Bangladesh Journal of MIS, Vol.1, No.

2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

The Status and Threats of Information Security in the Banking Sector of Bangladesh: Policies Required
Muhammad Saifuddin Khan* Suborna Barua

Abstract
Information has been the greatest assets in this competitive age for any business. The success of financial institutions largely depends on the reputation in the market as these are fully service oriented institutions through protection of institutional and customer information. Especially for banks, to remain competitive and accelerate growth, adoption of new, up to date IT infrastructure is a must. Bangladesh, has witnessed a rapid expansion in the adoption of IT infrastructure with innovative tech-oriented financial products and services, and thus rapid growth in the banking industry with increased competition. Therefore, banking industry in Bangladesh is now considered as one of the fundamental industries. This paper tries to explore the state of information security, challenges in ensuring this, and suggests some policy options. The study finds that banking sector in Bangladesh are sufficiently vulnerable of different information security threats as they are already using many IT based platforms in regular business. Although almost every bank has its own ICT risk management guideline formulated by the Bangladesh Bank, yet these are not implemented with care in most cases. The sector perceives itself as vulnerable in terms of information insecurity due to varying nature of problems, and thus seeks for primarily government role to initiate a wide information security movement.

1. INTRODUCTION Organizational performance can be enhanced in sustainable way investing and utilizing in information resources. The same is true at individual level where corporations allow employees receive appropriate information in time (Chaffey & Wood, 2004). Adequate, accurate and appropriate, timely dissemination of information is possible only when corporations have efficient and effective information systems. Information systems must be aligned with organization goals and strategies to maintain, process and disseminate information that can be used for decision making by different stakeholders of the organization. Lack of a strong information system fundamentally increases the cost of organizations while trying to manage information in an unstructured, ad hoc ways (Petrides,
*

Muhammad Saifuddin Khan, Lecturer, Department of Finance, University of Dhaka, Dhaka-1000, Bangladesh. E-mail: msaifuddin_1@yahoo.com Suborna Barua, Lecturer, School of Business, United International University, Dhaka-1209, Bangladesh. E-mail: subornobarua@gmail.com *** Both authors have equally contributed to the article.

Electronic copy available at: http://ssrn.com/abstract=1569207

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

2004). And financial institutions are not an exception. One of the biggest challenges for a financial institution is the large bulk of customer and transaction information they preserve, and increasing networks everyday that enables the institutions to create innovative and useful services (Watanabe Y., and et al., 1998). Thus, a strong information system is far more crucial for banking institutions than others (Petroni, 2004). Inevitably, a dynamic management with its timely principles utilize the information technology and systems to promote new products and manage new business (Nagaoka, Ukai, and Takemura, 2006). It is extremely crucial because information security enables to gain competitive advantage, and creates new business opportunities (Horton. R. T and et al.). As a reference, in the U.S.A. the cost of credit card and different other chargeable cards fraud was around $985 million in 2000 burdened on both the customers and the companies (Kevin Coffee, 2003). Also internal flawed information security system also is considered as a big threat. In USA, National Institute of Standards and Technology (NIST) reported that faulty security systems cost the US economy $59.5 billion annually in the form of breakdowns and repairs (NIST, 2002).

Bangladesh is in such a condition where banks must remove any gap available in ensuring the information security. With a good number of local and foreign banks, Bangladesh a country with 150 million population, is experiencing in a rapidly expanding banking sector. Banks are widely introducing new products based on information technology to survive and remain competitive in the intensly competitive market. Therefore, the wide range of IT based financinal products available in Bangladesh certainly calls for efforts to understand the dynamics of required security of the information assets.

The study is divided mainly in six sections. Section one discusses the background information, section two illustrates the literature review, section three outlines the research objectives and methodology, section four presents the current scenario of the information technology based products and services along with the state of information security in Bangladesh banking sector. The fifth section discusses in detail the in depth analysis of survey and study findings, and finally section five identifies the challenges and solutions, recommendations and conclusions to the paper.

2. LITERATURE REVIEW

Electronic copy available at: http://ssrn.com/abstract=1569207

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

The worldwide Information Security market was worth $6.7 billion in 2000. With a Cumulative Annual Growth Rate (CAGR) of 25.5 percent, this market is projected to more than triple to $21 billion by the end of 2005 (Network Magazine, 2003). Information security is basically comprised of ensuring five key terms confidentiality, integrity, network security, application security, and host security (Usher A., 2006). Information security means administrative and technical actions to ensure that information can be accessed only by authorized persons, information cannot be changed by unauthorized persons and information systems are available to authorized persons (Finnish Act on the Protection of Privacy in Electronic Communications, Shkisen viestinnn tietosuojalaki, 16.6.2004/516) (Holappa J., et al., 2005).

In the UK, financial institutions perceives data breaches (any form of frauds/concealment) as a major reputational risk that would create a direct financial loss through regulatory fines, recovery costs and loss of business (Logica, 2008). In Australia, Consumers Telecommunication Network 2006 report stated that a vast majority of consumers have experienced many e-security threats despite using a range of security products. Banks generally uses digital security to maintain competitive advantage, build brand image, and meet statutory regulations (Rai, 2008).

An Atlanta ARMA meeting in May 20, 2008 shows the trends and observations on threats to information security in 7 broad categories that include: a) strong and enhanced hacking b) existing unfixed vulnerabilities, c) increasing number of strong malwares d) web browser exploitation by users, e) uncontrolled liberal use of wireless internet at the niche level, f) deliberate remote access connectivity via virtual private networks (VPN), and finally, and g) increased phishing leveraging readily available personal data and common file attachments. The danger of niche level massive wireless usage and remote access is that a single insider can cause extensive financial damage or irreparable damage to an organizations data, systems, business operations, or reputation (Keeney M, et al., 2005).

