Bangladesh Bank digital heist and lessons learned

Lutfus Sayeed
Published : 2 April 2016, 04:19 PM
Updated : 2 April 2016, 04:19 PM

What are the lessons learned by the management, the IT department, and the rest of the banking industry as a result of the recent digital heist at Bangladesh Bank? In addition to the huge financial loss, Bangladesh Bank's professional credibility as a reliable business partner has been tarnished in the global banking network, where security is a basic threshold of professionalism. The banking sector as a whole must draw some lessons from this unfortunate incident.

First and foremost, the debacle should not deter the banking sector from playing its role in global connectivity. The development of digital commercial activities in Bangladesh should continue. That said, steps must be taken to address the weaknesses in Bangladesh Bank's digital infrastructure.

In the aftermath of the recent $81 million digital heist, Bangladesh Bank has decided to appoint a permanent security expert on an annual basis. Although the decision is a step in the right direction, a much larger overhaul of the bank's management approach to information and network security is warranted in order to prevent future digital intrusions. The recent heist succeeded because of lapses in IT security governance at the bank. The technological failure to prevent the attack is a symptom of the bank's lack of managerial practices suited to a business environment in which the financial services industry is seamlessly integrated with information technology.

As an academic engaged in the field of Information Systems, I have been following the global news coverage on the recent heist. I came across a report, one of many on the subject, on March 19 while waiting for my connecting flight in the transit lounge of Frankfurt airport en route to the Università degli Studi dell'Insubria near Milan to teach a graduate seminar on Information Systems. The report on the heist was the cover story on FT Weekend. The attempted amount of $1 billion is one reason why the heist has received such worldwide attention. At the same time, the actual amount netted by the perpetrators is also significant.

The reason the FT Weekend coverage drew my attention was its report on the early signs of the breach mentioned in the FIR submitted to the police. According to the FIR, a malfunctioning printer was the first sign of the intrusion. However, it took more than two days after the initial complaint about the printing problem before the IT department at Bangladesh Bank began to suspect that a breach had taken place. Two days is a lifetime in digital attacks, where, in an increasingly networked world, millions of transactions can be executed every microsecond.

The hackers apparently gained entry by installing malicious spyware on the bank's network sometime in late 2015. The presence of the malicious code remained undetected by the network monitoring system for months! This is a sign of human negligence and even possible sabotage. Network monitoring tools such as Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) are used by network professionals to detect exactly such irregularities. The malicious code eluded the network monitoring tools because of human error or incompetence.

Since the early reports of the heist, I have been baffled by the lack of useful reports about the relevant technical glitches. The head of IT at Bangladesh Bank, to my knowledge, has not made any statement regarding the heist. According to the Bangladesh Bank website, two IT-related departments exist in Bangladesh Bank – the IT Operations and Communications Department, and the Information Systems Development Department. Neither department lists any director-level executive personnel, indicating that the bank's IT departments do not have a seat at the table with top-level decision makers in the organization.

Research on such electronic security breaches indicates that a lack of fit between an organization's business strategy and its IT strategy is the major reason for perpetrators' success. It is faulty and reluctant decision making by executives about the role of IT in the company that creates the opportunity for hackers. Bangladesh Bank and other banks in the country want to participate in the global banking network, to be connected with financial services resources in the rest of the world. However, connectivity with the global network brings risks as well as benefits, such as network attacks by hackers. The IT strategy of banking institutions in our country, including Bangladesh Bank's, must be formulated to handle both the risks and the benefits of global connectivity.

The following are three lessons that need to be learned from the Bangladesh Bank security breach.

First, banking executives in Bangladesh must recognize that there is no daylight between financial services and IT anymore. Firms in the banking sector in developed countries aim to specialize in IT to be as sophisticated as IT companies themselves. Banking customers in countries with advanced banking sectors hardly set foot in a bank branch because of available services like mobile banking, internet bill payment and electronic funds transfer. With a push for digital initiatives, Bangladesh is moving in the same direction. To manage this transition, decision makers in banks must participate in IT related decisions. At the same time, IT must have a seat at the executive decision makers' table. IT must not be viewed as a specialized function that is detached from the core business processes of the bank. In summary, banking is now an IT business.

Second, Bangladesh Bank and other banks in the country have to develop or refine their IT governance. Governance refers to a framework of decision-making rights. Some IT decisions in banks have to be made by the management team without the IT department, some have to be made collaboratively, and some exclusively by IT. This framework of decision rights must be set down in a formal document. The appointment of a Chief Information Security Officer (CISO), who interacts with both the upper echelon of management and IT, can be part of this framework.

Third, banks have to develop or revisit their IT architecture. IT architecture refers to a blueprint of the hardware, software, network, human and data requirements of an organization. The design is a reflection of the firm's strategy expressed in terms of IT requirements. The implementation of the architecture becomes the IT infrastructure.

Banks in Bangladesh will definitely encounter future incursions much like the recent heist in Bangladesh Bank. However, with proper governance and technology architecture in place, banks in Bangladesh should be able to thwart such attacks and prosper in the global financial marketplace.

Lutfus Sayeed is a professor and researcher of Information Systems at California State University