Published on 12:00 AM, November 22, 2023

Cybersecurity Challenges in Bangladesh’s Financial Sector

The rapid digital evolution of Bangladesh's financial sector heralds a new era of convenience and efficiency. Yet, within this technological metamorphosis, a formidable adversary emerges — the escalating challenges of cybersecurity. This intricate interplay between digital advancement and the persistent threat of cyber breaches has an immense impact on the overall financial sector, demanding a vigilant and strategic response to safeguard its integrity.

The study titled "Cybersecurity Landscape of Banking in Bangladesh and Recommendations (2022)," conducted by the Bangladesh Institute of Bank Management (BIBM), highlights the cybersecurity challenges confronting the country's banking sector. The study reveals that 52% of banks are currently at high risk of cyber threats. The sector contends with an average of 630 cyberattacks daily, with 24% originating from China, 12% from Russia, and 13% from North Korea.

As detailed in the "Bangladesh Cyber Threat Landscape 2022" report by BGD e-GOV CIRT, 3,639 bank cards issued by various Bangladeshi banks were identified on the dark web. These bank cards on the dark web expose financial institutions to the potential loss of $4,36,68,000, along with other available credit amounts in Bangladesh Taka. This risk extends to both financial organizations and individual account holders. The report pinpointed vulnerabilities in banking infrastructures that could be exploited by threat actors.

During its routine surveillance, the threat intelligence unit of the Bangladesh Government's Computer Incident Response Team (BGD e-GOV CIRT) discovered that core banking systems and internet banking gateways were accessible through the internet. This exposes the total deposit of these financial institutions.

The BIBM study reveals that a high risk of cyber-attacks looms over banks and financial institutions in Bangladesh mainly due to a shortage of skilled personnel, a lack of awareness among bankers and customers, and a shortage of investment in strengthening security measures.

"Insufficient cybersecurity measures are heightening the risks, with a lack of in-house IT expertise, inadequate spending on cybersecurity and training, and vendor-related security breaches identified as major weaknesses," said Md Mahbubur Rahman Alam, an associate professor of the BIBM.

Despite a substantial expansion in IT infrastructures within the banking sector, there is a concerning lack of security measures to shield banks from cyber threats. The BIBM study also reveals that since 2020, the banking sector has invested a significant sum of Tk42,609 crore in IT. In the year 2020 alone, the sector allocated Tk1,666 crore, with 71% directed towards software and hardware, a mere 3% allocated for training, and 5% for security measures. As a result, 50% of bank employees have inadequate knowledge of IT security.

Cyber security researcher Tanvir Hassan Zoha, managing director of Backdoor Private Limited (a cyber security firm), said, "While predominantly focusing on short-term profit, a significant portion of private banks tends to invest inadequately in IT, putting customer data at risk. Moreover, when a plan reaches the tender stage after progressing through multiple stages in the prolonged bureaucratic process in our country, the planning may become outdated, compromising security due to the rapid nature of technological advancement."

He further added that implementing the Security Operation Centre (SOC) stood out as a crucial directive from Bangladesh Bank to fortify the banking sector, given the threat of hackers attempting to steal money through malware and ransomware. Nevertheless, a majority of banks have not adhered to the central bank's instructions to install the SOC, leading to a surge in cyber-attack incidents.

Reputational damage is a major reason cybersecurity incidents are concealed by the authorities. The involvement of many government authorities and law enforcement agencies, such as BTRC, the Police, and the ICT department, in solving cybersecurity issues is also responsible. Tanvir Hassan urges the consolidation of all the required facilities in one central point to deal with cybersecurity issues.

The number of employees in the banking sector stood at 1.94 lakh in 2020, of which only 5,875 were deployed to run their IT infrastructures. While sharing the findings, Mahbubur Rahman further noted that the challenge of producing necessary experts stems from a shortfall in educational institutes offering market-oriented programs. The sector demands high-level experts but is currently served by mediocre professionals.

However, Dr. Md. Shohrab Hossain, a professor in the Department of Computer Science and Engineering at BUET, said, "A more balanced and comprehensive investment approach is necessary. While we possess a sufficient number of homegrown experts, the primary reason for their reluctance to work in the financial sector stems from the inadequate allocation of resources within the sector."

Just as the global financial system requires a unified front against cyber threats, Bangladesh's financial sector must adopt a collaborative approach. "Efforts to strengthen defenses and regulations must be complemented by a unified approach that transcends regulatory and sectoral boundaries. Governments, financial authorities, and industry players must collaborate to devise and implement effective cybersecurity measures, ensuring the resilience of the financial system in the face of evolving cyber threats," said Mohammad Ali, Managing Director and CEO of Pubali Bank Limited.

"We often place blame on banks and financial institutions for cybersecurity-related issues. There are no alternatives but to increase digital literacy among customers. Furthermore, ensuring awareness is inevitable among customers to avoid potential threats and follow secure, threat-free financial platforms," said Tanvir Hassan.