advertising and consumer education to repair reputational damage.

Globally, phishing and pharming accounted for more than half of external attacks, followed by spyware and malware utilization. Phishing and pharming schemes trick people into giving out confidential information using e-mails and websites that appear to be sent or established by legitimate organizations. Pharming attacks actually hijack a company’s domain name or website address and redirect users to a fraudulent website that harvests their client information.

Spyware and malware are terms that describe a range of malicious software programs designed to deliver viruses or inflict other damage, or passively observe client computer use and harvest their keystrokes, passwords and other information.

“In the past it used to be amateur hackers who were seeking fame and glory. They weren’t trying to hide their tracks. Now we’re seeing the opposite. These are stealthier attacks and they have no interest in the attention. They want to do everything under the table, in the dark with nobody noticing,” says Melek. “We’re also starting to notice that in the past hackers would (pick) targets of opportunity — the weakest links. Now we’re seeing more targets of choice. They’re targeting very specific institutions, individuals and demographics. Obviously the objective is no longer bragging rights. It’s about financial benefit and exploitation.”

Insider fraud and leakage of customer data were the most commonly cited internal breaches, reported by 28% and 18% of survey respondents respectively. While 96% of the senior information technology executives surveyed said they were concerned about employee misconduct involving IT systems, only 34% had provided their staff with some form of information security and privacy training during the past year. In Canada, only 55% of company respondents said they had provided security-related education to employees.

But Melek says the survey revealed a lot of positive comments about the state of security in Canada, particularly in the level of awareness demonstrated by company boards and executives. “Despite the fact that close to 100% of the organizations that we surveyed in Canada have experienced an external breach, I think proportionally to the size of their business and the number of transactions that they do in Canada, there is no reason to really ring the alarm bells. These breaches don’t constitute an alarming situation.”

Filed by Kate McCaffery Advisor.ca, kate.mccaffery@advisor.rogers.com

(06/13/06)