Usmani K. (2008) identifies the threats to information security in four broad categories: malware, attack through e-mail, spam associated threats, and phishing. Malware threats reduce system, network and workstation performance thereby employee performance. These

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

threats include stolen user ID and passwords, unauthorized access to confidential information, Loss of intellectual property, remote access of companys PC, and theft of customer data. Threats to email include loss of confidentiality, lack of data origin authentication, lack of non-repudiation, and lack of notification of receipt. The other category spam generated threats include dangerous viruses, worms, trojans, and spywar. The last category of security threat is phishing causing hacking of credit card information, system information, and account information. Apart from hacking this also includes use of lucrative email messages and web pages that provoke users into submitting personal, financial or password data.

These results also reconfirmed by a statistical study of internet security threats by James G. D. (2007) stating the rate of infections in 2006 in USA spam (75% with productivity loss of $21.6b per year), trojan viruses (31%), and spyware/malware (89%), phishing and hackers. In November 2006, the attempt rate of hacking and stealing information in UK banking brands was 11% while 75% of false banking sites targeted clients of US banks. (James G. D., 2007). Globally, the UK hosted 2% and US hosted 63% of phishing sites globally (RSA Stats, 2006).

Researchers and practitioners have examined the factors behind managing the information security critically. For different threats, they have shown different measures how to deal with the threats to information security. To protect the increasing threats, in the life, savings and investment, and pension sector, all the companies reported that their security budgets had increased significantly over the last one-to-three years, while two companies say that they will double security spending in 2008-09 (Logica, 2008). The Logica (2008) report also stated In the UK, the real cost of a data breach might be nearer the American level of 3.3 million ($6.3 million) per incident including the average cost of a data breach was more than 1.4 million in 28 data breaches across eight industry sectors of which financial services industry was 17 per cent higher. According to Usmani K. (2008) to fight malware; good user education, keeping the operating system up to date by installing operating system security fixes and program patches, using firewall protection, using anti-spyware softwares, using monitor logs for unusual traffic. For email security securing the server to client connections and the end-to-end email delivery is crucial, beware of emails from unknown parties (unsolicited emails), not to open suspicious attachments and spams, and avoid registering in 4

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

external mailing list. Usmani K. (2008) also suggested a must use of updated antivirus, anti Spyware, and spam filters to avid phishing. To ensure highest level of information security, the State Bank of India manages their information security based on six pillars security governance, consulting, compliance, incident control, monitoring, and security awareness for its stakeholders (Kishore. P., 2008).

It is important to note that the future is obviously will be harder as the information technology advances than what it is today, and will need very concentrated effort. Information security threats and attacks are becoming exponentially sophisticated, communicable, and threatening (The Business Edition, 2006). Libicki (2008) shows some ways how the future problems may be. According to Libicki (2008), use of learning system or neural nets may result in massive destruction if the base on which it works is wrong, and badly designed agents, servers cycling forever for an answer, mutually destructive server-toserver communication, or and malevolent agents looking for certain outgoing mail, fast growing hi tech hacking. Moreover vulnerable wireless security protocols, increasing attacks through cross-site scripting (XSS), cross-site request forgery (XSRF), generating malicious softwares that can bypass most (if not all) of the current signature-based antivirus products by hackers using simple commands, attacks through websurfing in corporations, and a possibility of fall in training budget (Strand J., 2009).

The Georgia Tech Information Security Centre (GTISC), on October 2, 2007, predicted for 2008 a number of cyber threats that may be dangerous for information security such as clientside attacks, and targeted messaging attacks. On the other hand another IBM's X Force report for security and trend statistics has evaluated the various classes of threats, including an in depth analysis of 410,000 new malware samples that shows that gaining unauthorised access (50%) followed by denial of service (13.8%), data manipulation (11.2%), obtaining information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file manipulations (1.3%) are going to be the biggest information security challenges in the near future (Anand V., 2008). Other than the popularly known threats such as hijacking websites poisoning Domain Name System (DNS), difficulties in tracing parties storing and transferring data in complex and huge corporate network, extensive and liberal use of Social Networking Sites (SNS) may become a dangerous area for data privacy and security as the industry experts in UK commented (Heath N., 2009). 5

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Usher A. (2006) identified traditional threats such as hacker activity, worms & viruses, spam, spyware, and phishing where network security strategies do nothing to protect against devices connected inside the enterprise network (widespread use of wireless technologies and secondary storage). For protection from the threats Usher A. (2006) suggested five points assessing technology environment regularly, adapting updated security policy, having a rigorous and effective user awareness plan, putting policies and procedures into action effectively, and finally assess effectiveness and revising policies if needed. Threats to information security are increasing day by day. These dynamics are changing and taking extremely difficult-to-prevent shape. Therefore, this generation information security wave is about Security Audit and Certification. This covers not just technology, but also people and processes. Enterprises will approach security from the attacker's end and safeguard against new risks like social engineering and dumpster diving.

3. RESEARCH OBJECTIVES AND METHODOLOGY

Financial institutions in the globe have many different forms for example central banks, commercial banks, securities brokers, and life insurance companies. Despite the increased and expanded networking, banks have to analyze transaction data for any given customer so that it can offer customers better personalized service (Watanabe Y., et al., 1998). Evidently, a study on nationalized banks of the Florida state empirically proves the positive role and contribution of information systems to a banks efficiency (Gupta U. G. and Collins W., 1997). The Federal Financial Institution Examination Centre and Federal Deposit Insurance Corporation have laid out different policies, regulations and guidelines to ensure secured information system in Banks. The rapid expansion and global reach of financial institutions, especially who offer products and services to clients worldwide online are in greater danger. Evidently, the National Criminal Intelligence Service has shown an exponential growth of computer crime in the United Kingdom (NCIS, 1999). Thus an integrated system for finance, management, marketing and other functional areas have to be built in financial institutions.

