‘You cannot stop cyber-attacks. Our target is to minimise the damage’ 

Cybersecurity has become a real headache for the banking sector of Bangladesh. Bangladesh Institute of Bank Management (BIBM)'s latest study found that 52% of banks are at high cyber risk, while some 32% are at moderate cyber risk, and only 12% are at low risk. The country's banking sector comes under a maximum of 630 cyber-attacks daily. 

The study also identified a lack of in-house IT expertise as one of the major weaknesses that put banks under cyber threats. Although the banking sector has seen significant growth in IT infrastructure, there has been a lack of security measures to protect banks from cyber attacks. The Business Standard spoke to Mahbubur Rahman Alam, associate professor at Bangladesh Institute of Bank Management (BIBM), who conducted the study to learn more.   

Our banking sector has invested 71% of its money in buying hardware and software over the past five years. But the amount of investment in cyber security is only 5%. Why are banks not interested in investing in cyber security?

There are many reasons why the banks do not want to take measures. But they do not always have the cyber security awareness of where they should invest. Sometimes, the banks follow the wait-and-see approach to see what other banks are doing and assess the benefits of investing in cyber security. Some banks have a fund crisis, while others lack awareness. 

The problem varies from bank to bank. However, the main problem is that banks never prioritise security because they do not try to understand that cyber security can be dangerous for a bank. But, after the reserve heist of Bangladesh Bank in 2016, some banks have increased their budget for cyber security. As the frequency of cyber-attacks has increased in recent years, banks are thinking of what to do about security. 

It is high time for Bangladesh to beef up cyber security because the number of cyber attacks has increased worldwide. Many countries which are under United States sanctions are desperate for dollars. They look for opportunities to hack credit card databases and foreign reserves. 

Is the motivation of hackers always money? Or are there other reasons besides money?  

Some people find it a pleasure to hack. Some hackers take hacking as a challenge and think that if they succeed, they will be famous. When a hacker becomes famous, they get a good job. Many companies buy them for millions of dollars. They have high value in the underworld market. Security companies like anti-virus companies often hire them with high salaries. They get substantial rewards. 

Again, there are states which have their own hacker groups to harm their enemies. They rear hackers for their safety too. The hacking occurs in the interest of politics too.   

For example, there is a war raging between Russia and Ukraine. If any of the countries involved can mount cyber attacks and successfully shut down banks and power stations, it benefits from the attack. India and Pakistan have been at war for a long time. North Korea hacks around the world. 

There are militant groups like ISIS, which also have hackers. The hackers work at the business enterprise level, too. If a company can damage another company, the sales of the other company increase. 

As far as I know, of all cyber attacks, 24% happened against the banks, and whenever the targets are banks, it is not always just for money alone; hackers also steal data from banks. The data from banks is sold in the underworld for crores. Companies buy these data from hackers for research and marketing purposes. 

What is the state of security of Bangladesh Bank after the reserve heist of 2016? After the incident, what improvement has taken place in the banking sector in general?

After the reserve heist in 2016, Bangladesh Bank has taken many steps to improve its security. The central bank has trained its full staff to raise awareness. The bank has bought new software and hardware to beef up its security. Bangladesh Bank is implementing big projects too in this regard. After the incident, the whole banking sector of the country is on alert. The banks started investing in security. 

But it is an ongoing process. Cyber attacks are inevitable. You cannot stop cyber attacks. Our target is to minimise the damage from cyber attacks. No one in the world can stop cyber attacks entirely. 

Are there any records of cyber attacks originating from inside our own country? 

Yes. We have found that around 2% of hacking is internal. Even some bank employees try to hack the bank they are employed in. They are those who understand IT well. For example, if an employee has not gotten a promotion and has sound knowledge in IT, they try to hack the system to take revenge. Sometimes, fired employees try to hack the bank. 

What can the banks do now to beef up the security in the banking sector? 

The main problem in the banking sector is that we don't get knowledgeable people. The existing employees do not reach the expected expertise level. Banks will have to train their employees on a regular basis to keep them updated with new technologies. Banks will have to train an employee every two years; otherwise, the technology becomes obsolete. The thumb rule is 18 months; the technology gets updated within this time. 

Next, new employees coming into the industry only have academic knowledge. This knowledge is of no use in the industry. It takes us five years to get them ready. One novice needs two years to understand the system and another three years to build expertise. In the last 20 years, we have seen that the most pressing problem in this sector is knowledge. The fund is not that big of a factor. We do not have knowledgeable personnel. 

I have proposed to set up a special institute called the Bangladesh Institute of e-Banking Research and Development (BIERD). Our neighbouring country India set up such an institute in 1996. It is 2022, and we have not taken such an initiative yet. The institute will create an IT-skilled workforce and conduct research and development. On many occasions, banks want to beef up their security, but they do not know how to do it. The institute will provide them with consultancy. 

Whenever any unwanted incident happens in a bank they usually keep it a secret. What does this mean? It means that the secrecy puts the rest of the banks at risk. In such cases, the institute will be notified, and it will place the other banks on alert. 

When the banks want to buy security products, vendors sell these products to different banks at different prices and enter into a non-disclosure agreement. As a result, many banks are ripped off. If we set up such an institute, banks will be able to seek suggestions from the institute and get help buying the right product at a fair price. The institute will also create hackers and keep the banking sector safe. 

We have seen in your study that 49% of cyber-attacks in Bangladesh come from China, North Korea and Russia. What is the reason behind this? 

If you conduct a similar study in any country worldwide, you will see that the number of attacks from these countries is higher. They mount cyber attacks worldwide. There is another reason, too: hackers know that South Asian countries are poor in knowledge and technology, making them easy targets. 

Hackers search for technically weaker countries all over the world, mainly South Asian and some African countries. There are different international indices, for example, the Cyber Security Index. Looking at these indices, they understand which country is weak and then they can hack it easily.