Md Mahbubur Rahman Alam, associate professor at the Bangladesh Institute of Bank Management (BIBM), said banks face up to 300 malicious software attacks a day, 60 percent of them by local hackers who, he said, can be trained as “ethical hackers” for defence.

He presented his study findings at a seminar on cyber defence on Saturday in the wake of the recent Bangladesh Bank cyber heist that led to $101 million being stolen.

The Chief Technical Officer (CTO) Forum Bangladesh organised the seminar, with the support of cyber security solutions providers FireEye and TVN, an ADN company, to make bank executives and technical professionals aware of the latest in cyber defence.

Global security experts along with Bangladesh officials including central bank executive director Subhankar Saha spoke at the seminar.

Alam said that since the central bank’s incident he has observed a growing interest among bank managements in investing in IT development. They have been pouring money into gap analysis and training.

“But even then eight percent of managements are reluctant to invest in IT and 24 percent will wait for the central bank’s directives,” he said.

“They don’t invest in IT, but they blame IT after incidents.”

While seventy percent of banks have no separate and independent IT security and risk management division, many banks have installed costly software in an “ineffective way”, the study found.

Prevention is not enough

An estimated Tk 300 billion has been invested in banks’ IT development since 1968 when Agrani Bank first installed a computer.

Each year Tk 10 billion is invested in IT across the banking sector, excluding the central bank.

But a major portion of the budget goes to buying hardware first, and then software.

Allocation for security, training and audit was “very poor” in the last four years, the study found. Only four percent of the IT budget is being used for security purposes and two percent for training.

But with technological advancement, cyber attacks have become the key threat to any system’s security.

Subhendu Sahu, head of commercial sales for the Asia Pacific region at FireEye, said about 60 percent of organisations learn from external sources that they have been attacked.

He said the threat grows with technological advancement, and the average time to contain a cyber attack has also increased: 31 days in 2014, up from 27 days in 2013.

“It takes an average 164 days just to get to know that your security has been breached,” he said.

“Prevention is not enough. The best prevention solution can be breached. Always keep in mind that you will be breached.”

“And for that there are some preparations,” he suggested.

He said preparing for the breach should be a part of the daily security routine of a company.

“The company should draw up a detailed plan and select those from the board who will deal with the attack when it happens. Each incident is unique.”

“But today is the best time for preparation,” he said, insisting that companies should not wait to be attacked.

“The whole security compliance should be looked at from the attackers’ point of view, not the consumers.”

Five key pillars

According to the security experts, a company must have the capabilities to identify, detect, protect itself from, respond to and recover from cyber security attacks.

The security experts at the seminar said those were the five key pillars. But the BIBM teacher, Alam, lamented that when he asked 25 Chief Technical Officers about those pillars, they replied: “We don’t know”.

“Seventy-four percent of IT heads lack ‘adequate knowledge’ of IT security,” he said, citing his study, which also found that banks had to spend money for many purposes, particularly reimbursements and audit and consulting services, after facing software attacks.

“But banks do not want to spend money on improving the IT security department,” he said, adding that the IT departments are poorly staffed and those who work there are overburdened.

“This is also a risk from the security point of view. They may cause intentional or unintentional security harms.”

“It is very much alarming that 91 percent of banks do not have a data leakage prevention (DLP) solution. To protect sensitive data, banks should introduce DLP as soon as possible,” he said.

A DLP solution is a system designed to detect potential data breaches and to protect data from any type of malicious activity, typically by inspecting data that leaves the organisation (e-mail, web uploads, removable media) for sensitive content such as account or card numbers.
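To make the DLP concept concrete, the following is an added example, written for this article and not code from any vendor, FireEye or the banks discussed. It inspects outbound messages for sensitive content the way a simple content-inspection rule in a DLP product would: card-like digit runs are confirmed with a Luhn check to cut false positives, a hypothetical account-number format (two letters, a dash, ten digits) is matched by pattern, and a constructed keyword list catches plain-language signals. The sample messages, the keyword list and the account-number format are all constructed assumptions for the example.

```python
"""Minimal outbound-content inspection in the style of a DLP rule (illustrative)."""
import re
from dataclasses import dataclass

# Candidate payment card numbers: 13-19 digits, optionally separated by space or dash.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
# Hypothetical account-number format assumed for this example: two letters, dash, ten digits.
ACCOUNT_RE = re.compile(r"\b[A-Z]{2}-\d{10}\b")
# Constructed keyword list; a real deployment would tune this to its own classification scheme.
KEYWORDS = ("confidential", "swift credentials", "password")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; a random 16-digit run passes only one time in ten."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Keep only the last four characters so the alert record does not itself leak the data."""
    return "*" * (len(value) - 4) + value[-4:]


@dataclass
class Finding:
    rule: str       # which rule fired
    evidence: str   # masked matched value, or the keyword


def inspect_message(text: str) -> list[Finding]:
    """Return every rule hit in one outbound message."""
    findings: list[Finding] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card_number", mask(digits)))
    for m in ACCOUNT_RE.finditer(text):
        findings.append(Finding("account_number", mask(m.group())))
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            findings.append(Finding("keyword", kw))
    return findings


def decide(text: str) -> str:
    """Policy: block on structured identifiers, send keyword-only hits to review, else allow."""
    findings = inspect_message(text)
    if any(f.rule in ("card_number", "account_number") for f in findings):
        return "block"
    if findings:
        return "review"
    return "allow"


if __name__ == "__main__":
    # Constructed sample messages, not real traffic.
    samples = [
        "Please process refund to card 4111 1111 1111 1111 today",
        "Order ref 1234567890123 shipped",
        "Sending the confidential report tonight",
        "Transfer from BD-0123456789 approved",
        "Meeting at 10am",
    ]
    for s in samples:
        print(f"{decide(s):6}  {s}  {inspect_message(s)}")
```

Two design points carry over to real deployments: evidence written to the alert log is masked, because a DLP alert store that holds full card numbers is itself a leakage risk, and digit runs are only reported after a checksum confirms them, since pattern-only matching on a bank's traffic drowns analysts in false positives.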

Alam suggested setting up an information sharing and analysis centre, as India did 20 years ago, so that all financial institutions can be notified if an incident happens at a bank.

“What happened in the Bangladesh Bank, other banks came to know a month later, but by this time, they could face a similar kind of cyber security threat. If they knew, they would be alert.”

He said the central bank can also develop “ethical hackers”, as Singapore and Malaysia have, who will help the other banks know their “vulnerability”.