Realizing the need for study in this area, the objectives of the proposed study are framed in the following terms in the context of Bangladesh:

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

(i) To identify the different dynamics, quality and areas of use of information techonology in the banks. (ii) To Identify and investigate problems relating to information security and threat in the banking sector. (iii)To identify critical success factors for effective information security with particular reference to the banking sector. (iv) To discuss the future of information security and threat in the banking sector, with the growing consciousness of information security.

METHODOLOGY The study uses both primary and secondary data. Secondary data has been obtained from different online and physical sources. The major strength of the study is the primary data it has used. A four page questionnaire with 40 questions has been used to accumulate primary data. The questionnaire was sent to a total of 15 banks but 11 of them responded. The study is designed and enriched in detail analysis of all the data and information acquired from the filled in questionnaire of the 11 banks. This list of 11 banks is shown in Appendix-4 of this study. The study is divided mainly in three sections. Section one discusses the preliminary issues, literature review and background information, section two details the state of information security and the in depth analysis of survey findings, and finally section three identifies the challenges and solution approaches in ensuring information security in Bangladesh followed by a concluding paragraph.

4. IT BASED PRODUCTS AND SERVICES IN BANGLADESH BANKING SECTOR

Although many banks in Bangladesh are providing electronic services to their customers the level of involvement of electronic methods is yet to be in full fledge in delivering and managing the business. Because they offer some of the functionalities of the complete electronic banking like intra-bank transactions, Letter of Credit (LC) and foreign exchange etc. In case of inter-bank transactions, central bank authority handles the procedure. Banks as well as employees are benefited implementing information technology in Bank because this system has some advantages over traditional system. Advantages are as follows: faster information handling and processing, to accomplish audit, government officials need to go to every bank. After IT implementation they do not need to go to banks rather they can collect 7

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

the same information through network and audit report can be generated within few minutes. In traditional system it is time dependent to transfer money from city to remote area and also a matter of some investment. During the transfer time the money is idle so its a great loss for the bank as well as customers. Electronic system can be used to transfer money within a few seconds (Intra-bank).

INFORMATION SECURITY IN BANGLADESH Bangladesh has realized that information security is an important business accelerator. For example, the policy makers feel it as an urgent need to develop a cyber crime legislation that will ensure cyber security or information security through internet. Policy makers of the country are currently in the process of including privacy policies, trust marks and other selfregulatory measures for the development of products and provision of services and the implementation of the necessary measures for establishing consumer confidence more importantly in the banking sector. Survey shows that only 11% of banks have inter-branch connectivity through CT network (WAN). Some 70% of solution providers for WAN are of local origin. At the head office level some 95% of banks use banking software. Currently around 24 types of banking software are available in banks (Raihan, 2001).

INFORMATION INSECURITIES AND THREATS IN BANGLADESHI BANKS As almost all the Banking service providers thinks that certain information is at risk, 66% Banks have access control over customer information system and 95% have a physical security program which defines and restricts access to information assets as well as protects against destruction, loss or damage of customer information. As a result 95% Banks strategic planning process incorporate information security, 80% of those have employee security awareness training program and possess policies/procedures for the proper disposal of customer and consumer information. Again survey shows that 75% Banks in this industry are serving as a merchant issuer for credit card activity, all of those hold written policies/procedures that address approval/termination, underwriting, fraud and credit monitoring, password tracking, security of credit card information. They also possess wire transfer policies/procedures which address responsibilities and authorizations, separation of duties, funds availability/credit limits, information security, business continuity plans, insurance protections and vendor management. 8

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Because of highly competitive market environment training up of employees within the organizations is inevitable for long run sustainability and profitability now days. For keeping the employees up-to-date banking services providers arranges various training programs. In case of providing training 66% of them hire trainers from out side. Both On the Job Training (learing by doing as an employee while in a job) and Off the Job Training (training from formal training instiutites) are commonly in practice. A few (20%) have their own trainers. In case of providing training, Bangladesh Institute of Bank Management (BIBM) & Bangladesh University of Engineering and Technology (BUET) has been playing the pioneer role. Though providing training to the employees depend upon need for technology implementation raised by the situation, the Bank Ultimus, PC banking training courses, Basic trainings on Stayler, Trainings on Money-Gram System, and Trainings on Tair-Drill etc. are common among organizations.

Trojan virus, Spy ware/malware, Spam, Hacking and stealing information, Dishonest insider, Phishing, Worms, Web browser exploitation by users, Deliberate remote access connectivity, stolen user ID and Password, Modification of data etc. these are now the most common name in the world of online threat. In Bangladesh more or less they had already introduced their enough vulnerability to Banking Industry. Some 40% of the Banking service providers are aware enough about Trojan virus and Spam because they have to face it with a very high frequency along with a low intensity of information losses by them. But the amount of recovery is very high. Another 40% are frequently facing spy ware/malware but in such case 20% of these victims face it with high frequency causing a very low intensity of information loss and rest other victims faces it with a rare frequency. Other online threats are rarely faced with a very low level of information loosing intensity.

IT PLATFORMS USED The rapid development and inclusion of information technology has both aided the development of the banking industry in Bangladesh and also has created riskier environment for information pass away in Bangladesh. The rapid advancement in IT tools have given the banking system in Bangladesh an accelerated pace in service expansion and product diversification with higher quality. As the sector is yet to get the maximum utilization of the state of the art technology, banks are rapidly applying available and suitable tools to increase 9

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

their power in the highly competitive environment. The survey conducted for this study explores the different dynamics of the practicing technology and thereby preparedness to ensure information security in the banking sector of Bangladesh. The major IT platforms used by around 90% banks in Bangladesh are detailed below:

Automatic Teller Machine (ATM): All surveyed banks have own or shared ATM networks where ATM services are widely available for more than 70 percent of the banks operating in Bangladesh. Dutch Bangla Bank Limited has leverage of the largest ATM networks of more than 200 ATM booths throughout the countrys almost every part. As on October 2007, Bangladesh has 438 ATMs (Daily Star, 2008), 10,526 POS, 7.7 lakh debit and 30,000 credit cards issued by all banks in the country. The volume of transaction using ATMs has increased substantially during the last few years due to the availability of booths and the benefit of non-cash money.

