CYBER SECURITY HANDBOOK FOR CEOs

Transcription

1 CYBER SECURITY HANDBOOK FOR CEOs

2 Disclaimer Copyright (2016) Confederation of Indian Industry (CII). All rights reserved. No part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), in part or full in any manner whatsoever, or translated into any language, without the prior written permission of the copyright owner. CII has made every effort to ensure the accuracy of the information and material presented in this document. Nonetheless, all information, estimates and opinions contained in this publication are subject to change without notice, and do not constitute professional advice in any manner. Neither CII nor any of its office bearers or analysts or employees accept or assume any responsibility or liability in respect of the information provided herein. However, any discrepancy, error, etc. found in this publication may please be brought to the notice of CII for appropriate correction. Published by Confederation of Indian Industry (CII), The MantoshSondhi Centre; 23, Institutional Area, Lodi Road, New Delhi , India, Tel: , Fax: ; info@cii.in; Web:

3 CyberSecurity Agenda CYBERSECURITy IS An EMERGING BOARDROOM CONCERN Only 21% of directors agree their company has CyberSecurity risk well under control RAISe CYBERSECURITY Bar TO COPE WITH RISKS One of the top 4 priorities for CIOs in the coming year includes security upgrade' Source: 2014 NYSE Governance Services & Ernst & Young Source: idgenterprise.com REQUISITION EXTERNAL HELP More than 50% of CEOs favour external collaboration, but less than 33% show inclination FOCUS LEADERSHIP ATTENTION ON CYBERSECURITY The time spent by the leadership on Cybersecurity issues has increased to 31% from 24% an year earlier Source: 2014 NYSE Governance Services & Ernst & Young Source: 2015 CIO Survey, CIO Magazine 2015 UPGRADE SKILLS & RETAIN TALENT 83% of enterprises currently lack the right skills and human resources to protect their IT assets ALIGN LEADERSHIp TO OPERATIONAL REALITIES 59% of CISOs view their security as optimized, compared to 46% of security operations managers Source: 2014 NYSE Governance Services & Ernst & Young Source: Cisco 2015 Annual Security Report 1

4 CybeRSecurity LANDSCAPE MAJOR GLOBAL SECURITY BREACHES 37 Ashley Madison Panama Papers Anthem 25 Experian Plc Office of Personnel Management (US) # No. of Million Records Stolen GLOBAL PRICE TAG OF CONSUMER CYBERCRIME (IN BILLION US$) 38 USA 13 Europe 04 India 37 China 08 Brazil 03 Mexico Global 400 Source: Lloyd s Insurance estimate and Symantec Security Report 2

5 building capabilities A CEO should give equal importance to all three pillars of cybersecurity. An unbiased focus on all three pillars is key to the success of a cybersecurity program PILLARS OF CYBERSECURITY People process technology Executive Management CISO/CIO ISMS Professionals Internal Auditors Employees Risk Management Incident Management IS Asset Management Business Continuity Compliance IDS & IPS Access & IDM SIEM & Endpoint DLP & DRM Web App Firewall IDS & IPS - Intrusion Detection & Prevention System DLP - Data Leakage Prevention SIEM - Security Information & Event Management DRM - Digital Right Management IDM - Identity Management WAF - Web Application Firewall 3

6 PROTECT ENTIRE INFORMATION CHAIN CEOs cannot afford to over-protect or under-protect any one of the information stakeholders. Ensuring a balanced approach to mitigate risks and plug information leakages associated with each information stakeholder is a must CUSTOMERS INTERNAL DEPARTMENTS SERVICE PROVIDERs REGULATORs & AUDITORS INFORMATION stakeholders Sensitive Personal Data or Information (SPDI) is shared by customers to avail a product or a service Information gathered is converted into sensitive data, helping companies to meet their business objectives Companies avail specialized services, often sharing sensitive data with third parties and thereby relying on their data protection measures Regulations require companies to regularly share their sensitive information with regulators and auditors KEY FOCUS AREAS Take effective measures to protect Personally Identifiable Information (PII) Implement enterprise-wide ISMS for securing information processing environment Effectively communicate cybersecurity arrangements & actions to all key stakeholders Protect information shared with external parties through stringent NDAs Adopt a robust review mechanism to identity and fix all potential leakage points Institute CEO's cybersecurity dashboard 4

