CYBER SECURITY HANDBOOK FOR CEOs

MitKat Advisory / Confederation of Indian Industry (CII)


Copyright © (2016) Confederation of Indian Industry (CII). All rights reserved.

Disclaimer

No part of this publication may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), in part or full in any manner whatsoever, or translated into any language, without the prior written permission of the copyright owner. CII has made every effort to ensure the accuracy of the information and material presented in this document. Nonetheless, all information, estimates and opinions contained in this publication are subject to change without notice, and do not constitute professional advice in any manner. Neither CII nor any of its office bearers or analysts or employees accept or assume any responsibility or liability in respect of the information provided herein. However, any discrepancy, error, etc. found in this publication may please be brought to the notice of CII for appropriate correction.

Published by Confederation of Indian Industry (CII), The Mantosh Sondhi Centre; 23, Institutional Area, Lodi Road, New Delhi 110003, India, Tel: +91-11-24629994-7, Fax: +91-11-24626149; Email: [email protected]; Web: www.cii.in

CYBERSECURITY AGENDA

RAISE THE CYBERSECURITY BAR TO COPE WITH RISKS

CYBERSECURITY IS AN EMERGING BOARDROOM CONCERN
Only 21% of directors agree their company has cybersecurity risk well under control (Source: 2014 NYSE Governance Services & Ernst & Young)

REQUISITION EXTERNAL HELP
More than 50% of CEOs favour external collaboration, but less than 33% show an inclination to act on it

FOCUS LEADERSHIP ATTENTION ON CYBERSECURITY
The time spent by the leadership on cybersecurity issues has increased to 31% from 24% a year earlier. One of the top four priorities for CIOs in the coming year is a 'security upgrade'

UPGRADE SKILLS & RETAIN TALENT
83% of enterprises currently lack the right skills and human resources to protect their IT assets

ALIGN LEADERSHIP TO OPERATIONAL REALITIES
59% of CISOs view their security as optimized, compared to 46% of security operations managers

Sources: 2014 NYSE Governance Services & Ernst & Young; Cisco 2015 Annual Security Report; idgenterprise.com; 2015 CIO Survey, CIO Magazine 2015

CYBERSECURITY LANDSCAPE

MAJOR GLOBAL SECURITY BREACHES (no. of million records stolen)
[Chart: Panama Papers, Ashley Madison, Office of Personnel Management (US), Experian Plc, Anthem; bar values shown: 15, 25, 37 and 80 million]

GLOBAL PRICE TAG OF CONSUMER CYBERCRIME (in billion US$)

- China: 37
- Brazil: 08
- Mexico: 03
- USA: 38
- India: 04
- Europe: 13
- Global: 400

Source: Lloyd's Insurance estimate and Symantec Security Report

PILLARS OF CYBERSECURITY: BUILDING CAPABILITIES

People
- Executive Management
- CISO/CIO
- ISMS Professionals
- Internal Auditors
- Employees

Technology
- IDS & IPS
- Access & IDM
- SIEM & Endpoint
- DLP & DRM
- Web App Firewall

Process
- Risk Management
- Incident Management
- IS Asset Management
- Business Continuity
- Compliance

IDS & IPS - Intrusion Detection & Prevention System | SIEM - Security Information & Event Management | DRM - Digital Rights Management | IDM - Identity Management | WAF - Web Application Firewall | DLP - Data Leakage Prevention

A CEO should give equal importance to all three pillars of cybersecurity. An unbiased focus on all three pillars is key to the success of a cybersecurity program.

KEY FOCUS AREAS: PROTECT THE ENTIRE INFORMATION CHAIN

Information stakeholders

Customers: Sensitive Personal Data or Information (SPDI) is shared by customers to avail of a product or a service.

Internal departments: Information gathered is converted into sensitive data, helping companies to meet their business objectives.

Service providers: Companies avail of specialized services, often sharing sensitive data with third parties and thereby relying on those parties' data protection measures.

Regulators & auditors: Regulations require companies to regularly share their sensitive information with regulators and auditors.

CEOs cannot afford to over-protect or under-protect any one of the information stakeholders. Ensuring a balanced approach to mitigate risks and plug information leakages associated with each information stakeholder is a must.

