Canadian banks look to in-house hackers to test cybersecurity
Hackers are targeting Toronto-Dominion Bank’s internal systems at all hours using cutting-edge techniques, but the bank’s head of cybersecurity isn’t losing sleep over them — they work for him, after all.
The bank established late last year an in-house “red team” of ethical hackers — cybersecurity professionals who attempt to hack a computer network to test or evaluate its security on the owners’ behalf — who conduct live attacks against its own networks continuously, said Alex Lovinger, TD Bank’s vice-president of cyber threat management.
“We’re doing it exactly how our adversaries would do it ... So if we find a weakness or something like that, we can close it or address it before a real attacker,” he said.
Canada’s biggest banks are fortifying their defences by hiring their own ethical hackers to test systems as the frequency and sophistication of cyberthreats increases.
A Senate report last month entitled “cyber. assault: It should keep you up at night” sounded the alarm about the potential consequences of major cyberattacks in Canada.
“While some progress has been made federally in the past year, there is much more that the federal government and Canadians must do to protect ourselves,” said the report of the Standing Senate Committee on Banking, Trade and Commerce. “We must take the appropriate steps now, or soon we will all be victims.”
Bank of Canada governor Stephen Poloz has also raised concerns about a cyberattack.
In 2017, 21 per cent of Canadian businesses reported that they were impacted by a cyber-security incident which affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47 per cent, followed by universities and the pipeline transportation subsector, according to the agency.
New regulations that require Canadian businesses to alert their customers about privacy breaches or face hefty fines took effect at the beginning of this month.
In May, the Bank of Montreal and the Canadian Imperial Bank of Commerce’s Simplii Financial digital banking brand said thousands of their customers may have had their personal and financial data compromised.
BMO said hackers contacted the bank claiming to be in possession of the personal data of fewer than 50,000 customers, and that the attack originated outside of Canada. At the same time, Simplii also warned that “fraudsters” may have accessed certain personal and account information for about 40,000 clients.