Online Banking: Online banking allows bank transactions to be conducted within closed or open networks. Online banking is considered to be a segment of e-business to the extent that banks are involved in the conduct of business transactions via electronic media especially through internet. Currently full fledged online banking service is offered by top banks in Bangladesh including Standard Chartered Bank, Eastern Bank, Dutch Bangla Bank Limited, Southeast Bank Limited. Services in online banking in Bangladesh include online balance checking, instruction delivery, account monitoring etc. While conducting study on the online banking, we observed that only eight private commercial banks started truly online banking but no nationalized banks yet to introduce online banking in a sense. All the Foreign commercial banks are operating their banking through online procedures. It has been noticed that almost fifty percent of the private commercial banks started computerized banking which actually do not serve the purpose of online banking.

Virtual Private Network: Almost 50% of the surveyed banks have virtual private network in the form of wireless intranet intra organization networking. Using the intranet employees inside the banks exchange data and information with each other. In major cases banks have no restriction or control on employees in sharing information inside the organization though intranet.

10

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Wide Area Network or Local Area Network (WAN or LAN): Some 95% banks reportedly have either WAN or LAN or both. In most cases, banks in Bangladesh have LAN which is created inside the organization that is accessible from different branches in different locations within the city. The nature is similar to MAN or Metropolitan Area Network.

Network Server: A network server is a mass storage or a designated computer used to the process of storing, delivering, managing data for the users over a local area network or the internet. Such as Web servers, proxy servers, and FTP servers. In over all sequence a network server is designed to manage network traffic. Almost every banking institution of Bangladesh has its own network server, where as every authorized employees has access in that network server. They have specific server space, names and IDs. They generally use this space for storing data, financial analysis and backing up account information.

Wireless networking: Networking without wire is very popular in Bangladesh. Wireless network is one of the common mean of Remote Information Transmission (RIT) through telecommunications network, electromagnetic wave and mostly by radio wave. In previous period the top most telecommunication companies only have the authority to use and provide wireless internet opportunities to the customers. But now institutions like banks or Multinational Companies (MNCs) have the authority to serve these opportunities to the customers and use in internal operations. Bluetooth devices, WLAN, WiFi, WiMAX and Fixed Wireless Data are some of the best used means of wireless network.

Modem or modem pool: A modem is a kind of device which transfers digital data through analog wave. In recent age people almost use motherboard with inboard modem under builtin technology. Corporate companies like banking institutions have a great use of modem under a host server. They are pooling their modem through 56 to 128 kbps speed. In order to ensure rapid expansion of services and accelerated increase in internet penetration much and more people are getting opportunities to use modem and modem pools.

Portable devices (PDAs, Laptops, Cell phone etc.) : Potable devices are the powerful devices of data transformation which is easy to carry out .The banking institutions have a standard security protocols in using the portable devices in the office. The use of PDAs,

11

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

laptops and cell phone are seen greatly in these institutions. Almost every middle and top class executives are using portable devices frequently with the permission of their institution.

5. CRITICAL FINDINGS AND ANALYSIS

The information security survey on Bangladesh banking sector and detail examination on this sectors information security concerns have yielded the following critical findings.

5.1 Level of Use and Access of IT Platforms Apart from the traditional manual banking products, a broad spectrum of electronic banking services is available in Bangladesh with different degree of penetration. Credit card service is provided by 23.1 percent of banks (PCBs and FCBs). As the survey result shows, the credit card service is from VISA, MasterCard and VANIK are more popular and expanding. Table-1: Available IT Based Products of Banks Product Name Credit card service Tele-banking Electronic fund transfer Online corporate banking Electronic debit card Merchant account services and internet banking % of Banks offering 23.1% 19.2% 15.4% 7.7% 3.8% 7.6%

Source: Information Security Survey on Bangladeshi Banks, 2009

Tele-banking is second most penetrated e-banking service in Bangladesh. ATM is gradually becoming popular in major cities. Some foreign banks provide electronic fund transfer services. A group of local banks have introduced shared ATM network which has increased availability of this type of electronic banking service. At present 7 (seven) private and foreign banks namely Southeast Bank Ltd, Dhaka Bank Ltd, Al-Baraka Bank (Bangladesh) Ltd., National Bank Ltd., Islami Bank Bangladesh Ltd., and National Credit and Commerce Bank Limited are providing full fledged internet and online banking facilities. The Network will gradually be extended through out the country. Credit card is also a very popular service in Bangladesh; during last five years the growth of credit card market is almost 100 percent.

Table-2 illustrates the percentages of the above features on the basis of their level of access within the regular working environment of Banks in Bangladesh. According to the use of these features by both internal and external parties, internal parties enjoy 100% access to 12

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

these facilities where external parties possess almost 80% access. Table-2 illustrates the level of access of both of these parties to these facilities. Table-2: Level of Access and Use of these features by both of the parties (%) Level of use by External Parties out of 80% access Very High Low High 40 33 66 66 37 33 66 70 30 Level of use by Internal Parties out of 100% access Very High Low High 33 33 66 75 20 80 80 80 60 40 -

Features (Level of Use) ATM Online banking Network server Phone banking Wireless network: LAN WAN Modem of modem pools Security devices

Source: Information Security Survey on Bangladeshi Banks, 2009

Information of the bank is kept much secured by providing a limited access to the employee according to their positions and also according to the requirement of business policies. Without proper authorization employees are not allowed to use any kind of flash drives or any kind of mass storage devices. Generally employees are allowed to check mails only for visualization of their instructions or understanding the situation. They can not edit or use it for any other means. Even employees have strict restrictions on using their provided PCs. They are not expected to move any where without shutting it down, but accidentally if some one, by the built-in-system the PC will shutdown itself within 3 minutes. And the person responsible will have to go through a penalization procedure. In many cases, the unauthorized 100% access to all the platforms by dishonest insiders also may cause a great loss, and thus expose the organizations to greater degree of risk. Therefore, from that perspective the 80% access level by externals also seems to be pretty high. These all are because there are a clearly stated policies, procedures and guidelines for securing, maintaining and monitoring the system in ones own IT environment. Table-3 in the policy section illustrates the percentages of Banks written policies, procedures and guidelines for securing, maintaining and monitoring the following system or platform under their own Information Security Program.

