Cyber security readiness in banks
A recent survey titled "IT security of banks in Bangladesh: threats and preparedness", carried out by the Bangladesh Institute of Bank Management (BIBM), paints a rather dismal picture of certain banks and their ability to combat cyber threats. We are informed that nearly a third of banks (28 percent) have taken no effective steps to thwart a large-scale cyber-attack. The good news is that 38 percent are fully equipped for such an attack, while the remaining 34 percent are only partially prepared. The presenter of the research paper, Professor Mahbubur Rahman Alam, outlined the areas that need a lot more attention.
We learn that the system vendors who supply software to the banking sector are themselves largely dependent on foreign software. More alarming is that 27 percent of these vendors have been found to have breached safety arrangements; what that translates into in practice is anyone's guess. With the exponential growth of paperless transactions, i.e. the use of plastic cards, consumers now face a whole new range of threats, including fraud at ATMs, and mobile financial transactions are increasingly falling prey to cyber fraud.
There is a general lack of IT security awareness among bank employees themselves. The survey found that 18 percent scored "poor" and 12 percent "very poor", while 29 percent scored "moderate"; meanwhile, the senior management of the banking industry considers spending money on IT infrastructure and qualified IT personnel to be a wasteful exercise. Indeed, of the Tk 2,035 crore spent on IT systems in 2017, the bulk went to procurement of hardware and software, and a measly 3 percent was allotted to training. What all this boils down to is that the banking sector has left itself wide open to sophisticated hacking operations, and we do not need to be reminded of what happened when the central bank was attacked and hackers made off with millions in hard currency!
To quote from the report, "in the last year, 68 percent of the banks have experienced at least one attack, most commonly in the form of malware, subsequently followed by spam phishing attacks...of these, 24 percent have had their network intruded in some way at a significant cost to the business." And it is not only financial loss that banks are counting: access to sensitive information, be it the bank's or its clients', can and does fetch a pretty sum on the black market for stolen data. Any incident like this is bad for business because it directly affects the image and reputation of a financial institution.
It is incomprehensible that bank managements view the development of human resources for IT as a waste of time. The study is damning when we consider that the rate of fraud involving mobile financial services (MFS), ATM machines and plastic card transactions is higher than all other categories combined; what, precisely, could explain this lethargy in investing in personnel who could effectively combat cyber threats? From what is discussed in the study, building up a safety net against this online onslaught of hackers requires investment in three areas: hardware, software and IT personnel, and all three go hand in hand.
Last year, a similar study was shared by BIBM, titled "An Exploration of the Digital Banking Revolution in Bangladesh", by the same author. In its cyber security readiness section, the author exposed some unfortunate truths about the sector as a whole. There we found that IT governance was broken into three segments: technology constituted a mere 6 percent and process 10 percent, but the biggest segment was people, who made up 84 percent of how IT governance plays out in the banking sector! It appears that the sector's senior management has not taken this advice to heart.
To put things into perspective, we simply have to look at cybercrime data globally. As pointed out in last year's study, we get some sobering facts: the global cost of cybercrime will reach USD 2 billion by 2019 (https://www.juniperresearch.com/press/press-releases/cybercrime-cost-bus...), a threefold increase from the 2015 estimate of USD 500 billion. According to the Identity Theft Resource Center's (ITRC) Data Breach Report (https://www.idtheftcenter.org/new-facebook-security-breach-compromises-5...), more than 29 million records were exposed. Furthermore, in Ponemon Institute's "2016 Cost of Data Breach Study: Global Analysis", which queried 383 organisations that suffered at least one breach in 2016, the average cost per breach was USD 4 million. That figure rose to USD 7 million in the US.
As we move closer to home, the BIBM study in 2017 found that 6 out of 10 (60 percent) employees use the "exact same password for everything they access. Meanwhile, 63 percent of confirmed data breaches leverage a weak, default or stolen password." Who exactly are we trying to fool here? The above statement shows a massive lack of awareness of very basic security concerns; any IT expert will point out that reusing one password everywhere is a major breach of standard operating practice in any cyber environment!
BIBM rightly points out that the central bank has a major role to play here. Bangladesh Bank can organise professional certification courses, such as a Masters in E-banking and Certified E-Banker, and it can enlist the help of other central banks in the region for such efforts. What we find in the latest study (which echoes and builds on concerns voiced in last year's study) is that we are woefully unprepared for digital security threats in the banking sector. Some progress has been made, but as we go increasingly "online" with our transactions, lagging behind in IT security because spending resources on IT human resources is considered "wasteful" is something no bank can afford, under any circumstances, in today's "connected" world.
Syed Mansur Hashim is Assistant Editor, The Daily Star.