New Cybersecurity Guidelines in Bangladesh: What's Needed?
Experts Offer Insights on Critical Steps for Financial Institutions
As the central bank of Bangladesh prepares to release revised IT security guidelines for financial institutions, CISOs and cybersecurity experts are hoping it takes into account the very latest cyberthreats and technology developments.
The current IT security guidelines, which came out in 2015, failed to take into account new technology practices that are being embraced by different industries, some security experts say. For instance, many financial institutions in Bangladesh are building their software in-house, but the guidelines do not offer insights on security practices for these applications, they say.
"New guidelines should advocate the adoption of secure software development best practices, such as secure coding and code review when using agile development methods and DevSecOps practices," says Shahee Mirza, head of security operations, at Beetles Cybersecurity, a security company based in Bangladesh.
Some security experts hope the new guidelines emphasize the need for better governance and mitigation of IT security risks. And the voluntary guidelines could eventually be converted to regulations with a mandate for compliance, according to some observers.
"Our priority will be protecting IT assets to give customers confidence. We hope the guideline will be realistic and appropriate controls will be in place," says Abul Kalam Azad, head of IT security and compliance at Eastern Bank.
A challenge facing Bangladesh is that many companies still consider cybersecurity a cost, according to some security practitioners.
"The truth is talks around cybersecurity have only just begun in our country post the Bangladesh bank heist," says Prabeer Sarkar, CEO and founder at Bangladesh endpoint security firm Dhaka Distributions. "In fact, the CISO positions in banks came only after that cyberattack."
In 2016, attackers stole $81 million from Bangladesh Bank after compromising the bank's SWIFT messaging environment and using it to issue fraudulent transfer orders.
Mirza adds: "There is a huge lack of adequate resources in the market today. The entire IT industry in Bangladesh is fairly new, and over the past 15 years, we have been focused more on development and on growth."
When it comes to cybersecurity awareness among CISOs and others in the nation, the "understanding, acceptance and maturity still have a long way to go," he says.
A CISO of a large public sector bank in Bangladesh tells Information Security Media Group that many security professionals take a checklist approach to complying with the current guidelines.
"After the Bangladesh bank heist, financial institutions are required to appoint a CISO. However, since there are not many qualified CISOs in the country, banks are promoting people with a technology background to that position," the bank CISO says. "Moreover, once a CISO is appointed, most banks do not spend resources in training the person for security."
Guidelines in Development
Bangladesh Bank, the central bank of the country, has formed an information and communication technology steering committee that's working on the new security guidelines.
The central bank has been asking banks and financial institutions to conduct at least one VAPT (Vulnerability Assessment and Penetration Testing) exercise annually, as well as to obtain certification for PCI DSS compliance, Mirza says.
But Mirza argues that red team exercises are more valuable than VAPT tests. "The new security guidelines must address this issue," he adds.
Many security practitioners say the new guidelines should promote a holistic approach to security.
"The new guidelines must force organizations to take steps to mitigate their nontechnical risks," Mirza says. "They need to implement and enforce new guidelines relating to data privacy, something that is rarely acknowledged here."
The revised guidelines also should articulate that boards of directors and senior management teams should include those with an understanding of technology risks, he says. "The board of directors and senior management sometimes appear as a roadblock to banks' cybersecurity enhancements due to lack of knowledge of current cybersecurity practices or modern threats," he says.
Given the growth in Internet of Things device use, the government should develop relevant security guidelines, he adds. "Modern threat actors are attacking IoT because those devices are overlooked by security monitoring or assessments. So, a new revision in guidelines should have a proper security guideline about these network-connected IoT devices."
The Priority Areas
Tapan Kanti Sarkar, founder and president of the CTO Forum in Bangladesh, says many organizations in the country still don't know how to improve their cybersecurity posture. He calls for organizations to:
- Integrate security platforms: There is an overriding need to consolidate and integrate security technologies so that threat visibility is not fragmented across tools, with the goal of gaining true visibility into cloud, mobile and on-premises assets.
- Ensure continuous training: Many organizations continue to rely on manual processes and are faced with a skills shortage. Continuous training and skills development for existing teams is essential, with an aim to create basic cyber hygiene and nurture a culture of security.
- Create awareness: Security teams must create awareness of cyberthreats, how they can be detected and mitigated and how to respond.