- Mehedi Hasan
Md. Mehedi Hasan has recently joined the newly created Cyber Security Unit (CSU) of Bangladesh Bank as Chief Information Security Officer (CISO). In his twenty years of experience, Mr. Hasan has performed various important roles in business transformation and ICT security at NCC Bank and Uttara Bank Limited. He started his career as a programmer in a multinational software development company. He graduated in Computer Science and Engineering from Khulna University.
Cybersecurity is a cultural issue of an organization, comprising people, process and technology. Most of the time, in our country we try to resolve cyber threats by introducing relevant technologies, which cover only 20% of the problem; the remaining 80%, which is covered by people and process, is ignored. Moreover, if people and process are not considered in operating the technology effectively and efficiently, the technology deployed to protect the ICT infrastructure will instead create risks for the organization. For example, a bank may have procured a world-class firewall, but if a dedicated firewall administrator and a standard operating procedure for firewall administration are not in place, this firewall will not ensure security for the organization.
An ICT security policy plays a vital role in ensuring a robust cyber security program in any organization. Bangladesh Bank has already published ICT Security Guideline 3.0 for all banks and NBFIs to ensure baseline security against cyber threats. Accordingly, all banks and NBFIs have developed their own ICT security policy, but in most cases the implementation of the policy is not at a satisfactory level. In the banking industry, the lack of a positive attitude towards policy compliance is one of the major barriers to implementing a robust cybersecurity system in most organizations.
Organizations should apply a holistic approach to implementing a robust cybersecurity program under an enterprise risk management program. ICT risk responsibilities should be well defined among ICT asset owners and custodians so that ICT risk issues can be resolved in time. Banks may consider a GRC (Governance, Risk and Compliance) solution to gain visibility of enterprise-level risk management. A few banks in our country have deployed a GRC solution to manage their risk management program effectively.
In our banking industry (especially local commercial banks and state-owned banks), whenever an IT security or cyber security issue is raised, it is referred to the CTO or CIO. A C-level executive for cyber security or information security (CISO) is absent in most banks. In some local banks that are advanced in cyber security, a separate department has been created, staffed by a few employees and headed by a Head of IT Security, but its reporting line is still the CTO or CIO. Banks may consider making the ICT security or cyber security department independent within their governance structure so that it can mitigate risks in a timely manner. Recently, Bangladesh Bank has introduced an independent Cyber Security Unit under the direct supervision of the CISO to look after the cyber security and ICT risk management issues of the central bank.
Periodic risk assessment helps us identify existing risks and mitigate them before they are exploited by cyber criminals. Internal risk assessment should be performed by the Internal Audit Department and the Cyber Security Department. Alongside this, periodic external risk assessment by a trusted third party needs to be performed to ensure continuous improvement of the cyber security system.
From the survey, it is found that very few organizations adopt a framework-based approach (PCI DSS, ISO 27001-27002) without first facing a major incident. Some organizations ignore it even after facing a major incident. As a result, baseline security cannot be ensured, the organization runs with major risks year after year, and the chance of a cyber incident is very high because cyber criminals are always hunting for weaknesses in the ICT systems of a targeted organization. In our banking industry, a few banks have adopted PCI DSS and ISO 27001-27002 certification and some banks are in the pipeline to get certified. Bangladesh Bank has already urged all banks to implement PCI DSS on an urgent basis to protect cardholder data. Implementing an industry-standard certification will ensure baseline security, and its yearly renewal will ensure continuous improvement of the cyber security system.
Threat intelligence plays a significant role in managing cyber-attacks effectively. The Computer Incident Response Teams (CIRTs) of all financial organizations may communicate with each other about current threats and take proactive action before exploitation. Recently, BGD e-GOV CIRT played this role effectively by informing Bangladesh Bank, which in turn made financial organizations aware of the Fastcash 2.0 malware attack so that they could take precautions. In advanced countries, an independent authority has been established to receive incident reports from a victim organization without disclosing its identity and to circulate them to the relevant business segment so that it can take protective measures. In Bangladesh, we have not yet established such an authority, and most organizations hide their experience of cyber incidents to avoid loss of reputation. As a result, many organizations are unable to take precautionary measures and fall victim to the same cyber-attack.
In most cases, banks cannot respond to an incident at an early stage because they lack visibility of their ICT infrastructure. So the incident turns into a disaster, and the recovery time of the affected ICT systems is very long. In our banking industry, a few banks have deployed a Security Information and Event Management (SIEM) solution to gain visibility of incidents, but not all of them have yet implemented an Information Security Operations Center (ISOC) to monitor their whole ICT infrastructure 24x7. As a result, banks learn of incidents from customer complaints. Bangladesh Bank has advised all banks and NBFIs to implement an Information Security Operations Center (ISOC) to monitor their whole ICT infrastructure 24x7.
In some cases, critical administrative user IDs come under cyber-attack, which can create havoc in the ICT systems of an organization. To monitor and manage administrative credentials effectively, a Privileged Account Management (PAM) solution will be required for all banks and NBFIs, but only a few banks in our country have deployed such a solution to manage their administrative user IDs effectively and efficiently. In addition, banks may consider a Next Generation Firewall, endpoint protection with EDR, a Web Application Firewall and File Integrity Monitoring to build a robust cyber security system.
Skilled manpower is a key factor in ensuring effective cyber security in any organization. Advanced-level training will be required for security analysts to thwart cyber attacks. Moreover, each financial organization may consider a forensic investigation team with proper forensic tools to find the root cause of an incident and take the necessary measures to protect the organization from the same type of attack. Professional certifications like CISA, CISM, CISSP, OSCP, CEH, LPT and CHFI will be required to ensure quality service in the Cyber Security Department. Many banks and NBFIs are not willing to spend money on advanced ICT security training or on professional certifications to build up cyber security expertise in the industry.
Cyber security is the responsibility of all employees of the organization, so employee awareness of the current cyber threat landscape can play a vital role in building a human firewall for the organization. Today, social engineering is a very popular way to implant malware in a target organization, and technology alone is not sufficient to protect the organization without a comprehensive security awareness program. Our banks are taking initiatives to make their users aware of cyber risks, and it is now necessary to create public awareness of cyber risks because a good number of banking services are rendered through the internet. If customers are not aware of cyber risks, banking systems may be compromised.
A cyber security program will be effective in any organization only if it can be embedded in its culture. When all the relevant stakeholders (employees, customers, vendors etc.) of an organization are aware of the cyber risks of their day-to-day jobs and act accordingly, cyber security can be ensured throughout the organization.