Muhammad Saifuddin Khan
Suborna Barua
University of Dhaka
University of Dhaka
Abstract
Information has been the greatest asset in this competitive age for any business. The
success of financial institutions largely depends on their reputation in the market, as these
are fully service-oriented institutions, and that reputation rests on the protection of
institutional and customer information. Especially for banks, to remain competitive and
accelerate growth, adoption of new, up-to-date IT infrastructure is a must. Bangladesh has
witnessed a rapid expansion in the adoption of IT infrastructure with innovative
tech-oriented financial products and services, and thus rapid growth in the banking
industry with increased competition. Therefore, the banking industry in Bangladesh is now
considered one of the fundamental industries. This paper tries to explore the state of
information security, the challenges in ensuring it, and suggests some policy options. The
study finds that the banking sector in Bangladesh is sufficiently vulnerable to different
information security threats, as banks are already using many IT-based platforms in regular
business. Although almost every bank has its own ICT risk management guideline formulated
by the Bangladesh Bank, these are not implemented with care in most cases. The sector
perceives itself as vulnerable in terms of information insecurity due to the varying nature
of the problems, and thus primarily seeks a government role to initiate a wide information
security movement.
1. INTRODUCTION
Organizational performance can be enhanced in a sustainable way by investing in and
utilizing information resources. The same is true at the individual level, where
corporations allow employees to receive appropriate information in time (Chaffey & Wood,
2004). Adequate, accurate, appropriate and timely dissemination of information is possible
only when corporations have efficient and effective information systems. Information
systems must be aligned with organizational goals and strategies to maintain, process and
disseminate information that can be used for decision making by the different stakeholders
of the organization. Lack of a strong information system fundamentally increases the cost
to organizations that try to manage information in unstructured, ad hoc ways (Petrides,
2004). And financial institutions are not an exception. One of the biggest challenges for a
financial institution is the large bulk of customer and transaction information it
preserves, and the ever-growing networks that enable institutions to create innovative and
useful services (Watanabe Y., et al., 1998). Thus, a strong information system is far more
crucial for banking institutions than for others (Petroni, 2004). Inevitably, a dynamic
management with timely principles utilizes information technology and systems to promote
new products and manage new business (Nagaoka, Ukai, and Takemura, 2006). It is extremely
crucial because information security enables an institution to gain competitive advantage
and creates new business opportunities (Horton R. T., et al.). As a reference, in the U.S.A.
the cost of credit card and other chargeable card fraud was around $985 million in 2000,
burdened on both the customers and the companies (Kevin Coffee, 2003). An internally flawed
information security system is also considered a big threat. In the USA, the National
Institute of Standards and Technology (NIST) reported that faulty security systems cost the
US economy $59.5 billion annually in the form of breakdowns and repairs (NIST, 2002).
Bangladesh is in such a condition that banks must remove any gap in ensuring information
security. With a good number of local and foreign banks, Bangladesh, a country with a
population of 150 million, is experiencing a rapidly expanding banking sector. Banks are
widely introducing new products based on information technology to survive and remain
competitive in the intensely competitive market. Therefore, the wide range of IT-based
financial products available in Bangladesh certainly calls for efforts to understand the
dynamics of the required security of information assets.
* Muhammad Saifuddin Khan, Lecturer, Department of Finance, University of Dhaka, Dhaka-1000, Bangladesh.
E-mail: msaifuddin_1@yahoo.com
Suborna Barua, Lecturer, School of Business, United International University, Dhaka-1209, Bangladesh.
E-mail: subornobarua@gmail.com
*** Both authors have equally contributed to the article.
The study is divided mainly into six sections. Section one discusses the background
information, section two presents the literature review, section three outlines the
research objectives and methodology, and section four presents the current scenario of
information technology based products and services along with the state of information
security in the Bangladesh banking sector. The fifth section discusses in detail the
in-depth analysis of the survey and study findings, and finally section five identifies the
challenges and solutions, recommendations and conclusions of the paper.
2. LITERATURE REVIEW
The worldwide information security market was worth $6.7 billion in 2000. With a
Cumulative Annual Growth Rate (CAGR) of 25.5 percent, this market is projected to more
than triple to $21 billion by the end of 2005 (Network Magazine, 2003). Information security
basically comprises ensuring five key terms: confidentiality, integrity, network security,
application security, and host security (Usher A., 2006). Information security means
administrative and technical actions to ensure that information can be accessed only by
authorized persons, that information cannot be changed by unauthorized persons, and that
information systems are available to authorized persons (Finnish Act on the Protection of
Privacy in Electronic Communications, Sähköisen viestinnän tietosuojalaki, 16.6.2004/516)
(Holappa J., et al., 2005).
In the UK, financial institutions perceive data breaches (any form of fraud/concealment) as
a major reputational risk that would create direct financial loss through regulatory fines,
recovery costs and loss of business (Logica, 2008). In Australia, the Consumers'
Telecommunications Network 2006 report stated that a vast majority of consumers have
experienced many e-security threats despite using a range of security products. Banks
generally use digital security to maintain competitive advantage, build brand image, and
meet statutory regulations (Rai, 2008).
An Atlanta ARMA meeting on May 20, 2008 showed the trends and observations on threats to
information security in seven broad categories: a) strong and enhanced hacking, b)
existing unfixed vulnerabilities, c) an increasing number of strong malwares, d) web browser
exploitation by users, e) uncontrolled liberal use of wireless internet at the niche level,
f) deliberate remote access connectivity via virtual private networks (VPN), and finally g)
increased phishing leveraging readily available personal data and common file attachments.
The danger of massive niche-level wireless usage and remote access is that a single insider
can cause extensive financial damage or irreparable damage to an organization's data,
systems, business operations, or reputation (Keeney M., et al., 2005).
Usmani K. (2008) identifies the threats to information security in four broad categories:
malware, attack through e-mail, spam-associated threats, and phishing. Malware threats
reduce system, network and workstation performance and thereby employee performance. These
results are also reconfirmed by a statistical study of internet security threats by James
G. D. (2007) stating the rate of infections in 2006 in the USA: spam (75%, with productivity
loss of $21.6b per year), trojan viruses (31%), spyware/malware (89%), phishing and hackers.
In November 2006, the attempt rate of hacking and stealing information from UK banking
brands was 11%, while 75% of false banking sites targeted clients of US banks (James G. D.,
2007). Globally, the UK hosted 2% and the US hosted 63% of phishing sites (RSA Stats,
2006).
Researchers and practitioners have critically examined the factors behind managing
information security. For different threats, they have shown different measures for dealing
with threats to information security. To protect against the increasing threats, in the
life, savings and investment, and pension sector, all the companies reported that their
security budgets had increased significantly over the last one to three years, while two
companies say that they will double security spending in 2008-09 (Logica, 2008). The Logica
(2008) report also stated that in the UK the real cost of a data breach might be nearer the
American level of £3.3 million ($6.3 million) per incident, and that the average cost of a
data breach was more than £1.4 million in 28 data breaches across eight industry sectors,
of which the financial services industry was 17 per cent higher. According to Usmani K.
(2008), the measures to fight malware are: good user education, keeping the operating
system up to date by installing operating system security fixes and program patches, using
firewall protection, using anti-spyware software, and monitoring logs for unusual traffic.
For email security, securing the server-to-client connections and the end-to-end email
delivery is crucial, as is being wary of emails from unknown parties (unsolicited emails),
not opening suspicious attachments and spam, and avoiding registering on external mailing
lists. Usmani K. (2008) also suggested the mandatory use of updated antivirus, anti-spyware,
and spam filters to avoid phishing. To ensure the highest level of information security,
the State Bank of India manages its information security based on six pillars: security
governance, consulting, compliance, incident control, monitoring, and security awareness
for its stakeholders (Kishore P., 2008).
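One of the measures listed above, monitoring logs for unusual traffic, is easy to state and harder to make concrete. The Python block below is an added example written for this edit; it is not code from the paper, from Usmani K. (2008) or from any bank. The log line format, host names, addresses, the internal network range (10.0.0.0/8) and the three thresholds are all assumptions constructed for illustration. It parses a handful of constructed firewall and authentication log lines and applies three simple rules: outbound connections to ports not on an allow-list, outbound volume to external hosts above a limit, and repeated authentication failures for one account from one source within a short window.

```python
"""Minimal log monitor for the 'monitor logs for unusual traffic' measure.

Constructed sample lines (not real bank logs). Assumed line formats:
  <ISO time> <host> CONN src=<ip> dst=<ip> dport=<port> bytes=<n> action=<ALLOW|DENY>
  <ISO time> <host> AUTH user=<name> src=<ip> result=<OK|FAIL>
"""
import ipaddress
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log; addresses, users and volumes are made up.
SAMPLE_LOG = """\
2009-03-02T10:15:01 fw01 CONN src=10.20.1.15 dst=10.20.5.2 dport=1433 bytes=48000 action=ALLOW
2009-03-02T10:15:09 fw01 CONN src=10.20.1.15 dst=203.0.113.9 dport=443 bytes=12000 action=ALLOW
2009-03-02T10:16:12 fw01 CONN src=10.20.1.40 dst=203.0.113.9 dport=443 bytes=9000 action=ALLOW
2009-03-02T10:17:30 fw01 CONN src=10.20.1.77 dst=198.51.100.23 dport=6667 bytes=3100 action=ALLOW
2009-03-02T10:18:05 fw01 CONN src=10.20.1.77 dst=198.51.100.23 dport=443 bytes=73400000 action=ALLOW
2009-03-02T10:20:00 srv02 AUTH user=teller07 src=10.20.1.40 result=OK
2009-03-02T10:21:01 srv02 AUTH user=admin src=10.20.1.99 result=FAIL
2009-03-02T10:21:03 srv02 AUTH user=admin src=10.20.1.99 result=FAIL
2009-03-02T10:21:05 srv02 AUTH user=admin src=10.20.1.99 result=FAIL
2009-03-02T10:21:08 srv02 AUTH user=admin src=10.20.1.99 result=FAIL
2009-03-02T10:21:10 srv02 AUTH user=admin src=10.20.1.99 result=FAIL
2009-03-02T10:40:00 srv02 AUTH user=admin src=10.20.1.5 result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<kind>CONN|AUTH) (?P<fields>.*)$")

# Assumed tuning values, not figures from the paper.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]   # the bank's own address space
ALLOWED_EXTERNAL_PORTS = {80, 443, 25}                 # ports normally used outbound
OUTBOUND_BYTES_LIMIT = 50 * 1024 * 1024                 # 50 MiB per source host
AUTH_FAIL_LIMIT = 5                                     # failures that trigger an alert
AUTH_FAIL_WINDOW = timedelta(minutes=5)


def parse_line(line):
    """Turn one log line into a dict; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "kind": m["kind"]}
    for kv in m["fields"].split():
        key, _, value = kv.partition("=")
        rec[key] = value
    return rec


def parse_log(text):
    return [r for r in (parse_line(line) for line in text.splitlines()) if r]


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def find_unusual_traffic(records):
    """Return findings as (rule, subject, detail) tuples for allowed outbound CONN records."""
    findings = []
    outbound = Counter()   # bytes sent to external hosts, per source
    for r in records:
        if r["kind"] != "CONN" or r.get("action") != "ALLOW" or is_internal(r["dst"]):
            continue   # internal-to-internal traffic is outside this rule
        port = int(r["dport"])
        outbound[r["src"]] += int(r["bytes"])
        if port not in ALLOWED_EXTERNAL_PORTS:
            findings.append(("unusual_port", r["src"], f"{r['dst']}:{port}"))
    for src, total in outbound.items():
        if total > OUTBOUND_BYTES_LIMIT:
            findings.append(("outbound_volume", src, f"{total} bytes"))
    return findings


def find_auth_failures(records):
    """Alert once when one user/source pair reaches AUTH_FAIL_LIMIT failures in the window."""
    recent = defaultdict(list)   # (user, src) -> timestamps of recent failures
    findings = []
    for r in records:
        if r["kind"] != "AUTH" or r.get("result") != "FAIL":
            continue
        window = recent[(r["user"], r["src"])]
        window.append(r["ts"])
        while window and r["ts"] - window[0] > AUTH_FAIL_WINDOW:
            window.pop(0)   # forget failures older than the window
        if len(window) == AUTH_FAIL_LIMIT:
            findings.append(("auth_bruteforce", r["user"], f"from {r['src']}"))
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for finding in find_unusual_traffic(recs) + find_auth_failures(recs):
        print(*finding)
```

On the constructed sample the monitor reports the IRC-style port 6667 and the oversized upload from 10.20.1.77, and the five admin failures from 10.20.1.99; the successful admin login from another host is not flagged. In practice the allow-list, the byte limit and the failure threshold are the parts that need tuning against a bank's own baseline traffic.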
It is important to note that the future will obviously be harder than today as
information technology advances, and will need very concentrated effort. Information
security threats and attacks are becoming exponentially more sophisticated, communicable,
and threatening (The Business Edition, 2006). Libicki (2008) shows some ways in which future
problems may arise. According to Libicki (2008), use of learning systems or neural nets may
result in massive destruction if the base on which they work is wrong, as may badly designed
agents, servers cycling forever for an answer, mutually destructive server-to-server
communication, malevolent agents looking for certain outgoing mail, and fast-growing hi-tech
hacking. Moreover, vulnerable wireless security protocols, increasing attacks through
cross-site scripting (XSS) and cross-site request forgery (XSRF), malicious software
generated by hackers using simple commands that can bypass most (if not all) of the current
signature-based antivirus products, attacks through web surfing in corporations, and a
possible fall in training budgets are expected (Strand J., 2009).
The Georgia Tech Information Security Centre (GTISC), on October 2, 2007, predicted for
2008 a number of cyber threats that may be dangerous for information security, such as
client-side attacks and targeted messaging attacks. On the other hand, IBM's X-Force report
on security and trend statistics has evaluated the various classes of threats, including an
in-depth analysis of 410,000 new malware samples, which shows that gaining unauthorised
access (50%) followed by denial of service (13.8%), data manipulation (11.2%), obtaining
information (9.3%), bypassing security (6.5%), gaining privileges (5.7%) and file
manipulation (1.3%) are going to be the biggest information security challenges in the near
future (Anand V., 2008). Other than the popularly known threats such as hijacking websites
by poisoning the Domain Name System (DNS) and difficulties in tracing parties storing and
transferring data in complex and huge corporate networks, the extensive and liberal use of
Social Networking Sites (SNS) may become a dangerous area for data privacy and security, as
industry experts in the UK have commented (Heath N., 2009).
Usher A. (2006) identified traditional threats such as hacker activity, worms and viruses,
spam, spyware, and phishing, against which network security strategies do nothing to
protect when the devices are connected inside the enterprise network (widespread use of
wireless technologies and secondary storage). For protection from these threats, Usher A.
(2006) suggested five points: assessing the technology environment regularly, adopting an
updated security policy, having a rigorous and effective user awareness plan, putting
policies and procedures into action effectively, and finally assessing effectiveness and
revising policies if needed. Threats to information security are increasing day by day.
These dynamics are changing and taking an extremely difficult-to-prevent shape. Therefore,
this generation's information security wave is about Security Audit and Certification. This
covers not just technology, but also people and processes. Enterprises will approach
security from the attacker's end and safeguard against new risks like social engineering
and dumpster diving.
Financial institutions around the globe take many different forms, for example central
banks, commercial banks, securities brokers, and life insurance companies. Despite the
increased and expanded networking, banks have to analyze transaction data for any given
customer so that they can offer customers better personalized service (Watanabe Y., et al.,
1998). Evidently, a study on nationalized banks of the state of Florida empirically proves
the positive role and contribution of information systems to a bank's efficiency (Gupta U.
G. and Collins W., 1997). The Federal Financial Institutions Examination Council and the
Federal Deposit Insurance Corporation have laid out different policies, regulations and
guidelines to ensure secured information systems in banks. Financial institutions with
rapid expansion and global reach, especially those who offer products and services to
clients worldwide online, are in greater danger. Evidently, the National Criminal
Intelligence Service has shown an exponential growth of computer crime in the United
Kingdom (NCIS, 1999). Thus an integrated system for finance, management, marketing and
other functional areas has to be built in financial institutions.
Realizing the need for study in this area, the objectives of the proposed study are framed
in the following terms in the context of Bangladesh:
(i) To identify the different dynamics, quality and areas of use of information
technology in the banks.
(ii) To identify and investigate problems relating to information security and threats in
the banking sector.
(iii) To identify critical success factors for effective information security with
particular reference to the banking sector.
(iv) To discuss the future of information security and threats in the banking sector, with
the growing consciousness of information security.
METHODOLOGY
The study uses both primary and secondary data. Secondary data have been obtained from
different online and physical sources. The major strength of the study is the primary data
it has used. A four-page questionnaire with 40 questions was used to collect primary data.
The questionnaire was sent to a total of 15 banks, of which 11 responded. The study is
designed around and enriched by a detailed analysis of all the data and information
acquired from the filled-in questionnaires of the 11 banks. The list of these 11 banks is
shown in Appendix-4 of this study. The study is divided mainly into three sections. Section
one discusses the preliminary issues, literature review and background information, section
two details the state of information security and the in-depth analysis of the survey
findings, and finally section three identifies the challenges and solution approaches in
ensuring information security in Bangladesh, followed by a concluding paragraph.
Although many banks in Bangladesh are providing electronic services to their customers, the
level of involvement of electronic methods in delivering and managing the business is yet
to be fully fledged, because they offer only some of the functionalities of complete
electronic banking, such as intra-bank transactions, Letters of Credit (LC) and foreign
exchange. In the case of inter-bank transactions, the central bank authority handles the
procedure. Banks as well as employees benefit from implementing information technology in
banks because this system has some advantages over the traditional system. The advantages
are as follows: faster information handling and processing; to accomplish an audit,
government officials used to need to go to every bank, but after IT implementation they do
not need to go to the banks and can instead collect the same information through the
network, and the audit report can be generated within a few minutes. In the traditional
system, transferring money from a city to a remote area is time dependent and also a matter
of some investment; during the transfer time the money is idle, so it is a great loss for
the bank as well as the customers. An electronic system can be used to transfer money
(intra-bank) within a few seconds.
Trojan viruses, spyware/malware, spam, hacking and stealing information, dishonest insiders,
phishing, worms, web browser exploitation by users, deliberate remote access connectivity,
stolen user IDs and passwords, modification of data, etc. are now the most common names in
the world of online threats. In Bangladesh, more or less, they have already introduced
enough vulnerability to the banking industry. Some 40% of the banking service providers are
aware enough about Trojan viruses and spam because they have to face them with a very high
frequency, along with a low intensity of information losses. But the amount of recovery is
very high. Another 40% frequently face spyware/malware, but in such cases 20% of these
victims face it with high frequency causing a very low intensity of information loss, and
the rest of the victims face it with a rare frequency. Other online threats are rarely
faced, with a very low level of information-losing intensity.
IT PLATFORMS USED
The rapid development and inclusion of information technology has both aided the
development of the banking industry in Bangladesh and also created a riskier environment
for information leakage in Bangladesh. The rapid advancement in IT tools has given the
banking system in Bangladesh an accelerated pace in service expansion and product
diversification with higher quality. As the sector is yet to get maximum utilization of
state-of-the-art technology, banks are rapidly applying available and suitable tools to
increase their power in the highly competitive environment. The survey conducted for this
study explores the different dynamics of the technology in practice and thereby the
preparedness to ensure information security in the banking sector of Bangladesh. The major
IT platforms used by around 90% of banks in Bangladesh are detailed below:
Automatic Teller Machine (ATM): All surveyed banks have their own or shared ATM networks,
and ATM services are widely available from more than 70 percent of the banks operating in
Bangladesh. Dutch Bangla Bank Limited has the leverage of the largest ATM network, of more
than 200 ATM booths, throughout almost every part of the country. As of October 2007,
Bangladesh had 438 ATMs (Daily Star, 2008), 10,526 POS terminals, 7.7 lakh debit cards and
30,000 credit cards issued by all banks in the country. The volume of transactions using
ATMs has increased substantially during the last few years due to the availability of
booths and the benefit of non-cash money.
Online Banking: Online banking allows bank transactions to be conducted within closed or
open networks. Online banking is considered a segment of e-business to the extent that
banks are involved in the conduct of business transactions via electronic media, especially
through the internet. Currently, full-fledged online banking service is offered by top banks
in Bangladesh including Standard Chartered Bank, Eastern Bank, Dutch Bangla Bank Limited and
Southeast Bank Limited. Services in online banking in Bangladesh include online balance
checking, instruction delivery, account monitoring, etc. While conducting the study on
online banking, we observed that only eight private commercial banks have started truly
online banking, but no nationalized bank has yet introduced online banking in a true sense.
All the foreign commercial banks are operating their banking through online procedures. It
has been noticed that almost fifty percent of the private commercial banks have started
computerized banking, which does not actually serve the purpose of online banking.
Virtual Private Network: Almost 50% of the surveyed banks have a virtual private network
in the form of a wireless intranet for intra-organization networking. Using the intranet,
employees inside the banks exchange data and information with each other. In most cases
banks have no restriction or control on employees sharing information inside the
organization through the intranet.
Wide Area Network or Local Area Network (WAN or LAN): Some 95% of banks reportedly have
either a WAN or a LAN or both. In most cases, banks in Bangladesh have a LAN created inside
the organization that is accessible from different branches in different locations within
the city. Its nature is similar to a MAN or Metropolitan Area Network.
Network Server: A network server is a mass-storage or designated computer used for
storing, delivering and managing data for users over a local area network or the internet,
such as web servers, proxy servers, and FTP servers. Overall, a network server is designed
to manage network traffic. Almost every banking institution of Bangladesh has its own
network server, to which every authorized employee has access. They have specific server
space, names and IDs. They generally use this space for storing data, financial analysis
and backing up account information.
Modem or modem pool: A modem is a device which transfers digital data over an analog wave.
In the recent age people mostly use motherboards with a built-in onboard modem. Corporate
companies like banking institutions make great use of modems under a host server. They pool
their modems at speeds of 56 to 128 kbps. With the rapid expansion of services and the
accelerated increase in internet penetration, more and more people are getting
opportunities to use modems and modem pools.
Portable devices (PDAs, laptops, cell phones, etc.): Portable devices are powerful devices
for data transfer which are easy to carry. The banking institutions have standard security
protocols for using portable devices in the office. The use of PDAs, laptops and cell
phones is seen greatly in these institutions. Almost every middle and top level executive
uses portable devices frequently with the permission of their institution.
The information security survey on the Bangladesh banking sector and detailed examination
of this sector's information security concerns have yielded the following critical findings.
Table (% of Banks offering each feature): the row labels were lost in extraction; only the
column values survive, in order: 23.1%, 19.2%, 15.4%, 7.7%, 3.8%, 7.6%.
Table-2 illustrates the percentages of the above features on the basis of their level of
access within the regular working environment of banks in Bangladesh. According to the use
of these features by both internal and external parties, internal parties enjoy 100% access
to these facilities, whereas external parties possess almost 80% access. Table-2 illustrates
the level of access of both of these parties to these facilities.
Table-2: Level of Access and Use of these features by both of the parties (%)
(table body not recoverable from the extracted text; surviving cell values: 60, -, 40, -)
Information of the bank is kept well secured by providing limited access to employees
according to their positions and also according to the requirements of business policies.
Without proper authorization, employees are not allowed to use any kind of flash drive or
any kind of mass storage device. Generally employees are allowed to check mails only to
view their instructions or understand the situation. They cannot edit them or use them for
any other means. Employees even have strict restrictions on using their provided PCs. They
are not expected to move anywhere without shutting it down, but if someone accidentally
does, the built-in system will shut the PC down by itself within 3 minutes, and the person
responsible will have to go through a penalization procedure. In many cases, the
unauthorized 100% access to all platforms by dishonest insiders may also cause a great
loss, and thus expose the organizations to a greater degree of risk. Therefore, from that
perspective, the 80% access level by externals also seems pretty high. These all exist
because there are clearly stated policies, procedures and guidelines for securing,
maintaining and monitoring the system in one's own IT environment. Table-3 in the policy
section illustrates the percentages of banks with written policies, procedures and
guidelines for securing, maintaining and monitoring the following systems or platforms
under their own Information Security Program.
It is obvious that the quality of the technology used to manage and protect the
information is a very important aspect. This is because underdeveloped or old-aged
technology may cause severe cost, financially or otherwise, when banks face large physical
damage to hardware (such as storage devices, machine breakdown or inability to create data
and information backups). Poor quality technology also creates vulnerability, as it may not
prevent unauthorised access and sharing of information because of its incompatibility with
updated security protection tools. There were interesting findings regarding the quality of
technologies used by the banks while working with the different identified platforms.
Table-3 illustrates the findings from the survey.
Table-3 (quality of technology per platform, columns "(%) High" and "(%) Low"): the row
labels were lost in extraction; surviving cell values in reading order: 20, 40, 40, 66, 95,
5, 85, 40, 60, 66, 40, 60, 40, 20, 95, 15, 50, 30, 34, 40, 40, 20, 14, 5, 10, 10, -.
The quality of technology is alarming in the case of ATMs, which are widely and popularly
used by daily customers. Even though this has been one of the very important tools to
remain competitive in customer service delivery, only 20% of the banks reported that they
use very recent, high-end technology in providing ATM services. Some 40% reported the
technology used in their ATM services as low. This is quite an important indication: as
ATMs serve as information storage, processing, and transfer points, any damage to the
low-end or low-quality technology may cause severe damage to goodwill and thus significant
loss in business. The highest quality is used in Wide Area Networking and Local Area
Networking, which allow the employees to access, share and transfer data and information
through wireless and wired technology respectively. This finding substantially validates
the faster delivery of tech-oriented products and services by the Bangladeshi banks.
Another major observation is the use of high-end technology in monitoring and controlling
data transfer, which keeps the information secured. Some 90% of the banks use at least
high-end secured technology, leaving the remaining 10% of banks at risk of unauthorized data
and information transfer beyond their poor security technology.
Table (% of All Banks): the row labels were lost in extraction; surviving values: 34%, 26%,
17%, 19%, 4%.
Table-6: Causes of the perceived risk (% of All Banks)
(row labels reconstructed from the discussion below where the text states them)
Lack of adequate knowledge on information security management        47%
(row label lost in extraction)                                         76%
Inadequate resource availability and preparedness                     49%
Irregular and infrequent updates to technology, software and threats  24%
The major causes found for why the banks feel themselves exposed to a greater degree of
risk are shown in Table-6. It is essentially proved that the employees in banks in almost
all cases do not have proper training on the importance and process of securing
information. Lack of training initiatives, lack of resource persons, and under-prioritizing
the training need are causing banks not to train their manpower. This also leads to a lack
of adequate knowledge on information security management, which has been reported by 47% of
banks as a cause of their perceived risk. The top management or the directors are also in
many cases observed not to be aware of the issue. Inadequate resource availability and
preparedness is essentially making banks stagnant and thus not prepared to respond
instantly to any sudden damage that takes place. Some 49% of banks think this is a major
reason for their perceived risk. And the other major reason is the irregular and infrequent
update to up-to-date technology, software, and information security threats (24%). This is
also probably due to under-prioritizing the need for better information technology.
Table-4 (No. of banks possessing written policies per platform, %): the row labels were
lost in extraction; surviving values in order: 80%, 73%, 71%, 77%, 63%, 55%, 41%, 47%, 57%,
44%.
Statistics in Table-4 show quite a good status. Banks having different IT platforms for
information processing, sharing, and transferring have separate written policy documents.
Some 70% to 80% of the surveyed banks have documents that guide the use of the ATM, online
banking facility, network server, and virtual private networks. This is a very good sign
because, apart from the ATM, all the other platforms are very important channels of
information access, sharing, and transferring. Therefore, having documents to shape the use
of these platforms certainly prevents unauthorized access at least to a minimum degree. But
alarmingly, more than 50% of the banks are using wireless networks, firewall and proxy
security tools, and remote access without any written policy guideline or code of use,
which exposes these banks to an extreme degree of risk. This is because all of these
platforms in the current age are considered the most likely channels through which people
can try to gain unauthorized information access and sharing.
Bangladesh Bank in October 2005 outlined a common ICT risk management guideline titled
"Guideline on Information & Communication Technology for Scheduled Banks and Financial
Institutions" to ensure the security of information and information systems; it covers all
electronically generated, received, stored, printed, scanned, and typed information, and
has been made mandatory for all banks and non-banking financial institutions. The guideline
is formulated presenting the minimum preparation of the institutions regarding all
activities and operations required to ensure data security, including facility design,
physical security, network security, disaster recovery and business continuity planning,
use of hardware and software, data disposal, and protection of copyrights and other
intellectual property rights. The guideline clearly outlines the policies for IT Operation
Management, Physical Security (Tier-1, Tier-2, Tier-3), Information Security Standard and
Service Provider Management. Every bank having IT systems must have an IT POLICY which must
fully comply with this IT Guideline and be approved by the Board of the bank. For foreign
banks, the document must also be in conformity with their global policy document. This
document provides the policy for Information & Communication Technology and ensures its
secured use for the banks. It establishes general requirements and responsibilities for
protecting ICT systems. The policy covers such common technologies as computers and
peripherals, data and network, web systems, and other specialized IT resources. The banks'
delivery of services
The Bangladeshi government is working to make a law to check computer hacking in the
country, with punishment of a 10-year prison term or a fine of 1 million taka (14,300 U.S.
dollars) or both for hackers. The law, named "Ministry of Information and Communication
Technology Act 2006", will have provisions for establishing a cyber-tribunal. Under the law,
those who give obscene information, do things which are defamatory to others, or disclose
secrets through computers will also be punished. The law will have provisions against
committing crimes using computers.
The problem is that Nationalized Commercial Banks (NCBs) hold a unique market position
with more than 50 percent of market share, so ICT penetration is more crucial for this
category of banks. Some midrange and mainframe computer systems are available in the
banking sector. Some 95 percent of the surveyed banks have Management Information
Systems (MIS), but only 38 percent of these MIS are integrated with the Transaction Processing
System (TPS). Moreover, the absence of adequate physical resources (e.g. computer hardware and
software) and weakness in course contents at the training institutions adversely affect the
quality of output from those institutions (Chowdhury, 2001).
Table-7: Challenges to Ensure Better Information Security
Challenges                                                        % of All Banks
Lack of adequate knowledge                                        67%
Lack of proper training                                           56%
Do not have quick response ability                                55%
Lack of active government responses to the need                   44%
Not updated with high-end solutions regularly (time lag exists)   17%
Human resource constraint                                          7%
The survey findings on the major challenges identified by the institutions are detailed below:
Lack of adequate knowledge: As explained in the earlier sections, top management and
employees at different levels in the banks are not really aware of the danger and of the
importance of addressing the issue. Therefore, in many banks, as opined by the bank
respondents, information security is not treated as a priority.
This lack of awareness creates opportunities for dishonest people or hackers to extract information at
any moment. Some 67% of the banks agreed on this point.
Lack of Training: Employees, and in many cases even the top management of the banks, are not
equipped with adequate and up-to-date training on creating a secure environment for
information management. Some 56% of banks feel that they have no or insufficient training for
all employees. Therefore, the strategic importance of information security is once again
undermined by employees at all levels in the banks, which deliberately or unknowingly
creates opportunities for information loss, whether through leakage or physical damage. Lack
of specialized training centres is also a pivotal cause behind this.
Not Updating Security Systems Regularly: Some 17% of banks believe that the banking sector in
Bangladesh has yet to keep pace in regularly updating software and security tools
such as antivirus, firewall and proxy settings to prevent malware, spyware, Trojans, etc.
Many banks do not spend much time on, and pay little attention to, updating their hardware
and software. This is further proof of under-prioritizing the issue.
Human Resource Constraint: Some 7% of banks believe that there are not many expert
human resources in the country who can guide the whole industry in creating an enabling
environment in the banks to secure information. Lack of national expertise or consultation is
creating drawbacks in the process of developing a knowledge base and infrastructure for
information security.
Table 8 below lists the major suggestions compiled from the surveyed banks on the
issue of how to create a better environment to protect information.
Table-8: Suggestions from Surveyed Banks on Creating a Better Environment to Protect Information
Suggestion                                                   % of All Banks
[suggestion text not recovered]                              83%
Mandatory in-house or outsourced training programs           58%
Central monitoring by the Bangladesh Bank                    54%
[suggestion text not recovered]                              46%
[suggestion text not recovered]                              41%
Mandatory In-house or Outsourced Training Programs: Some 58% of banks opined that
Bangladesh Bank, the central bank of Bangladesh, must make in-house or outsourced
training mandatory for all employees of every bank. This policy direction would make the banks more
proactive in creating a security-conscious human resource pool that would contribute to preventing
unauthorized access to information.
Central Monitoring by the Bangladesh Bank: Bangladesh Bank, as the facilitator and
monitor of the whole banking industry, should have a separate monitoring and supervision
division dedicated to monitoring the information flow and the preparedness of banks in mitigating
information insecurity. Some 54% of respondents believe this would help the whole industry
become more efficient in information management. This would require the Bangladesh Bank to
develop its own strong and up-to-date infrastructure. The Bangladesh Bank should also
oversee that the ICT policy it has itself proposed is implemented effectively.
Apart from the survey findings, the study identifies some very important points that might
serve as valuable starting points for ensuring information security.
establish large scale and nationwide central training and monitoring centres, facilitate banks
with adequate expertise etc.
The corporate sector of Bangladesh has not yet felt the pinch of information security
vulnerability much. Every industry in the country is still rising and therefore their strength
and resources are also still developing. Some industries, such as Banking, Non-Banking
Financial Institutions and Telecommunications, deal with millions of pieces of customer
and institutional information every day. The performance and reputation of banks in particular
are highly sensitive to information security. Some banks have already faced
security threats and have thus borne considerable financial and reputational loss (such as
National Bank Limited). Lack of awareness, lack of training of employees, and unavailability of proper
expertise, guidelines and consultation have resulted in such losses. As the survey respondents
expect, the situation may deteriorate in the coming days. The banking sector in
Bangladesh has been rapidly expanding; therefore there is a sheer need for
information security. The study shows that banks in Bangladesh use different platforms for
information processing, sharing, and transfer. Many of these banks face physical
and online information damage regularly. Although many banks have their own ICT risk
management policy, lack of proper implementation of the policy is exposing more banks to a
greater degree of insecurity of their institutional information, and also of the information of a
huge number of customers. The sensitivity of the issue is always quite high. Therefore, the
government and the Bangladesh Bank should take the lead in paving the way for ensuring
information security. As a bank's success largely depends on its reputation in this competitive
age, an unprecedented event may lead to huge business loss. Therefore, the banking industry
as a whole should be aware enough to accommodate the issue of information security in its
own strategic policies.
REFERENCES
(i) Anand, V., 2008, Future Security Threats Outlook, PC Quest, April 05, Available at:
http://www.iss.net/xforce_report_http://pcquest.ciol.com/2008/images/2008/index.html
(iv) Coffey, K., 2003, Crooks Who Use Your ATM Card As A Passport To Your Account, Available at:
http://kevincoffey.com/money/atm_debit_card_fraud_information.htm
(viii) Georgia Tech Information Security Center, 2007, Emerging Cyber Threats Report for 2008:
Leading technology experts share thoughts on top emerging Internet threats for 2008, October 2,
Available from: www.gtisc.gatech.edu/pdf/GTISC%20Cyber%20Threats%20Report.pdf
(ix) Gupta, G. U. and Collins, W., 1997, The impact of information systems on the efficiency of
banks: an empirical investigation, Journal of Industrial Management & Data Systems, Volume 97,
Issue 1, Pages 10-16.
(x) Heath, N., 2009, The five biggest security threats facing businesses today: From the poison
pharms to the cloud's evil lining, February 04, Available from:
http://www.silicon.com/research/specialreports/future-proofing/the-five-biggestsecurity-threats-facing-businesses-today-39376850.htm
(xi) Holappa, J., Ahonen, P., Eronen, J., Kajava, J., Kaksonen, T., Karjalainen, K., Pekka, J.,
Koivisto, Kuusela, E., Ville, Ollikainen, Rapeli, M., Sademies, A. & Savola, R., 2005, Information
Security Threats and Solutions in Digital Television: The Service Developer's Perspective, VTT
Electronics Research Notes 2306.
(xii) James, G. D., 2007, Statistical Analysis of Internet Security Threats, March 25, Available from:
http://www.infosecwriters.com/text_resources/pdf/Statistical_Analysis_Internet_DJames.pdf
(xvi) Kun, M. L., 2004, Emerging Technologies and Innovation in Banking: Drivers for Growth,
Gartner Inc., Miami.
(xx) Logica, 2008, Information security in the UK life, savings & investment and pensions sector:
A Logica snapshot survey, May 20.
(xxi) Merkow, M. & Breithaupt, J., Information Security: Principles and Practices.
[entry truncated; entry number and leading authors missing] ... and ..., A., 2008, Keeping a Digital
Vigil, July 28, Available from:
http://www.livemint.com/articles/2008/07/27220545/Keeping-a-digital-vigil.html
(xxviii) Raihan, A., 2001, Computerization and IT in the Banking Sector of Bangladesh: Hindrances
and Remedies. A paper presented in the National Seminar organized by BIBM, June 09, Bangladesh.
(xxix) Smith, N. G. and Oppenheim, C., 1994, The role of information systems and technology
(IS/IT) in investment banks, Journal of Information Science, Vol. 20, No. 5, 323-333.
(xxx) Smullen, J., 1995, Financial management information and analysis for retail banks, Woodhead
Publishing Limited, October.
(xxxi) Strand, J., 2009, Future security threats: Enterprise attacks of 2009, Jan 12, Available from:
http://www.searchsecurityasia.com/content/future-security-threats-enterpriseattacks-2009
(xxxii) Usher, A., 2006, Essential Strategies for Protecting Against the New Wave Of Information
Security Threats, Sharp Ideas LLC.
(xxxiii) Usmani, K., 2008, Information Security Threats and Measures, CERT-MU, National Computer
Board, Workshop on the adoption of Information Security Standards, Ebene Cyber Tower Conference
Hall, Available from:
http://www.gov.mu/portal/sites/cert/files/presentations/Information%20Security%20Threats1.pdf
(xxxiv) Watanabe, Y., Mizuno, Y., Yamada, K. and Inoue, S., 1998, New Financial Information System
for the Network Computing Era, Hitachi Review Vol. 47, No. 6.