TORONTO – Hackers target the Toronto-Dominion Bank's internal systems at all hours, using cutting-edge techniques, but the bank's security head does not lose sleep over it – they work for him, after all.
The bank set up a "red team" of ethical hackers at the end of last year – cyber professionals who try to break into a computer network to test or evaluate its security on behalf of its owners – who constantly attack the bank's own networks, said Alex Lovinger, TD Bank Vice President for Cyber Threat Management.
"We do exactly as our opponents do … So if we find a weakness or something like that, we can close it or approach it to a real attacker," he said.
The largest banks in Canada are strengthening their defenses by employing their own ethical hackers to test their systems as the frequency and sophistication of cyberattacks grow.
A Senate report last month, titled "Cyber.Assault: It Should Keep You Up At Night," sounded the alarm about the possible consequences of major cyberattacks in Canada.
"While some federal progress has been made over the past year, there is much more that the federal government and Canadians have to do to protect us," the Standing Senate Committee on Banking, Trade and Commerce said. "We have to make the right steps now, or soon we will all be victims."
Bank of Canada governor Stephen Poloz voiced concern over a cyber-attack.
In 2017, 21% of Canadian businesses reported they were affected by a cyber security incident that affected their operations, according to Statistics Canada. Banking institutions, not including investment banks, reported the highest level of incidents at 47%, followed by universities and the pipeline transport subsector, according to the agency.
New regulations requiring Canadian businesses to alert their customers to privacy breaches or face large fines entered into force earlier this month.
In May, Bank of Montreal and Canadian Imperial Bank of Commerce's digital banking brand, Simplii Financial, said thousands of customers could have had their personal and financial data compromised.
BMO said the hackers contacted the bank claiming they had data on fewer than 50,000 customers, and that the attack came from outside Canada. At the same time, Simplii also warned that "fraudsters" had accessed some personal and account information for approximately 40,000 customers.
BMO chief executive Darryl White said he cannot comment on details of the privacy violations because an investigation is under way, but noted that there was a "very immaterial impact from fraud" and no financially significant impact.
"We are much smarter as each event happens, and events take place every day, there are events every hour of every day … It is an exercise of continuous improvement," White told reporters after the bank's recent investor day.
Meanwhile, BMO is also turning to in-house ethical hackers to test its systems. According to a recent job posting, BMO is looking for a senior manager with ethical hacking certification whose responsibilities include managing a team of "network penetration" specialists.
CIBC did not answer a question about whether it uses ethical hackers.
"We have internal and external expertise and we work closely with industry and government to increase resistance to cyber security, intelligence of threats and best practices," the spokesman said in a statement.
Alberta-based bank ATB Financial, in a recent job posting, said it is recruiting a "senior penetration tester" with experience in ethical hacking. A spokesman for ATB said the posting would fill a newly created role.
Bank of Nova Scotia has set up its own "red team" of hackers to test its defenses, said IT Security Officer Steve Hawkins.
"Scotiabank has used and continues to use third parties to cope with this penetration test. However, as the volume of global cyber threats has increased significantly, the Bank wants to have its own internal capabilities and create its own red team in this year," he said.
With the series of data breaches in recent years, what worries Lovinger from TD is the cumulative amount of data that has been exposed.
"Hackers are now on a multitude of information … that they can now leverage to make more targeted attacks," he said.
The Royal Bank of Canada has had ethical hacking capabilities for several years as part of its cyber security program, said Adam Evans, vice president of cyber operations and chief intelligence officer.
"We want to make sure we're testing our defense to make sure they stay relevant," he said.
RBC has increased its IT security budget and added to its team annually. It now has about 400 professionals in the field of cyber security, 50% more than three years ago, but there is a talent gap, Evans said.
Demand for such talent in Canada is rising by seven per cent annually, and there will be more than 5,000 roles to fill between 2018 and 2021, according to Deloitte. By 2022, it is estimated that the labor force gap in the field of IT will reach 1.8 million.
Since October, 1,024 vacancies have been available for every million Canadian job ads, up five percent in the last year, according to Indeed Canada. That is an increase of 73% since the beginning of 2015, said Brendon Bernard, economist of the job search platform.
Meanwhile, several Canadian banks have made recent investments in research or capabilities abroad, or at universities at home, to acquire cyber security talent. For example, TD opened a Tel Aviv Information Security Bureau, Scotiabank announced a partnership with an Israeli cyber security company, and RBC made a research investment at Ben Gurion University.
"With cyber talent gaps, there is something that organizations will have to address," Evans said. "Because there are not enough people out there."
The companies in this story: (TSX: RY, TSX: TD, TSX: CM, TSX: BNS, TSX: BMO)
Armina Ligaya, The Canadian Press