Canadian financial institutions rate themselves as highly as their U.S. counterparts on the use of investment technology security tools, early adoption of new technologies, and performance of ‘ethical hacking’ and penetration testing.
But they rank lowest worldwide in adopting security standards, and Canada is the only region with less than total deployment of technologies such as anti-virus software.
Those are some of the findings of a new survey by Deloitte & Touche on global IT security. The survey, conducted in the first quarter of this year, interviewed top security officers from 78 of the world’s 500 leading global financial institutions. In Canada, 13 of the largest financial institutions participated in the survey.
“The findings also reveal Canadian institutions rate themselves as highly as their U.S. counterparts on the use of security tools, early adoption of new technologies, and performance of ‘ethical hacking’ and penetration testing,” Deloitte & Touche said in a statement. “On the other hand, Canadian respondents have the lowest adoption of security standards worldwide and is the only region with materially less than 100% deployment of base line technologies such as anti-virus software. Canada also has the least deployment of biometrics among all regions surveyed.”
“The low rate of adoption of security standards and low deployment of base line technologies in Canada comes as a significant surprise,” said Adel Melek, global leader, Deloitte & Touche Global Financial Services Information Security & Privacy Services. “Fortunately, Canadian institutions remain in the top quartile, and indicated that they are not limited by budget constraints interfering with the adoption of security standards. As ‘early adopters’ of new technologies, Canadian institutions are also well poised to observe the disparate levels of product maturity in security products.”
Deloitte & Touche said that according to the survey, Canada’s financial institutions also believe fragmented security products contribute to a lack of unified security programs that may present future risks.
The survey also found that Canadian respondents are most driven by the activities of their competitors, while they are the least concerned over availability of qualified security resources, budgets and the increased sophistication of security threats. In addition, Canadian respondents reported the highest connectivity among financial institutions globally, primarily thanks to the Interac network of shared banking and electronic payment networks.
In other highlights, the survey found that:
- financial institutions around the world have implemented a variety of IT security practices and technologies, maintained or even increased security budgets, and boosted IT security staffing levels, despite the worldwide economic downturn. However, these organizations still have room for improvement in terms of establishing privacy standards and shoring up defences against external threats;
- 80% of respondents reported having a formal information security strategy in place, while 61% have a chief security officer or chief information security officer on staff. However, 39% of those surveyed reported having experienced a substantial security breach within the past year;
- among the institutions that reported a breach, only 10% of the attacks stemmed from an internal source, a number that contradicts the previously common belief that the vast majority of cyber crime originates from within the organization, rather than from an external attack;
- while 80% of respondents have a formal information security strategy in place, only 47% said that line and functional leaders lead and embrace the strategy;
- 63% of respondents said management perceives spending on IT security to be a necessary cost of doing business today, rather than a discretionary expense;
- only 5% of respondents are “extremely confident” about how well their organization’s systems are protected from attacks;
- security typically accounts for only 6-8% of an organization’s overall IT budget.