Are our information systems secure enough?

The recent surge in cyberattacks globally, coupled with increasing digitalisation in Bangladesh, has magnified the vulnerabilities within our cyber ecosystem. Cyber threats are evolving at an alarming rate, becoming more sophisticated and harder to detect. 

We know of a central bank money heist. Reputed media operators also reported on an IT firewall break. Apart from that, many of our public undertakings have also reported repeated cyberattacks or hacking. 

In the same vein, phishing attacks, ransomware, and data breaches are becoming increasingly common, affecting both individuals and organisations. Organisations must adopt robust measures to protect their data and systems from unauthorised access, misuse, and potential breaches. 

An effective information security management system is the backbone of any organisation's information security strategy. It encompasses various activities to safeguard information assets, including software, hardware, services, data, staff, and intangible assets. 

Identifying and classifying assets is crucial. Assets are categorised based on their importance and the impact their loss or compromise would have on the organisation. This includes software, hardware, services, data, and personnel assets. Proper asset management ensures that all assets are protected according to their classification. Implementing strong access controls is essential to prevent unauthorised access to sensitive information. 

This includes role-based access, secure log-in procedures, password management systems, and session timeouts. Access to information should be granted based on the principle of least privilege, ensuring that individuals only have access to the information necessary for their role.

A robust incident management process is vital for identifying, reporting, and responding to security incidents. This includes having a dedicated team to handle incidents, conducting root cause analysis, and implementing corrective actions to prevent recurrence. 

Regular reporting and review of incidents help in the continuous improvement of the security posture. Secure coding practices and effective management of the application development lifecycle are critical to preventing vulnerabilities. Regular security testing, including vulnerability assessments and penetration testing, helps identify and mitigate potential threats.

Employees are the first line of defence in information security. Comprehensive training and awareness programs ensure that staff are knowledgeable about security policies and practices. Background checks, security training, and adherence to the code of conduct are essential components of human resource security. 

Regular audits and compliance checks are necessary to ensure that the Information Security Management System is effective and aligned with industry standards. 

For instance, ISO/IEC 27001:2013 provides a framework for managing information security. Internal and external audits help identify gaps and areas for improvement, ensuring that the organisation remains compliant with regulatory requirements.

Business continuity and disaster recovery plans are essential to ensure that operations can continue in the event of a disruption. This includes having redundant systems, regular testing of recovery procedures, and continuous monitoring to address emerging risks. An ISO 22301 certification, for example, demonstrates an organisation's commitment to maintaining business continuity.

 Bangladesh faces significant challenges in access to affordable information due to inadequate infrastructure and a lack of appropriate education. The absence of an integrated computer security system and education on cybersecurity compounds these issues. Cooperation, collaboration, and investment in cybersecurity are crucial to developing a culture of security and trust. 

Despite improvements, many organisations still use outdated security protocols, especially SMEs, which are highly vulnerable due to limited resources and awareness. The absence of a comprehensive national cybersecurity strategy exacerbates these vulnerabilities, leaving critical sectors like banking, healthcare, and telecommunications exposed to cyber threats.

Bangladesh has implemented several key policies to advance its ICT sector, including the 'National Information and Communication Technology (ICT) Policy 2018,' 'National Digital Commerce Policy 2018,' 'Cyber Security Act, 2023,' and the 'Electronic Transaction Act.'.  

These initiatives aim to develop a comprehensive ICT infrastructure across the country, ensuring that all citizens have access to information, which in turn fosters empowerment, good governance, and sustainable economic growth. The BTRC has issued various guidelines and directives to enhance cybersecurity in the telecommunications sector. 

This includes requirements for telecom operators to implement robust security measures and report cyber incidents. The Data Protection Act 2023 sets out guidelines and best practices for both organisations and the government on managing personal data. It governs how personal data is processed and ensures the protection of individuals' rights concerning their personal information.

While no system can be entirely impervious to threats, a comprehensive and proactive approach to information security can significantly mitigate risks and enhance the overall security posture of an organisation.  By adhering to established standards and continuously improving their security measures, organisations can ensure that their information systems remain secure in an ever-evolving threat landscape.

Mamun Rashid is the chairman of Financial Excellence Ltd and Founding Managing Partner of PwC Bangladesh.

Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the opinions and views of The Business Standard.