CYBER SECURITY HANDBOOK FOR CEOs
Disclaimer

Copyright © (2016) Confederation of Indian Industry (CII). All rights reserved.

No part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), in part or full in any manner whatsoever, or translated into any language, without the prior written permission of the copyright owner. CII has made every effort to ensure the accuracy of the information and material presented in this document. Nonetheless, all information, estimates and opinions contained in this publication are subject to change without notice, and do not constitute professional advice in any manner. Neither CII nor any of its office bearers or analysts or employees accept or assume any responsibility or liability in respect of the information provided herein. However, any discrepancy, error, etc. found in this publication may please be brought to the notice of CII for appropriate correction.

Published by Confederation of Indian Industry (CII), The Mantosh Sondhi Centre; 23, Institutional Area, Lodi Road, New Delhi 110003, India, Tel: +91-11-24629994-7, Fax: +91-11-24626149; Email: [email protected]; Web: www.cii.in
CYBERSECURITY AGENDA
Raise the cybersecurity bar to cope with risks

- Cybersecurity is an emerging boardroom concern: only 21% of directors agree their company has cybersecurity risk well under control (Source: 2014 NYSE Governance Services & Ernst & Young)
- Requisition external help: more than 50% of CEOs favour external collaboration, but less than 33% show an inclination to do so
- Focus leadership attention on cybersecurity: the time spent by the leadership on cybersecurity issues has increased to 31% from 24% a year earlier; 'security upgrade' is one of the top four priorities for CIOs in the coming year
- Upgrade skills and retain talent: 83% of enterprises currently lack the right skills and human resources to protect their IT assets
- Align leadership to operational realities: 59% of CISOs view their security as optimized, compared to 46% of security operations managers

Sources: 2014 NYSE Governance Services & Ernst & Young; Cisco 2015 Annual Security Report; idgenterprise.com; 2015 CIO Survey, CIO Magazine 2015
Cyber Security Handbook for CEOs 1
CYBERSECURITY LANDSCAPE

Major global security breaches (number of million records stolen)
[Chart: breaches shown are Panama Papers, Ashley Madison, Office of Personnel Management (US), Experian Plc and Anthem; the chart values as extracted are 37, 80, 15 and 25, and their assignment to individual breaches is not recoverable from the extracted text.]

Global price tag of consumer cybercrime (in billion US$)
- China: 37
- Brazil: 8
- Mexico: 3
- USA: 38
- India: 4
- Europe: 13
- Global: 400

Source: Lloyd's Insurance estimate and Symantec Security Report
PILLARS OF CYBERSECURITY

People:
- Executive Management
- CISO/CIO
- ISMS Professionals
- Internal Auditors
- Employees

Technology:
- IDS & IPS
- Access & IDM
- SIEM & Endpoint
- DLP & DRM
- Web App Firewall

Process:
- Risk Management
- Incident Management
- IS Asset Management
- Business Continuity
- Compliance

IDS & IPS - Intrusion Detection & Prevention System | SIEM - Security Information & Event Management | DRM - Digital Rights Management | IDM - Identity Management | WAF - Web Application Firewall | DLP - Data Leakage Prevention

A CEO should give equal importance to all three pillars of cybersecurity. An unbiased focus on all three pillars is key to the success of a cybersecurity program.

Building capabilities
KEY FOCUS AREAS

Information stakeholders:
- Customers: Sensitive Personal Data or Information (SPDI) is shared by customers to avail a product or a service
- Internal departments: information gathered is converted into sensitive data, helping companies to meet their business objectives
- Service providers: companies avail specialized services, often sharing sensitive data with third parties and thereby relying on their data protection measures
- Regulators & auditors: regulations require companies to regularly share their sensitive information with regulators and auditors

CEOs cannot afford to over-protect or under-protect any one of the information stakeholders. Ensuring a balanced approach to mitigate risks and plug information leakages associated with each information stakeholder is a must.

PROTECT THE ENTIRE INFORMATION CHAIN
- Take effective measures to protect Personally Identifiable Information (PII)
- Implement an enterprise-wide ISMS for securing the information processing environment
- Effectively communicate cybersecurity arrangements & actions to all key stakeholders
- Protect information shared with external parties through stringent NDAs
- Adopt a robust review mechanism to identify and fix all potential leakage points
- Institute a CEO's cybersecurity dashboard
EXCERPTS FROM THE REGULATIONS

The responsibility of protecting the image and values of the organization ultimately lies with the CEO. While donning the role of conscience-keeper, it is paramount to ensure compliance with the various regulations.