13

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

5.2 Quality of Technology Used in Information Management

This is obvious that the quality of the technology used to manage and protect the information is a very important aspect. This is because an underdeveloped or old aged technology may case severe cost financially or any other way when banks face large physical damage of hardwares (such as storage devices, machine breakdown or inability to create data and information backup). Poor quality technology also creates vulnerability as it may not prevent unauthorised access and sharing of information because of its incompatibility with updated security protection tools. Interesting findings were there regarding the quality of technologies used by the banks while working with different identified platforms. Table-3 illustrates the findings form the survey.

Table-3: Quality of Technology Used Available Features

ATM Online banking Virtual Private Network Network server Wireless network: LAN WAN Modem or modem pools Security devices Other remote access connectivity Portable devices

(%) Very High

20 40 40 66 95 5 85 40 60 66

(%) High
40 60 40 20 95 15 50 30 34

(%)Low
40 40 20 14 5 10 10 -

Source: Information Security Survey on Bangladeshi Banks, 2009

The quality of technologies is alarming in case of ATMs which are widely and popularly used by daily customers. Even though this has been on of the very important tool to remain competitive in customer service delivery, only 20% of the banks have reported that they use very recent, high end technology in providing ATM services. Some 40% were reported their technology used in ATM services as low. This is quite an important indication that ATMs as serves as information storage, processing, and transferring, any damage to the low end or low quality technology may cause in severe damage in goodwill and thus significant loss in business. The highest quality is used in Wide Area Networking and Local Area Networking that allows the employees to access, share and transfer data and information through wireless and wired technology respective. This finding substantially validates the faster deliver techoriented products and services by the Bangladeshi banks. Another major observation is the 14

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

use of high end technology in monitoring and controlling data transfer that protects the information to be secured. Some 90% of the banks use at least high end secured technology posing the rest 10% banks into risk of unauthorized data and information transfer beyond the poor security technology.

5.3 Risk Analysis Survey tried to find out the perceived degree of risk form the responding banks. Some 34% banks perceive the current situation of information security is not enough to prevent any virtual or physical damage of information management system. Therefore, around 60% of the surveyed banks believe they are in high or very high degree of risk of information loss at any moment. Reasons to this perception despite having ICT policy in every bank were interesting. Table-5: Degree of Information Security Risk Perceived by Banks Degree of Perceived Risk Very High High Moderate Low Very Low % of All Banks 34% 26% 17% 19% 4%

Source: Information Security Survey on Bangladeshi Banks, 2009

Table-6: Why Banks Perceive Riskier Information Environment Reasons for Perceived Risk Lack of adequate knowledge Lack of Training Do not have quick response ability Not Updated with the high end solutions regularly (time lag exists) % of All Banks 47% 76% 49% 24%

Source: Information Security Survey on Bangladeshi Banks, 2009

The major causes found why the banks feel themselves posed to greater degree of risk are shown in Table-6. Essentially proved that the employees in banks are almost in all cases do not have proper training on the importance and process of securing information. Lack of training initiatives, resource persons, under prioritizing the training need are causing banks not to train their manpower. This also leads to lack of adequate knowledge on information security management that has been responded by 47% banks as a cause of their perceived risk. The top management or the directors are also in many cases observed not to be aware of the issue. The inadequate resource availability and prepared is essentially making banks stagnant and thus not prepared to respond instantly to any sudden damage takes place. Some 15

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

49% banks think this as a major reason for their perceived risk. And the other major reason is the irregular and infrequent update to the up to date technology, software, and information security threats (24%). This is also due to probably the under-prioritizing the issue of need for better information technology.

5.4 Policies Used By Banks in Bangladesh The banking industry has changed in the way they provide service to their customers and process information in recent years. Information Technology has brought about this momentous transformation. IT Management must ensure that the IT functions are efficiently and effectively managed. They should be aware of the capabilities of IT and be able to appreciate and recognize opportunities and the risk of possible abuses. They have to ensure maintenance of appropriate systems documentations, particularly for systems, which support financial reporting. They have to participate in IT planning to ensure that resources are allocated consistent with business objectives. They have to ensure that sufficient properly qualified technical staff is employed so that continuance of the IT operation area is unlikely to be seriously at risk at all times. IT Management deals with IT policy documentation, Internal IT Audit, Training and Insurance. There is a specific guideline detailed by the Bangladesh Bank which every bank follows. Therefore the banking industry has developed own information management policies based on the given guideline.

Table-4: % of Banks Having Policies Regarding Information Sharing Platforms Systems or platforms covered by the policy ATM Network server Online banking Virtual private network Payment system (including ware transfer and ACH) Portable devices such as PDAs, laptops, cell phones etc Remote deposit capture Wireless network Modems or modem pools Security devices such as firewall(s) and proxy devices No. of Banks possess such policies 80% 73% 71% 77% 63% 55% 41% 47% 57% 44%

Source: Information Security Survey on Bangladeshi Banks, 2009

Statistics in Table-4 shows quite a good status. Banks having different IT platforms for information processing, sharing, and transferring have separate written policy documents. 16

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Some 70% to 80% of the surveyed banks have documents that guide the use of the ATM, online banking facility, network server, and virtual private networks. This is a very good sign because apart form the ATM, all other platforms are very important channels of information access, sharing, and transferring. Therefore, having documents to shape the use of these platforms certainly prevents unauthorized access at least to a minimum degree. But

alarmingly, more than 50% of the banks are using wireless network, firewall and proxy security tools, and remote access without any written policy guideline or code of use that poses these banks to extreme degree of risk. It is because all of these platforms in this current age are considered as the most likely channel through which people can try to have unauthorized information access and sharing.

