Since its beginning, Bangladesh Cyber Security Intelligence (BCSI) has been a pillar of defense for the nation’s digital ecosystem. In an era where financial institutions and Critical Information Infrastructure (CII) form the backbone of economic and national stability, the increasing frequency and sophistication of cyber threats have highlighted a critical reality: Bangladesh’s national security is at risk.
The financial and CII sectors are especially vulnerable due to systemic weaknesses, corruption, and an overall lack of cybersecurity preparedness. Threat actors have increasingly targeted these sectors to exploit their inadequate defenses, stealing sensitive information and jeopardizing operational stability. Compounding this issue is the prevalence of unethical practices, such as IT teams accepting kickbacks from unqualified cybersecurity companies and tender processes being manipulated by firms with political or personal connections. These practices undermine the integrity of security operations and leave critical systems exposed to escalating risks.
Recognizing these challenges, BCSI has launched initiatives to strengthen the country’s cybersecurity framework. Among these, the National Vulnerability Disclosure Program (NVDP) stands out as a transformative step forward. This program provides a structured platform for vulnerability reporting and resolution, ensuring that the most skilled cybersecurity professionals in the country can contribute to securing financial and CII sectors.
Through NVDP, BCSI is not only addressing the technical and procedural gaps but also tackling the root causes of inefficiencies and corruption in cybersecurity practices. By fostering collaboration, innovation, and accountability, the program reinforces the nation’s digital defenses while reducing the risks posed to economic and national security. This initiative represents a critical step toward building a resilient and self-reliant cybersecurity infrastructure for Bangladesh.
Financial Sector
The financial sector in Bangladesh, particularly its banking institutions, has become a prime target for cyberattacks. This is largely due to systemic weaknesses and an overreliance on outdated practices. In-depth threat analysis conducted by NVDP, the Crowdsourced Emergency Response Team (CS-CERT), and the BCSI Threat Intelligence Team reveals that most banks in the country are at high risk of cyberattacks. Threat intelligence from dark web forums, hacking communities, and underground marketplaces has uncovered alarming trends that expose significant gaps in cybersecurity practices.
These vulnerabilities are compounded by poor incident response capabilities, lack of skilled personnel, and outdated procurement processes for cybersecurity services. Without urgent and coordinated intervention, the financial ecosystem remains dangerously exposed to potential breaches, ransomware attacks, and other cyber threats.
We have reached out to relevant authorities regarding these critical cybersecurity concerns but have yet to receive a response. While we have chosen not to name them in this report, we want to make it clear that if no action is taken, we will publish a detailed report outlining the issues and associated risks.
Out of 62 banks, 38 have completed their tests, while 24 are still in the testing phase. The figure below summarizes the key issues affecting multiple banks, highlighting both institution-specific vulnerabilities and broader systemic challenges.
Figure 1: Summary of Key Issues in Multiple Banks’ Cybersecurity Practices.
Despite repeated warnings from BCSI about these systemic vulnerabilities, engagement with key stakeholders such as the Central Bank of Bangladesh has been largely ineffective. Efforts to collaborate and escalate these concerns to the appropriate authorities have often gone unanswered. This lack of oversight and coordination has created a significant gap in addressing the cybersecurity risks facing the financial sector. Stronger regulatory enforcement, combined with proactive collaboration, is urgently needed to protect critical financial infrastructure.
The National Vulnerability Disclosure Program (NVDP) was established by BCSI as a direct response to the systemic issues facing Bangladesh’s cybersecurity landscape. It aims to provide a sustainable, ethical, and talent-driven alternative to the traditional VAPT services offered by companies.
- A Platform for National Talent:
  - Bangladesh has an abundance of skilled cybersecurity researchers. Unfortunately, due to the lack of opportunities and structured platforms, many of these talented individuals are compelled to work for foreign organizations. NVDP was created to harness this talent and provide them with a meaningful avenue to contribute to their country’s cybersecurity.
- High-Quality and Transparent Services:
  - Unlike traditional services that rely on low-cost, minimally skilled workers, NVDP operates with a pool of top-tier cybersecurity talent. Key features of NVDP include:
    - Tailored Talent Teams: Teams are formed based on the unique needs of each organization, ensuring specialized expertise for every assignment.
