Cyber Attacks on the Banking Sector: The Example of the National Bank of Pakistan. What Can Banks Do?

From finance to digital asset management, technology plays an undeniable role in disrupting conventional patterns and revolutionizing them by proffering new solutions. Consequently, technology continues to change every aspect of the world, and our day-to-day activities are becoming more digitalized than ever in the history of humanity.

One area of our daily activities that has been revolutionized by technology is personal finance, especially saving money. The traditional model of saving money in cabinets has been scrapped for more digitalized methods, even as CNBC estimates that at least 84% of adult Americans own bank accounts where they choose to save money.

However, technology is not without its cons: risks peculiar to technology deployment, such as cyber-attacks, have gradually become the norm across public and private sectors. More importantly, cyber-attacks were rated the fifth top risk in 2020, even as the World Economic Forum affirms that the risk of detection of cyber-attacks is now as low as 0.05% in the U.S. The lower the risk of detection, the more susceptible banks and other private and public institutions are to cyber-attacks. This seeming paradox thus raises the question: what are cyber-attacks?

What are Cyber-attacks?

TechTarget defines cyber-attacks as offensive, unwelcome attempts or actions that target computer systems and networks with the intent of gaining unauthorized access that facilitates theft, illegal duplication, and destruction of information or data. A cyber-attack could be as mild as hacking into a computer and installing spyware or as aggressive as attempting to destroy an entire nation's infrastructure hosted on interconnected networks. There are different kinds of cyber-attacks, but the most common ones include malware, phishing, distributed denial-of-service (DDoS) attacks, DNS tunneling, and zero-day exploits.

The first recorded cyber-attack occurred in 1834 when a pair of thieves hacked the French telegraph system and illegally duplicated financial information. Our 21st-century world grapples with data privacy concerns and witnesses an average of more than 2,200 cyber-attacks, with about 71.1 million victims of cyber-attacks yearly. Similarly, Accenture affirms that an estimated 43% of small businesses also experience cyber-attacks. The trajectory of cyber-attacks has established them as a financial weapon of war that can be deployed to rob individuals and companies of money.

Cyber-attacks on banking sectors

Investopedia records the earliest cyber-attack to have occurred in 1999 when India and Pakistan engaged in a long-term dispute over the disputed territory of Kashmir. Historical accounts reveal that each country's hackers had been repeatedly involved in attacking each other's computer space. Subsequently, the number of cyber-attacks has grown yearly, with about 200 recorded cyber-attacks targeted against financial institutions in 2007. Similarly, recent statistics published by the World Bank show that online banking accounts for nearly 75% of all bank transactions, and that share is increasing, meaning people are leaving cash and cheques behind and moving to electronic banking. Several banks have experienced cyber-attacks, and some of the best-remembered incidents are the 2014 JP Morgan data breach, the 2016 SWIFT bank attack, and most importantly, the 2021 attack on the National Bank of Pakistan.

Cyber Attacks in the context of the National Bank of Pakistan

One of the most alarming cyber-attacks was targeted against the National Bank of Pakistan between Friday 29th and Saturday 30th October 2021. The cyber-attack impacted the bank's backend systems and affected the servers that interlinked the bank's branches, as well as the backend infrastructure that controlled the bank's ATM network and mobile banking application. Express Tribune records that immediate steps were taken to isolate the affected systems, which, at that point, could not jeopardize the financial data of other customers.

However, it is essential to note that the National Bank of Pakistan could not restore all affected services for at least two days to the detriment of customers and companies, leading to several pending transactions that temporarily stifled the economy. This means it is pretty challenging to determine the scale of the attack from the information given to the public. However, given that the National Bank of Pakistan is one of the most important banks in Pakistan, it is apt to say that the entire national economy could collapse if the National Bank of Pakistan crashed due to a cyber-attack. This case study shows how severe cyber-attacks in the banking sector can be and how dangerous they are regarding the security of customers’ money and the nation’s economy.

What can Banks do?

Banks must take several necessary steps to protect themselves against cyber-attacks. Generally, a bank's website and mobile app are publicly available, making them highly susceptible to cyber-attacks. Therefore, it is recommended that banks ensure strong cyber security on their systems. Cyber security in this context can also be called information technology security or electronic information security, which involves defending computers, servers, mobile devices, electronic systems, networks, and data from cyber-attacks.

There are three primary security measures for the banking sector against cyber-attacks.

  • Individual security of users

This is the personal security of individual members accessing their accounts. It is important to note that banks have very little control over people's behavior, as users can take either a relaxed or a negligent attitude toward their accounts. Still, as an institution, a bank should impose compulsory and stringent security requirements for users to access their accounts on the bank's web portal. This includes strong passwords, preferably with a mix of character types, and multi-factor authentication to mitigate single-point security failures and add an extra layer of protection for user accounts.

  • Technical security

This covers the security of the tools built to access bank accounts. The tools built into the bank's web portal and applications must have strong security measures. Malware is one of the most consistent cyber-attacks on banks, but there is a security measure against it: malware protection for computers or networks. It does the following:

  • It checks any newly downloaded program to verify that it is malware-free.
  • It confirms that emails with passwords and links are malware-free.
  • It scans the computer to detect and defeat any malware.

Another security measure that banks can adopt is monitoring, logging, and blocking technologies. This will help users ensure they aren't experiencing cyber-attacks. If there is an attack, these technologies provide an auditable trail that the security team can use to assess the situation and isolate the cause, so that the attack can be detected and investigated and a solution provided. The security should be handled by a professionally managed security service provider such as Attitude.

The advantage of professionally managed security is 24-hour monitoring and incident response, which will detect and assist in dealing with any security or network alert or breach, responding in time, before any critical damage is done, by isolating and mitigating the threat.

  • Inside/internal team and data security

Assets are the personal property of the bank's users and should be handled with great care. There should be a clear plan for adequately handling and securing assets within the bank so that they are protected against risk and the staff understand the process that should be followed.

It is of the utmost necessity to secure the internal team and protect the data by ensuring the security of each endpoint allowed into the centralized protected network. Each device across the entire attack surface that leads to the central network must be secured, usually with a VPN solution.

Data should be encrypted, as it is one of the most critical assets for any organization and can turn into a high-value target for cybercriminals. It should be encrypted with an advanced algorithm such as the Advanced Encryption Standard (AES) so that even in the event of a critical security breach or attack, the data will be inaccessible to attackers without the associated decryption keys.

Banks should also use dedicated endpoint protection software to protect the networks that are remotely bridged to devices. They should likewise have a system that allows security and network teams to react quickly to security incidents such as cyber-attacks.

Financial institutions should build firewalls to block any brute-force attacks on the system before they cause damage. Also, employees should have personal accounts and separate logins to differentiate between staff and users. This would reduce the probability of cyber-attacks that stem from incorrect access, provided staff accounts are automatically set to have no more permissions than are required to perform their role.
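The monitoring, logging, and blocking measure and the brute-force blocking described above can be combined in one sliding-window detector. This is an added example, not code from the article or any vendor; the log format, the thresholds, and the name `detect_bruteforce` are assumptions, and the log lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (assumed format: ISO time, result, account, source IP).
SAMPLE_LOG = """\
2024-01-15T22:00:01 FAIL alice 203.0.113.7
2024-01-15T22:00:05 FAIL alice 203.0.113.7
2024-01-15T22:00:09 FAIL bob 203.0.113.7
2024-01-15T22:00:12 OK carol 198.51.100.4
2024-01-15T22:00:14 FAIL alice 203.0.113.7
2024-01-15T22:00:20 FAIL dave 203.0.113.7
2024-01-15T22:00:25 OK alice 203.0.113.7
2024-01-15T22:03:00 FAIL carol 198.51.100.4
2024-01-15T22:09:30 FAIL carol 198.51.100.4
corrupted entry
"""

def detect_bruteforce(log_text, max_failures=5, window=timedelta(seconds=60)):
    """Return (blocked, audit): IPs to block and an ordered trail of decisions."""
    recent = defaultdict(deque)  # source IP -> (time, account) of recent failures
    blocked = {}                 # source IP -> time the block was decided
    audit = []                   # (line number, action, subject, detail)
    for lineno, line in enumerate(log_text.splitlines(), 1):
        try:
            stamp, result, account, ip = line.split()
            ts = datetime.fromisoformat(stamp)
        except ValueError:
            # Unparsable lines stay in the trail instead of vanishing silently.
            audit.append((lineno, "MALFORMED", None, line))
            continue
        if ip in blocked:
            # Everything from a blocked source is refused, even a correct password.
            audit.append((lineno, "DROPPED", ip, f"{result} for {account}"))
            continue
        if result != "FAIL":
            continue
        failures = recent[ip]
        failures.append((ts, account))
        while ts - failures[0][0] > window:  # slide the window forward
            failures.popleft()
        if len(failures) >= max_failures:
            accounts = {a for _, a in failures}
            blocked[ip] = ts
            audit.append((lineno, "BLOCK", ip,
                          f"{len(failures)} failures, {len(accounts)} accounts"))
    return blocked, audit

if __name__ == "__main__":
    for entry in detect_bruteforce(SAMPLE_LOG)[1]:
        print(entry)
```

The two failures from 198.51.100.4 are more than six minutes apart, so they never share a window and that source is not blocked.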

Another important security measure is regular security awareness training for staff, to educate and remind them of the approaches and techniques that cybercriminals adopt for their attacks. Most cyber-attacks occur because the staff are ignorant or have not been appropriately trained for security breach events. Employees should be prepared to:

  • Verify the recipient or user before sending a piece of sensitive information.
  • Check links before clicking them.
  • Verify email addresses from received emails.


We are all aware that prevention is better than cure, and as much as banks should try to control and curb cyber-attacks on their various systems, there should also be recovery plans put in place just in case of a cyber-attack.

Banks should have well-thought-out and implemented plans to help avoid data loss and minimize business downtime in the event of an attack that disrupts service. At the barest minimum, banks should incorporate data backup plans and guidance for system redundancy, so that a redundant system can take over the business workload when the central system is down.

text written by:

Marcin Kubacki, CSA at Storware