Human element in Cybersecurity: Training and awareness in Bangladeshi MSMEs


Syed Shadman Wahid & Zihan Hossain | Published: February 26, 2024 20:56:11


Cybercrime is as predominant a problem as ever. The statistics presented in the 2023 Official Cybercrime Report by Cybersecurity Ventures indicate that the global annual cost of cybercrime is predicted to reach USD 9.5 trillion in 2024. A PwC study states cyber is the No. 1 mode of business risk globally, with 40% of all respondents listing more frequent and/or broader cyberattacks as a serious risk (and another 38% calling it a moderate risk). Even though it might seem like this massive expansion is driven by the increased dependence of organizations on digital platforms, one of the most vulnerable points in any organization is still humans.
The economy of Bangladesh faces significant cybersecurity risks due to a lack of investment in technology and a demand for a more skilled workforce. The average person expects government institutions and banks to utilise the most sophisticated technology to ward off cybersecurity threats. But from a grounded perspective, most organizations in Bangladesh lack the resources and strategies to counter cybersecurity threats, leaving them vulnerable to hacking attempts, phishing attacks, and exposure of sensitive data. The recent data leak from the Office of the Registrar General, Birth & Death Registration (BDRIS), where sensitive information became accessible through a simple Google search, epitomizes the extent of the problem.
This threat is a lot more prevalent and pervasive for smaller organisations and individuals, considering the dearth of resources they have access to compared to government organisations. In 2023, the official website of the Investment Corporation of Bangladesh, which holds details of around 10,000 investors and investment applicants, was among those compromised. The implications of frequent data breaches and leaks due to cyberattacks are quite dire for investors, entrepreneurs, business owners and the workers employed at organizations, big and small. But the consequences are especially distressing for Micro, Small and Medium Enterprises (MSMEs).
A recent cybercrime study by Accenture reveals that nearly 43 per cent of cyber-attacks are aimed at small businesses, and 46 per cent of those assaults target companies with 1,000 or fewer workers. Only 14 per cent of these MSMEs are prepared to face such an attack. On average, MSMEs spend between $826 and $653,587 on cybersecurity incidents. Over 700,000 attacks on small businesses occurred in 2020, resulting in damages exceeding $2.8 billion. 95 per cent of cybersecurity breaches are attributed to human error, according to a World Economic Forum report.
According to similar research by Inspira ACL, contextualised for Bangladesh, more than 92 per cent of micro, small and medium enterprises (MSMEs) are unaware of cybersecurity despite around 40 per cent of them having directly or indirectly been victims of cyberattacks. This speaks to the awareness gap in the country's businesses and critical parts of its infrastructure as well. The level of preparedness in the general workforce of this industry is a matter of major concern.
There are around 7.5 million MSMEs in Bangladesh, which contribute to approximately 25 per cent of the national GDP. Most of these organisations depend on cheap, unskilled labour. The insufficient grasp of cybersecurity knowledge the employees at these MSMEs have can lead to dire repercussions for businesses, including financial losses, negative brand image, and operational disruptions. According to a report by Kaspersky Lab, in 2021, Bangladesh ranked third in the list of countries most at risk of malware attacks through smartphones. About 26 out of every 100 smartphone users in Bangladesh are at risk of malware attacks, an alarming implication of the average person being a gateway for cyber threats to their workplace.
For Bangladeshi MSMEs, the most persistent concern is the lack of cybersecurity awareness and digital hygiene. In a recent security audit report by Astra Security, 31 per cent of respondents cited this as a serious issue threatening their organizations. The aforementioned report also found that companies with fewer than 100 employees were the target of more than 55 per cent of all ransomware attacks against organisations. This is especially troublesome for Bangladesh because the majority of MSME businesses and employees come from remote and rural areas, have little formal education, and are still developing their understanding of the digital landscape. Because of this lack of familiarity and formal understanding, they frequently fall prey to cyberattacks, which often cause large financial losses for their company.
According to an Inspira ACL survey from 2022, just 7.70 per cent of participants could correctly identify cyber threats such as malware, ransomware, and phishing messages when asked. These findings indicate that there is a crucial need for greater education and awareness about cybersecurity among MSMEs in Bangladesh. Evidently, the human element in MSME cybersecurity requires major upgrades in terms of proper digital hygiene and fraud detection. This includes informing employees about the importance of regular security updates and credential management (passwords, PINs, two-factor authentication, backups), to allow them to be wary of and ward off phishing attempts, identity theft, and malware attacks.
Safeguarding businesses and customers under this threat is best approached through a collaborative effort. Organizations must integrate better technology to defend against cyberattacks. But this integration can only work effectively once the workforce at these organizations is familiar with and comfortable using said technology. The upscaling of technological security measures must work in tandem with a human workforce that is sufficiently prepared to utilize the technology without exposure to greater risk.
Forbes reported that 91-94 per cent of malware was delivered via email in 2022 and 2023, indicating that individual employees are key gateway points for cybercriminals to attack businesses. It is crucial to provide workers with the information and abilities to practice general cyber-hygiene, identify phishing efforts, store passwords securely, comprehend malware and possible data breaches, and build incident reporting and response capabilities. Using a variety of communication channels, including websites, email reminders, social media campaigns, instructional pamphlets, and organizational training, should be part of the process.
In the MSME ecosystem, partner education is just as important as that of staff and customers. Vendors and suppliers should be knowledgeable about important topics such as incident reporting procedures, managing access to company documents, and the organization's data security. Defined guidelines for company information, multi-factor authentication, encrypting sensitive data, and routine security audits are crucial steps that e-commerce companies should take in addition to cybersecurity training.
The Bangladesh Government has recently taken several steps to prioritize cybersecurity awareness. The Bangabandhu International Cybersecurity Awareness Award of 2023 made this priority clear. Local cybersecurity startup Byte Capsule won the award for the "Entrepreneurs in Cybersecurity" category. The platform offers courses and training on cybersecurity fundamentals and ethical hacking. These programs have great utility for educating the workforce in cybersecurity, and the success of the organization serves as an acknowledgment of this utility. Currently, there are a multitude of cybersecurity training programs, courses and workshops regularly on offer. Institutions like the Institute of Chartered Accountants of Bangladesh (ICAB) are offering professional certifications in cybersecurity. This, along with the drafted Cyber Security Act 2023, shows that both the Government and organizations in Bangladesh are mindful of and are consciously working on developing the cybersecurity infrastructure for Bangladesh and its people.
There is a lot of room to improve because the most dangerous aspect of cyber threats is that they are persistently evolving and adapting. As such, raising awareness and developing cyber hygiene practices in the workforce needs to be an ongoing process in perpetuity. For security efforts to be effective, regular assessment, monitoring and subsequent improvement are essential to improve the human element in security against cybercrime.

Syed Shadman Wahid and Zihan Hossain are Senior Associates at Inspira Advisory & Consulting Limited.
(This article is part of an effort to bring further awareness regarding cybersecurity and policy gaps relating to cybersecurity in Bangladesh to the general public, stakeholders, and policymakers and is supported by DAI Global LLC and USAID under the Digital Connectivity and Cybersecurity Partnership (DCCP) Programme.)
