Security investment neglected: Banks of BD face up to 300 malware attacks a day


bdnews24.com:
A study reveals poor knowledge of and insufficient investment in cyber security in Bangladesh’s banks, despite the fact that they face different types of cyber attacks every day.
Md Mahbubur Rahman Alam, associate professor at the Bangladesh Institute of Bank Management (BIBM), said banks face up to 300 malicious software attacks a day, 60 percent of them by local hackers, who he said could be trained as “ethical hackers” for defence.
He disclosed his study findings at a seminar on cyber defence on Saturday, in the wake of the recent Bangladesh Bank cyber heist that led to $101 million in reserves being stolen.
The Chief Technical Officer (CTO) Forum Bangladesh organised the seminar with the support of cyber security solutions provider FireEye, Mandiant (a FireEye company) and TVN (an ADN company), to make bank executives and technical professionals aware of the latest in cyber defence.
Global security experts, along with Bangladesh officials including central bank executive director Subhankar Saha, spoke at the seminar. Alam said that since the central bank’s incident he has observed a growing interest among bank managements in investing in IT development. They have been pouring money into gap analysis and training.
“But even then 8 percent of managements are reluctant to invest in IT and 24 percent will wait for the central bank’s directives,” he said.
“They don’t invest in IT, but they blame IT after incidents.”
While 70 percent of banks have no separate and independent IT security and risk management division, many banks have installed costly software in an “ineffective way”.
Prevention is not enough
An estimated Tk300 billion has been invested in banks’ IT development since 1968, when Agrani Bank installed the first computer.
Each year Tk10 billion is invested in IT processes across the banking sector, excluding the central bank. But the major portion of the budget goes to buying hardware first, and then software.
The budget for security, training and audit was “very poor” in the last four years, the study found. Only 4 percent of the IT budget is used for security purposes and 2 percent for training.
But with technological advancement, cyber attacks have become the key threat to any system’s security. Subhendu Sahu, head of commercial sales for the Asia Pacific and Japan region at FireEye, said about 60 percent of organisations learn from external sources that they have been attacked. He said the threat grows with technological advancement, and the average time to contain a cyber attack has also increased: it took 31 days in 2014, up from 27 days in 2013.
“It takes an average of 164 days just to get to know that your security has been breached,” he said. “Prevention is not enough. The best prevention solution can be breached. Always keep in mind that you will be breached. And for that there are some preparations,” he suggested to the technical professionals at the seminar.
He said preparing for the breach should be a part of the daily security routine of a company.
“The company should draw up a detailed plan and select those from the board who will deal with the attack when it happens. Each incident is unique. But today is the best time to prepare,” he said, insisting that companies should not wait to be attacked.
“The whole security compliance should be looked at from the attackers’ point of view, not the consumers.”
Five key pillars
According to the security experts at the seminar, a company must have the capabilities to identify, detect, protect, respond to and recover from cyber security incidents; those, they said, are the five key pillars of cyber security management. But the BIBM teacher, Alam, lamented that when he asked 25 Chief Technical Officers about those pillars, they replied: “We don’t know”.
“Seventy-four percent of IT heads lack ‘adequate knowledge’ of IT security,” he said, citing his study, which also found that banks had to spend money for many purposes, particularly reimbursements and audit and consulting services, after facing software attacks.
“But banks do not want to spend money on improving the IT security department,” he said, adding that the IT department is poorly staffed and those who work there are overburdened.
“This is also a risk from the security point of view. They may cause intentional or unintentional security harm.”
“It is very alarming that 91 percent of banks do not have a data leakage prevention (DLP) solution. To protect sensitive data, banks should introduce DLP as soon as possible,” he said.
A DLP solution is a system designed to detect potential data breaches and to protect data from any type of malicious activity.
Alam suggested setting up an information sharing and analysis centre, as India did 20 years ago, so that all financial institutions can be notified if an incident happens at a bank.
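To make the DLP idea above concrete, here is an added illustration (not from the article, BIBM, or any vendor named in it) of the content-inspection check at the heart of such a system: outbound messages are scanned for data that should not leave the bank, and the result is used to block or redact the message. The detectors, thresholds, message IDs and sample messages are all constructed for this example; a real deployment would hold far richer policies.

```python
import re
from dataclasses import dataclass, field

# Constructed detection policy (assumption for this example, not a product's ruleset).
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
# Classification markers that indicate the document was never meant to leave the bank.
MARKERS = ("CONFIDENTIAL", "INTERNAL ONLY")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum. Most runs of digits that merely look like a card number
    (ticket IDs, phone numbers) fail it, which keeps false positives down."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


@dataclass
class Finding:
    message_id: str
    reasons: list = field(default_factory=list)

    @property
    def blocked(self) -> bool:
        # Policy: any finding blocks the message.
        return bool(self.reasons)


def inspect(message_id: str, body: str) -> Finding:
    """Inspect one outbound message body and collect reasons to stop it."""
    finding = Finding(message_id)
    for m in PAN_RE.finditer(body):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            finding.reasons.append(f"card number ending {digits[-4:]}")
    upper = body.upper()
    for marker in MARKERS:
        if marker in upper:
            finding.reasons.append(f"marker '{marker}'")
    return finding


def redact(body: str) -> str:
    """Mask Luhn-valid card numbers, keeping only the last four digits."""
    def mask(m: re.Match) -> str:
        digits = re.sub(r"[ -]", "", m.group())
        if not luhn_ok(digits):
            return m.group()    # not a card number; leave untouched
        return "*" * (len(digits) - 4) + digits[-4:]
    return PAN_RE.sub(mask, body)


def scan_all(messages) -> dict:
    """Return {message_id: [reasons]} for a batch of (id, body) pairs."""
    return {mid: inspect(mid, body).reasons for mid, body in messages}


# Constructed sample outbound messages (not real traffic).
MESSAGES = [
    ("msg-1", "Quarterly newsletter: branch hours change from Sunday. "
              "Call +8801711111111 for details."),
    ("msg-2", "CONFIDENTIAL: settlement file for card 4111 1111 1111 1111 attached."),
    ("msg-3", "Ticket 12345678901234 closed, thanks."),
]

if __name__ == "__main__":
    for mid, reasons in scan_all(MESSAGES).items():
        verdict = "BLOCK" if reasons else "allow"
        print(f"{mid}: {verdict} {reasons}")
```

The phone number in msg-1 and the ticket number in msg-3 both match the digit pattern but fail the Luhn check, so only msg-2 is stopped, on two independent grounds. In practice the same inspection sits on mail gateways, web proxies and endpoints, and every block or redaction is logged so that the security team learns about an attempted leak from its own telemetry rather than, as the article notes, from an external source months later.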
“What happened in the Bangladesh Bank, other banks came to know a month later; but by this time, they could face a similar kind of cyber security threat. If they knew, they would be alert.”
He said the central bank could also develop “ethical hackers”, as Singapore and Malaysia have done, who will help other banks know their “vulnerability”.
