The growing number of online financial transactions and increasing digitalization of the banking process have made it imperative for the country’s banking and finance sector to take systematic measures to combat hacking and other cyber crimes. However, the absence of a centralised body to coordinate cyber security measures—that is, a Computer Security Incident Response Team (CSIRT)—has put all online financial transactions of the country under threat, feel experts.
CSIRT is considered one of the most important agencies in online banking. This organisation receives reports of security breaches, analyses the reports and responds to the senders. A CSIRT can be established in a group or on an ad hoc assembly basis.
There are various types of CSIRTs. A national CSIRT monitors cyber security of an entire country. There can be sector-wise CSIRTs to cover the entire banking and finance sector. Even an individual organisation like a bank can have its own CSIRT, which can be linked with the sector CSIRT. After the recent Bangladesh Bank (BB) heist, the demand for a central CSIRT for the banking and finance sector was raised again.
A high-ranking official of BB confirmed that commercial banks have been pressing for a centralized CSIRT and have asked BB to coordinate the effort to establish it. The official, however, conceded that a centralised CSIRT cannot be set up at short notice. The BB official pointed out that Sri Lanka could set up a CSIRT for the banking and finance sector only in 2014, after six years of planning and policymaking. The Sri Lankan CSIRT is hosted and managed by LankaClear (Pvt) Ltd, under the guidance of the Central Bank, and with the assistance of the Sri Lanka Computer Emergency Readiness Team and the Sri Lanka Banks Association (SLBA).
The BB official added that the Sri Lankan CSIRT had not been easy to implement as they had to overcome many obstacles, including the reluctance of banks to share sensitive information. The banks in Bangladesh are yet to reach a consensus on a centralized CSIRT. Many banks are reluctant to share information. However, after the recent BB cyber heist, most of them want a centralised CSIRT.
Omar Faruq, secretary general of the Bangladesh chapter of the Information System Audit and Control Association (ISACA), conceded that a centralised CSIRT under the guidance and supervision of BB has become imperative for information security protection of the financial sector. ISACA is an international professional association focused on IT governance.
He pointed out that a specific information security framework as well as guidelines were also missing in Bangladesh. “The BB needs to come up with a specific framework and guidelines; otherwise the measures for ensuring information security will be taken on a piecemeal basis, like it is being done right now.” He said the Indian chapter of ISACA had aided the Reserve Bank of India to establish Control Objectives for Information and Related Technology (COBIT), a framework created by ISACA for information technology (IT) management and IT governance to regulate policy for ensuring information security.
“From the Bangladesh chapter of ISACA, we have offered our aid in establishing the framework. This is required because even if a financial institution buys the highest security package for itself, a security breach could happen because of one employee. A specific framework would ensure security efficiency at the employee level.”
Dr Vilius Benetis, chief executive officer (CEO) of NRD CS, a Lithuania-based cyber security technology consulting, incident-response and applied research company, told The Independent that the only way for the financial sector to be efficient and reliable is to be highly automated.
NRD CS is currently working as the consultant for the Bangladesh Computer Council (BCC) for the implementation of the first National CSIRT of Bangladesh.
Dr Benetis said the greatest risk for financial institutions and their clients is the lack of knowledge of new threats, the use of methodologies, technologies, and cyber-hygiene.
He said the cyber security costs must be proportionate to the value of the protected assets. As more assets move to the digital world, more investment is required.
He said that due to the availability of many security tools (both commercial and open sources), cyber-hygiene is not all that expensive now.
“What costs the most are the setting up of appropriate processes and the training required to build human skills.”
About the necessity of a financial-sector CSIRT, he said the organisations in the sector should start by building their own CSIRT, adjust processes, cooperate in an organized way with the sector CSIRT, and then the national CSIRT, to effectively secure their assets and clients.