Regulators setting the direction for cybersecurity:
- MoLJ - Ministry of Law & Justice
- DOT - Department of Telecommunication
- IRDA - Insurance Regulatory and Development Authority
- SEBI - Securities and Exchange Board of India
- RBI - Reserve Bank of India
- DeitY - The Department of Electronics and Information Technology

Regulatory expectations:
- The senior leadership should assume overall responsibility for cybersecurity
- Dedicated resources in the form of time, personnel & budgets should be allocated
- Identify cyber risks which could prevent achievement of business objectives
- Adopt adequate defenses to safeguard from internal as well as external threats
- Implemented controls are to be tested periodically by independent entities
- Critical vulnerabilities & incidents should be reported to the appropriate authorities
- Associate with special interest groups to stay abreast of cybersecurity intelligence
- Cybersecurity awareness should be imparted throughout the organization
- Develop a governance model to monitor and measure the efficacy of the cybersecurity program
TOP SIX SECURITY THREATS FOR 2016

- More online extortion using ransomware: 2016 will be the year of online extortion, with hackers redoubling their efforts through the continued use and evolution of ransomware
- Internet of Things (IoT) attacks: worms and viruses will be designed to specifically attack IoT devices; the potential for harm could propagate across millions of interactive devices
- More hacktivist activity with strategic campaigns: so-called "hacktivists" will increasingly delight in hijacking the Facebook, Twitter and Instagram accounts of leaders and attempt to spread misinformation
- Stealth techniques to hide evidence of attacks: "Ghostware" is the Snapchat of malware; it enters a system, completes its mission (stealing data), then disappears without leaving a trace
- Health record data breaches perpetrated by insiders: an attack from the inside can allow unrestricted access to personal medical records via employee authorization, making it far easier for an insider to go unnoticed
- Spear phishing: phishing attacks are growing, as official-looking messages and websites that apparently come from trusted sources are employed to gain access to your systems
EXPECTATIONS

The CEO should ask himself / herself:
1. Does our organisation have a cybersecurity policy & strategy? Is it aligned with the business strategy?
2. Am I keeping the board informed on cybersecurity issues?
3. Are our security roles and responsibilities clearly defined and communicated? Have adequate resources been allocated?
4. Is our CIO / CISO sufficiently empowered?
5. Have we inventoried and categorized our assets? Do we know what our critical assets are? Have we done our BIA (Business Impact Analysis) and RA (Risk Assessment)? Have we identified the red flags?
6. Do we have an effective incident management / emergency response plan? Do we have a BCP-DR (Business Continuity / Disaster Recovery) plan?
7. Are we compliant with the regulatory requirements?
8. When did we last have an external audit? Have all the audit findings been addressed?
9. Is training and awareness an ongoing activity? Does our training program cover every information user?
10. Is my cybersecurity dashboard comprehensive?

The CEO should ask his CIO / CISO:
1. What are the key security issues for the organization?
2. Do you interact with the business? Are our security measures aligned to the business risks?
3. What cybersecurity projects have we undertaken? Is our security budget aligned to industry norms?
4. Does our Security Operations team have adequate skills and expertise? Do we regularly train them on upcoming preventive technologies?
5. What support do you need from me to be successful?
6. Are we adequately protected? Is our customer and company data secure?
7. How do we ensure that our defenses remain relevant and effective? Do we conduct independent testing?
8. How do we tackle insider threats?
9. Assuming that we are already compromised, how can we contain the impact of the attack?
10. How are we managing our regulatory compliance and contractual obligations?
ABOUT MitKat

MitKat Advisory is a global provider of integrated security and risk mitigation solutions and services. MitKat works collaboratively with leading global corporations, government and non-government organizations to protect people, assets, information and reputation. MitKat's team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit www.mitkatadvisory.com

MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of partners, delivers operational support and risk management services across Asia and Africa. MitKat's services include:
- Information security and business continuity advisory
- Managed security services
- IT security consulting and implementation assistance
- Physical security and safety consulting & design
- Threat intelligence and travel risk management
- Business intelligence, due diligence and integrity risk management
- Operational support and embedded security services
- Women's safety and empowerment
- Skills & entrepreneurship development and CSR advisory

MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business and operational needs.

MitKat is an equal opportunities employer and is committed to the highest standards of integrity, ethics, governance and compliance.

MitKat Advisory Services Private Limited
511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai – 400 099
T: +91 22 2839 1243 | T (Gurgaon): +91 124 455 9200 | T (Bengaluru): +91 80 255 03300
E: [email protected] | W: www.mitkatadvisory.com
ABOUT CII

The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes.

CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India's development process. Founded in 1895, India's premier business association has over 8000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 200,000 enterprises from around 240 national and regional sectoral industry bodies.

CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues.

Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few.

The CII theme for 2016-17, Building National Competitiveness, emphasizes Industry's role in partnering Government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: Human Development; Corporate Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability; Sustainability; and Integration with the World.

With 66 offices, including 9 Centres of Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart organizations in 106 countries, CII serves as a reference point for Indian industry and the international business community.

Confederation of Indian Industry
The Mantosh Sondhi Centre, 23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000 / 24629994-7 | F: 91 11 24626149 | E: [email protected] | W: www.cii.in