    - Flexible Workforce Model: Instead of maintaining a permanent staff, NVDP assembles teams on a project basis, matching the best talent with the task at hand.
    - Excellence-Driven Approach: Ethical hackers and experienced professionals ensure that every vulnerability assessment is of the highest quality.
- Addressing Systemic Challenges:
  - NVDP directly tackles the challenges of corruption, tender manipulation, and lack of skilled manpower by providing an ethical, transparent, and results-driven alternative.
- Retaining Local Talent:
  - By creating opportunities for Bangladeshi researchers to showcase their expertise, NVDP aims to reverse the brain drain and foster a culture of innovation and collaboration.
Cause Analysis
- Conflict of Interest and Corruption in IT Teams:
  - A concerning trend has been uncovered where members of IT teams in banks engage in unethical practices. In several cases, cybersecurity companies offering Vulnerability Assessment and Penetration Testing (VAPT) services were awarded contracts in exchange for kickbacks or percentages paid to these IT staff. This blatant conflict of interest undermines the integrity of cybersecurity measures and creates a dangerous environment where financial institutions are left vulnerable to attack.
- Exploitation of Higher Authority References:
  - Many cybersecurity companies use personal or political connections with higher authorities to bypass fair and competitive procurement processes. This not only leads to substandard services being delivered but also sidelines more capable firms that lack such connections. This practice reinforces inefficiencies and prevents the sector from adopting innovative and effective solutions.
- Tender Manipulation by Cybersecurity Firms:
  - Investigations have revealed that some cybersecurity companies own multiple proxy firms and use these entities to bid for the same tenders. This manipulation creates the illusion of competition while ensuring that the contract ultimately goes to one of their controlled firms. Such unethical practices not only erode trust in the tendering process but also result in the selection of companies that may lack the talent and expertise needed for effective penetration testing and security assessments.
- Reliance on Low-Grade Certifications:
  - A significant portion of IT staff employed in banks hold certifications such as the Certified Ethical Hacker (CEH) and similar entry-level credentials, which have limited practical value in addressing advanced cybersecurity threats. This reliance on superficial qualifications without assessing real-world expertise further weakens the sector’s ability to prevent and mitigate cyber incidents.
- Lack of Skilled Manpower:
  - Both the IT teams within banks and many local cybersecurity companies suffer from a severe shortage of skilled professionals. This talent gap leads to overreliance on automated tools and basic frameworks, which are inadequate for tackling sophisticated cyberattacks. Without substantial investment in talent development and training, these vulnerabilities will continue to grow.
- Use of Unauthorized Tools:
  - Several banks have been found to use unauthorized or cracked versions of vulnerability scanning tools. These tools often produce unreliable results and introduce additional security risks, compounding the vulnerabilities they are supposed to identify and resolve.
- Corruption and Unethical Practices:
  - Corruption remains a pervasive issue, with certain cybersecurity firms leveraging personal relationships and unethical practices to secure contracts. This compromises the quality of VAPT services, leaving banks with poorly executed security assessments that fail to address critical vulnerabilities.
The Financial Threat Assessment 2024 highlights the critical need to strengthen the cybersecurity posture of Bangladesh’s financial institutions and Critical Information Infrastructure (CII). Systemic vulnerabilities, unethical practices, and a lack of skilled manpower have exposed these essential sectors to a growing wave of sophisticated cyberattacks, putting national security and economic stability at significant risk.
While BCSI has assessed several organizations, many others remain untested. We are actively working to include the rest of these organizations to gain a comprehensive understanding of the security landscape across all financial and CII sectors. The real picture of vulnerabilities will only emerge once assessments of these remaining organizations are completed.
Additionally, a detailed CII Security Report will be published once all evaluations are finalized. This report will provide an in-depth analysis of vulnerabilities, specific challenges, and actionable recommendations for bolstering the security of critical systems.
BCSI reaffirms its commitment to collaborating with stakeholders and taking decisive steps to secure Bangladesh’s digital infrastructure. Together, we can mitigate threats and safeguard the nation’s future.
“Collaboration eliminates coincidence.” – BCSI