7 Regulatory expectations The responsibility of protecting the image and values of the organization ultimately lies with the CEO. While donning the role of the conscience-keeper, it is paramount to ensure compliance with various regulations DeitY RBI MoLJ Regulators Setting the Direction for Cybersecurity SEBI DOT IRDA MoLJ - Ministry of Law & Justice DOT - Department of Telecommunication IRDA - Insurance Regulatory and Development Authority SEBI - Securities and Exchange Board of India RBI - Reserve Bank of India DeitY - The Department of Electronics and Information Technology EXCERPTS FROM THE REGULATIONS The Senior Leadership should assume the overall responsibility of cybersecurity Dedicated resources in the form of time, personnel & budgets should be allocated Identify cyber risks which could prevent achievement of business objectives Adopt adequate defenses to safeguard from internal as well as external threats Implemented controls to be tested periodically by independent entities Critical vulnerabilities & incidents should be reported to appropriate authorities Associate with special interests groups to stay abreast with cybersecurity intelligence Cybersecurity awareness should be imparted throughout the organization Develop a governance model to monitor and measure the efficacy of the cybersecurity program 5

8 Top SIX security threats for 2016 More online extortion using ransomware 2016 will be the year of online extortion with hackers redoubling their efforts with continued use and evolution of ransomware Internet of Things (IoT) attacks Worms and viruses will be designed to specifically attack IoT devices. The potential for harm could propagate millions of interactive devices More hacktivist activity with strategic campaigns So called "hacktivists" will increasingly delight in hijacking the Facebook, Twitter and Instagram accounts of leaders and attempt to spread misinformation Stealth techniques to hide evidence of threat attacks Ghostware is the Snapchat of malware. The malware enters into a system, completes its mission (stealing data), then disappears without leaving a trace Health record data breaches perpetrated by insiders An attack from the inside can allow unrestricted access to personal medical records via employee authorization making it far easier for an insider to go unnoticed Spear phishing Phishing attacks are growing, as official-looking messages and websites, that apparently come from trusted sources, are employed to gain access to your systems

9 Expectations The CEO should ask him(her)self The CEO should ask his CIO / CISO Œ Does our organisation have a cybersecurity policy & strategy? Is it aligned with the business strategy? Am I keeping the board informed on cybersecurity issues? Ž Are our security roles and responsibilities clearly defined and communicated? Have adequate resources been allocated? Is our CIO / CISO sufficiently empowered? Have we inventorized and categorized our assets? Do we know what are our critical assets? Have we done our BIA and RA? Have we identified the red flags? Do we have an effective incident management / emergency response plan? Do we have a BCP-DR plan? Are we compliant with the regulatory requirements? When did we last have an external audit? Have all the audit findings been addressed? Is training and awareness an ongoing activity? Does our training program cover every information user? Is my cybersecurity dashboard comprehensive? Œ What are the key security issues for the organization? Do you interact with the business? Are our security measures aligned to the business risks? Ž What cybersecurity projects have we undertaken? Is our security budget aligned to industry norms? Does our Security Operations team have adequate skills and expertise? Do we regularly train them on upcoming preventive technologies? What support do you need from me to be successful? Are we adequately protected? Is our customer and company data secure? How do we ensure that our defenses remain relevant and effective? Do we conduct independent testing? How do we tackle the insider threats? Assuming that we are already compromised, how can we contain the impact of the attack? How are we managing our regulatory compliance and contractual obligations? 7

10 ABOUT MitKat MitKat Advisory is a global provider of integrated security and risk mitigation solutions and services. MitKat works collaboratively with leading global corporations, government and non-government organizations to protect people, assets, information and reputation. MitKat's team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of partners, delivers operational support and risk management services across Asia and Africa. MitKat's services include: Information security and business continuity advisory Managed security services IT security consulting and implementation assistance Physical security and safety consulting & design Threat Intelligence and travel risk management Business Intelligence, due diligence and integrity risk management Operational support and embedded security services Women's safety and empowerment Skills & entrepreneurship development and CSR advisory MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business and operational needs. MitKat is an equal opportunities employer and committed to highest standards of integrity, ethics, governance and compliance. MitKat Advisory Services Private Limited 511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai T: T (Gurgaon): T (Bengaluru): E: contact@mitkatadvisory.com W: 8

11 ABOUT CII The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes. CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India's development process. Founded in 1895, India's premier business association has over 8000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 200,000 enterprises from around 240 national and regional sectoral industry bodies. CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues. Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few. The CII theme for , Building National Competitiveness, emphasizes Industry's role in partnering Government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: Human Development; Corporate Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability; Sustainability; and Integration with the World. With 66 offices, including 9 Centres of Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart organizations in 106 countries, CII serves as a reference point for Indian industry and the international business community. Confederation of Indian Industry The Mantosh Sondhi Centre 23, Institutional Area, Lodi Road, New Delhi (India) T: / * F: E: info@cii.in * W: 9

12