Bangladesh Bank on October, 2005 outlined a common ICT risk management guideline titled Guideline on Information & Communication Technology for Scheduled Banks and Financial Institutions to ensure security of information and information systems that covers all electronically generated, received, stored, printed, scanned, and typed information, and has been made mandatory for all banks and non-banking financial institutions. The guideline is formulated presenting the minimum preparation of the institutions regarding all activities and operations required to ensure data security including facility design, physical security, network security, disaster recovery and business continuity planning, use of hardware and software, data disposal, and protection of copyrights and other intellectual property rights. The guideline clearly outlines the policies for IT Operation Management, Physical Security (Tier-1, Tier-2, Tier-3), Information Security Standard and Service Provider Management.

5.5 Government Regulations on Information Security

Every bank having IT systems must have an IT POLICY which must fully comply with this IT Guideline and be approved by the Board of the bank. For foreign banks the document must also be in conformity with their global policy document. This document will provide the policy for Information & Communication Technology and ensures its secured use for the banks. It establishes general requirements and responsibilities for protecting ICT systems. The policy covers such common technologies such as computers & peripherals, data and network, web system, and other specialized IT resources. The banks delivery of services

17

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

depends on availability, reliability and integrity of its information technology system. Therefore each bank must adopt appropriate methods to protect its technology system. The policy will require regular updates to cope with the evolving changes in the IT environment both within the bank and overall industry. The senior management of the bank must express a commitment to IT security by continuously upgrading awareness and ensuring training of the banks staff.

The Bangladeshi government is working to make a law to check computer hacking in the country with punishment of 10 years prison term or fine of 1 million taka (14, 300 U.S. dollars) or both to the hackers. The law named "Ministry of Information and Communication Technology Act 2006" will have provisions of establishing cyber- tribunal. Under the law, those who give obscene information or do things which are defamatory to others, disclose secrets through computer will also be punished. The law will have provisions against committing crime using computers.

5.6 Challenges in Ensuring Information Security

The problem is that Nationalized Commercial Banks (NCBs) are the unique market player with more than 50 percent of market share, so ICT penetration is more crucial for this category of banks. Some midrange and mainframe computer systems are available in the banking sector. Some 95 percent of the surveyed banks in have Management Information Systems. But only 38 percent MIS are integrated to the Transaction Processing System (TPS). Moreover, the absence of adequate physical resources (e.g. computer hardware and software) and weakness in course contents in the training institution will adversely affect the quality of output from the institutions (Chowdhury, 2001). Table-7: Challenges to Ensure Better Information Security Challenges Lack of adequate knowledge Lack of Proper Training Do not have quick response ability Lack of Active Government Responses to the need Not Updated with the high end solutions regularly (time lag exists) Human Resource Constraint % of All Banks 67% 56% 55% 44% 17% 7%

Source: Information Security Survey on Bangladeshi Banks, 2009

18

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

The survey findings on major challenges identified by the institutions are detailed below:

Lack of adequate knowledge: As explained in the earlier sections the top management and the employees at different levels in the banks are not really aware on the danger and importance of addressing the issue. Therefore, in many banks, as opined by the bank respondents, the issue of information security is not taken into consideration as prioritized. Therefore, this creates opportunity for the dishonest people or hackers pass out information at any moment due to the lack of awareness. Some 67% of the banks have agreed on this point.

Lack of Training: Employees even in many cases the top management of the banks are not equipped with adequate and up to date training on making secured environment for information management. Some 56% banks feel that they have no or insufficient training for all employees. Therefore, the strategic importance of information security is once again undermined by the employees at all level in the banks and thus deliberately or unknowingly creates opportunities for information loss through information loss or physical damage. Lack of specialized training centers is also a pivotal cause behind this.

No Adequate Preparedness: Adequate preparedness at the time of accident or damage enables banks to recover the information, business or financial losses. But unfortunately some 55% of the banks believe they are not prepared enough and thus ensuring a better secured environment to manage and contain information has become very risky.

Under-prioritization by the Government: Bangladesh as a developing country is encountered with hundreds of problems she is facing every day. Information security has been treated not as a priority issue yet that may create a strong and secured environment for information management very immediately although some recent developments have been observed. Some 44% banks believe this as a major challenge as the development of such an environment must be ruled and initiated through the national and international experts by the government

Not Updating Security System Regularly: Some 17% banks believe that banking sector in Bangladesh is yet to have pace in regular updating the software and up to date security tools such as antivirus, firewall, proxy settings to prevent Malware, spyware, Trojans etc. There are 19

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

many banks which do not spend much time and pay less attention in updating their hardware and software. This is also another proof of under-prioritizing the issue.

Human Resource Constraint: Some 7% banks believe that there are not much expert human resources in the country who can supervise the whole industry in creating an enabling environment in the banks to secure information. Lack of national expertise or consultation is creating drawbacks in the process of developing a knowledge base and the infrastructure on information security.

6. CONCLUSION AND RECOMMENDATION

Table 8 below lists the major suggestions accumulated from the surveyed banks on the issue of how to create a better environment to protect information.

Table -8: Suggestions to Ensure Better Information Security Challenges to Ensure Better Information Security Active Government Initiative Putting Priority Making Training Programs Mandatory Central Monitoring by the Central Bank Establishing Specialized Training Centers Creating Awareness on Information Security % of All Banks 83% 58% 54% 46% 41%

Source: Information Security Survey on Bangladeshi Banks, 2009

Active Role of Government: In developing the information security infrastructure, government should play the leading role as much as 83% of the respondents believe. Government should facilitate and impose if necessary, conditions to develop this infrastructure through the Ministry of Finance, and Bangladesh Bank. Therefore strategic priority should be given to this issue by the government while developing development programs.

