Published in The Daily Observer on Tuesday, 10 May 2016
70 pc banks lack IT security infrastructure
BIBM research reveals
Around 70 per cent banks have no separate and independent IT security and risks management division or infrastructure, a BIBM research reveals.
The Bangladesh Institute of Bank Management also found that around 52 per cent banks are in high risks of information loss at any moment and 32 per cent under moderate risks. 12 per cent banks see such risks as low, while 4 per cent consider it as ‘very low,’ the research further found.
“Most banks have failed to establish IT security infrastructure and the central bank’s recent heist indicates that it has also failed to ensure cyber security,” Md. Mahbubur Rahman Alam, Associate Professor of BIBM, told the Daily Observer on Monday.
Pointing to the recurrent cyber attacks against financial institutions, he feared continuation of such sophisticated cyber attacks in near future. An absence of stern band effective cyber security regulatory norms has led to such cyber security problem, an issue ignored for years, Alam claimed.
However, since 1968 total investment in the banking IT sector up to 2015 was estimated at Tk 30,000 crore. A lion’s share of IT budget was used to procure hardware. But the budget for security, training and audit in banks was very poor in the last four years, the BIBM survey also found. An amount of 49 per cent IT budget went to the purchase of hardware in 2014, followed by 21 per cent for software and 20 per cent for networking purpose. The BIBM survey showed that only 4 per cent IT fund of the banks is spent for security purpose while 2 per cent fund is used for training purpose and the remaining 1 per cent for audit purpose.
On banks’ IT security and risks management condition, Mahbubur Rahman Alam said the condition in state-owned commercial banks is very weak. However, private commercial banks fared better in this regard, he said, describing foreign banks’ position as satisfactory.
Security awareness of both the bank customers and employees is a great concern, he said.
“Lack of long term vision, proper planning and initiatives, dearth of manpower, sufficient IT budget, weakness of business process reengineering, delay in procurement process and lack of advanced training are the main problems for the banks,” Alam pointed out.
As many as 88 per cent banks do not have documented and IT roadmap, he also said. Bangladesh Bank may take initiatives to develop an Information Sharing and Analysis Centre where all the members can discuss and share their opinions regarding various IT audit and IT security issues to mitigate the risks and make themselves aware of the latest security threats, Alam suggested.
On Bangladesh Bank reserve heist, he said the central bank should not have hidden the reserve stolen for a long time. “It should have been exposed to the members of the public when the investigation team detected the heist.”
Mustafizur Rahman, CPD Executive Director, told the Daily Observer: “Bangladesh now mulls introducing a wide scale mobile banking, internet banking and other online banking and financial transactions methods but it has not taken the cyber security issue seriously.” Human risks are a big problem for the financial institutions, said the CPD top official. Banks need to start proactively educating their employees and customers to prevent cyber threats. Banks should work on improving awareness of different threats, such as e-mail fraud and malware, Rahman suggested.
IT audit should be comprehensive, not based on sample, he said. Bangladesh Bank may increase the frequency of audit or monitoring to ensure a better banking information system, he suggested, insisting on stronger supervision and monitoring.
He also pointed out that the banking sector should have a centre for sharing electronic banking experiences, threads and frauds, problems and solutions. Bangladesh Bank with the help of BIBM and the forum of IT experts can take initiatives in this regard, Rahman added.