Mandatory In-house or Outsourced Training Programs: Some 58% banks opined that Bangladesh Bank the central bank of Bangladesh must make the in-house or outsourcing of training for all employees of every bank. This policy direction would make the banks more proactive in creating conscious human resource pool that would contribute in preventing unauthorized access to information. 20

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Central Monitoring by the Bangladesh Bank: Bangladesh Bank as the facilitator and monitor of the whole banking industry should have separate monitoring and supervision division dedicated to monitor the information flow and preparedness of banks in mitigating information insecurity. Some 54% respondents believe this would help the whole industry to be more efficient in information management. This would require the Bangladesh Bank develop its own strong and up to date infrastructure. The Bangladesh Bank also should oversee that ICT policy proposed by itself is implemented effectively.

Establishing Specialized Training Centres: As information management and ensuring information security requires some degree of technical and ethical education, it is necessary to establish specialized training houses on this issue (46%). Moreover, banks also must have a separate training division or regular training programs to train their fresh employees. Banks which already have training centres or divisions may include the information security issues in the course curriculum.

Creating Awareness on Information Security: A very important strategy is creating awareness (suggested by 41% of the surveyed banks). This is especially important since protection of information requires a highly ethical environment. To create awareness, awareness programs can be introduced regularly or occasionally nationwide by banks individually or by the Bangladesh Association of Bankers or the Government itself.

Apart form the survey findings; the study identifies some very important points that might serve as valuable starting points for ensuring information security.

Integrated Efforts of Associations: Alike NASSCOM in India, Bangladesh has two associations that deal and facilitate the information technology sector of Bangladesh Bangladesh Association of Software and Information Services (BASIS) and Bangladesh Computer Society (BCS). This is evident that NASSCOM has been excellently facilitating the skill development offering a number of programs and also helping the government to reduce the information security vulnerability. Specifically for the banking industry, BASIS and BCS should work together with the government of Bangladesh to update regularly the ICT policy, provide regular training to the old and fresh employees within the organization, 21

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

establish large scale and nationwide central training and monitoring centres, facilitate banks with adequate expertise etc.

Making Mandatory Compliance with International Standards: The Bangladesh Bank may require every bank in the industry to comply with the international information security laws and standards such as BS 7799 or ISO 17799. Not only ensuring the compliance Bangladesh Bank must have to regularly oversee whether any update in the international standards are complied immediately in effect.

Making Use of Licensed Products Mandatory: As a developing country, Bangladesh many corporations are still using unauthorised, pirated software products that are not licensed that create a great risk of losing information or data (at least if a software becomes inoperative or corrupt suddenly). The piracy prevention programs must have seriously conducted to identify such practices.

Survey of Information Security Status: Regulatory authorities in Bangladesh should be conducting surveys on practices and challenges on the banking industry to understand the quality of the information security policies. Bangladesh Bank in coordination with BASIS or BCS may help every bank to develop internal comprehensive information security guideline.

Concentration of IT Education: There are 15 science and technology universities in Bangladesh producing thousands of IT graduates every year. This has been observed that the best graduates usually leave Bangladesh as there is less number of very good opportunities. Information security infrastructure can create an excellent platform for these graduates for a very good career. Moreover, around 50 percent of these universities are not really producing graduates of international standards. Therefore, two things the Bangladesh government should ensure as China has done: incorporating a comprehensive updated coursework in the curriculum of IT education, and then creating a national information security platform to accommodate these graduates.

The corporate sector of Bangladesh has not yet felt the pinch of information security vulnerability much. Every industry in the country is still rising and therefore their strength and resources are also still developing. There are some industries such as the Banking, Non22

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

Banking Financial Institutions, Telecommunication etc. which deal with millions of customer and institutional information everyday. Especially the performance and reputation of banks are largely sensitive to the information security. Some banks have already faced some security threats and thus have born a good amount financial and reputation loss (such as National Bank Limited). Lack of awareness, training of employees, unavailability of proper expertise, guidelines and consultation has resulted in such loss. But the situation as expected the respondents of the survey may deteriorate in the coming days. Banking sector in Bangladesh has been rapidly expanding. Therefore there is a sheer need and importance of information security. The study shows that banks in Bangladesh have different platforms of information processing, sharing, and transferring. Many of these banks are facing physical and online information damages regularly. Although many banks have their own ICT risk management policy, lack of proper implementation of the policy is exposing more banks to greater degree of insecurity of their institutional information, and also the information of huge number of customers. The sensitivity of the issue is always quite high. Therefore, the government and the Bangladesh Bank should take the lead in paving the way for ensuring information security. As a banks success largely depends on its reputation in this competitive age, an unprecedented event may lead to huge business loss. Therefore, the banking industry as a whole should be aware enough to accommodate the issue of information security in its own strategic policies.

23

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

REFERENCES
(i) Anand, V., 2008, Future Security Threats Outlook, PC Quest, Available at: http://www.iss.net/xforce_report_http://pcquest.ciol.com/2008/images/2008/index.html, April 05. (ii) Chaffey. D and Wood. S., 2005 Business Information Management: Improving Performance Using Information Systems, First Edition, Prentice Hall. (iii) Chowdhury, J. R., 2001, Information Technology in Bangladesh Observer Magazine, June 1, Bangladesh (iv) Coffey, K., 2003, Crooks Who Use Your ATM Card As A Passport To Your Account, Available at: http://kevincoffey.com/money/atm_debit_card_fraud_information.htm (v) Corbin. T., 2008, Letter sent to E-security Review Team, Attorney-Generals Department, Consumers' Telecommunications Network, October 18. Available from:http://www.ctn.org.au/content.cfm?Live=0&ContentType=Content&Content ID=388 (vi) Federal Bureau of Investigation, April 3, 2003, Testimony by James E. Farnan, Deputy Assistant Director, Cyber Division, Federal Bureau of Investigation, before the House Financial Services Committee, Subcommittees on Financial Institutions and Consumer Credit, and Oversight and Investigations, published on FBI website, Available from: http://financialservices.house.gov/media/pdf/040303jf.pdf. (vii) Financial Services Authority, November, 2004, Countering Financial Crime Risks in Information Security, Financial Crime Sector Report. (viii) Georgia Tech Information Security Center, 2007, Emerging Cyber Threats Report for 2008, Leading technology experts share thoughts on top emerging Internet threats for 2008, October 2, Available from: www.gtisc.gatech.edu/pdf/GTISC%20Cyber%20Threats%20Report.pdf (ix) Gupta, G. U. and Collins, W., 1997, The impact of information systems on the efficiency of banks: an empirical investigation, Journal of Industrial Management & Data Systems, Volume 97, Issue 1, Page 10 16. (x) Heath, N., 2009, The five biggest security threats facing businesses today: From the poison pharms to the cloud's evil lining, February 04, Available from: 24

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

http://www.silicon.com/research/specialreports/future-proofing/the-five-biggestsecurity-threats-facing-businesses-today-39376850.htm (xi) Holappa, J., Ahonen, P., Eronen, J., Kajava, J., Kaksonen, T., Karjalainen, K., Pekka, J., Koivisto, Kuusela, E., Ville, Ollikainen, Rapeli, M., Sademies, A. & Savola, R.,2005, Information Security Threats and Solutions in Digital Television: The Service Developer's Perspective, VTT Electronics Research Notes 2306. (xii) James, G. D., 2007, Statistical Analysis of Internet Security Threats, March 25, Available from: http://www.infosecwriters.com/text_resources/pdf/Statistical_Analysis_Internet_ DJames.pdf (xiii) Joiner, B. ,2008, Information Security Update: Threats & Opportunities, Presented at the Atlanta ARMA Meeting, Federal Reserve Bank of Atlanta (xiv) Keeney, M., Kowalski, E. National Threat Assessment Center, United States Secret Service of Washington DC and Cappelli, D., Moore, A., Shimeall, T., Rogers, S. of CERT Program, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA, May 2005, Insider Threat Study: Computer System Sabotage in Critical Infrastructure Sectors, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA. (xv) Kishore, P. , 2008, Experience in Implementing Security Measures at SBI A Case Study, The State Bank of India. (xvi) Kun M. L., 2004, Emerging Technologies and Innovation in Banking: Drivers for Growth, Gartner Inc., Miami. (xvii) Laudon.J. and Laudon. K. Management Information Systems- Managing the digital firms, 8th Edition, 2004-2005, Prentice Hall of India Private Ltd. (xviii) Libicki, M., 2002, The future of information security, Institute for National Strategic Studies, Washington, D.C. (xix) Libicki, M., 2008, The Future of Information Security, Available from: http://www.fas.org/irp/threat/cyber/docs/infosec.htm (xx) Logica, 2008, Information security in the UK life, savings & investment and pensions sector: A Logica snapshot survey, May 20.

(xxi) Merkow,M & Brelthaupt, J., Information Security Principles and Practices

25

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

(xxii) Nagaoka, H., Ukai, Y.

and

Takemura, T., 2006, Economic Analysis of

Information System Investment in Banking Industry: Chapter-Information System Strategy of Nationwide Banks, Springer Tokyo, Pages 29-52 (xxiii) Network Magazine, 2003, Information Security: A new approach, Cover StoryApril. (xxiv) Norn G, 2006, India and China from an Information Security Perspective, Confederation of Swedish Enterprise. (xxv) Petroni, A., 1999, Managing information systems contingencies in banks: a case study, Journal on Disaster Prevention and Management, Volume: 8, Issue: 2, Page: 101 110. (xxvi) Pterides,L.A., 2004, knowledge Management, Information Systems, and Organizations, Institute for the Study of Knowledge Management in Education, Educause Centre for Applied Research, Colorado. (xxvii) Rai, A., 2008, Keeping A Digital Vigil, Available from:

http://www.livemint.com/articles/2008/07/27220545/Keeping-a-digital-vigil.html, July 28. (xxviii)Raihan, A., 2001, Computerization and IT in the Banking Sector of Bangladesh: Hindrances and Remedies. A paper presented in the National Seminar organized by BIBM, June 09, Bangladesh (xxix) Smith, N. G. and Oppenheim, C., 1994, The role of information systems and technology (IS/IT) in investment banks, Journal of Information Science, Vol. 20, No. 5, 323-333. (xxx) Smullen, J., 1995, Financial management information and analysis for retail banks, Woodhead Publishing Limited, October. (xxxi) Strand, J., 2009, Future security threats: Enterprise attacks of 2009, Jan 12, http://www.searchsecurityasia.com/content/future-security-threats-enterpriseattacks-2009. (xxxii) Usher, A., 2006, Essential Strategies for Protecting Against the New Wave Of Information Security Threats, Sharp Ideas LLC. (xxxiii)Usmani,K.,2008, Information Security Threats and Measures, (CERT-MU)National Computer Board, Workshop on the adoption of Information Security Standards, Ebene Cyber Tower Conference Hall, Available from:

26

Bangladesh Journal of MIS, Vol.1, No.2, June 2009, ISSN: 2073-9737, Department of Management Information Systems, University of Dhaka

http://www.gov.mu/portal/sites/cert/files/presentations/Information%20Security% 20Threats1.pdf (xxxiv) Watanabe, Y., Mizuno, Y., Yamada, K. and Inoue, S., 1998, New Financial Information System for the Network Computing Era, Hitachi Review Vol. 47, No. 6.

27