- Take effective measures to protect Personally Identifiable Information (PII)
- Implement an enterprise-wide ISMS for securing the information processing environment
- Effectively communicate cybersecurity arrangements & actions to all key stakeholders
- Protect information shared with external parties through stringent NDAs, backed by technical controls on what is shared and how
- Adopt a robust review mechanism to identify and fix all potential leakage points
- Institute a CEO's cybersecurity dashboard

EXCERPTS FROM THE REGULATIONS: REGULATORY EXPECTATIONS

The responsibility of protecting the image and values of the organization ultimately lies with the CEO. While donning the role of the conscience-keeper, it is paramount to ensure compliance with the various regulations.

Regulators setting the direction for cybersecurity

- MoLJ - Ministry of Law & Justice
- DOT - Department of Telecommunication
- IRDA - Insurance Regulatory and Development Authority
- SEBI - Securities and Exchange Board of India
- RBI - Reserve Bank of India
- DeitY - The Department of Electronics and Information Technology

Common expectations across these regulators:

- The senior leadership should assume overall responsibility for cybersecurity
- Dedicated resources in the form of time, personnel & budgets should be allocated
- Identify cyber risks which could prevent achievement of business objectives
- Adopt adequate defenses to safeguard against internal as well as external threats
- Implemented controls should be tested periodically by independent entities
- Critical vulnerabilities & incidents should be reported to the appropriate authorities
- Associate with special interest groups to stay abreast of cybersecurity intelligence
- Cybersecurity awareness should be imparted throughout the organization
- Develop a governance model to monitor and measure the efficacy of the cybersecurity program

TOP SIX SECURITY THREATS FOR 2016

1. More online extortion using ransomware: 2016 will be the year of online extortion, with hackers redoubling their efforts through the continued use and evolution of ransomware.

2. Internet of Things (IoT) attacks: Worms and viruses will be designed specifically to attack IoT devices. The potential for harm could propagate across millions of interactive devices.

3. More hacktivist activity with strategic campaigns: So-called "hacktivists" will increasingly hijack the Facebook, Twitter and Instagram accounts of leaders and attempt to spread misinformation.

4. Stealth techniques to hide evidence of attacks: "Ghostware" is the Snapchat of malware. The malware enters a system, completes its mission (stealing data), then disappears without leaving a trace.

5. Health record data breaches perpetrated by insiders: An attack from the inside can allow unrestricted access to personal medical records through legitimate employee authorization, making it far easier for an insider to go unnoticed.

6. Spear phishing: Phishing attacks are growing, as official-looking messages and websites that apparently come from trusted sources are employed to gain access to your systems.

EXPECTATIONS

The CEO should ask him(her)self

1. Does our organisation have a cybersecurity policy & strategy? Is it aligned with the business strategy?
2. Am I keeping the board informed on cybersecurity issues?
3. Are our security roles and responsibilities clearly defined and communicated? Have adequate resources been allocated?
4. Is our CIO / CISO sufficiently empowered?
5. Have we inventoried and categorized our assets? Do we know what our critical assets are? Have we done our BIA (Business Impact Analysis) and RA (Risk Assessment)? Have we identified the red flags?
6. Do we have an effective incident management / emergency response plan? Do we have a BCP-DR (Business Continuity / Disaster Recovery) plan?
7. Are we compliant with the regulatory requirements?
8. When did we last have an external audit? Have all the audit findings been addressed?
9. Is training and awareness an ongoing activity? Does our training program cover every information user?
10. Is my cybersecurity dashboard comprehensive?

The CEO should ask his CIO / CISO

1. What are the key security issues for the organization?
2. Do you interact with the business? Are our security measures aligned to the business risks?
3. What cybersecurity projects have we undertaken? Is our security budget aligned to industry norms?
4. Does our Security Operations team have adequate skills and expertise? Do we regularly train them on upcoming preventive technologies?
5. What support do you need from me to be successful?
6. Are we adequately protected? Is our customer and company data secure?
7. How do we ensure that our defenses remain relevant and effective? Do we conduct independent testing?
8. How do we tackle insider threats?
9. Assuming that we are already compromised, how can we contain the impact of the attack?
10. How are we managing our regulatory compliance and contractual obligations?

ABOUT MitKat

MitKat Advisory is a global provider of integrated security and risk mitigation solutions and services. MitKat works collaboratively with leading global corporations, government and non-government organizations to protect people, assets, information and reputation. MitKat's team consists of best-in-class consultants from diverse backgrounds. For details, kindly visit www.mitkatadvisory.com

MitKat has offices in Delhi NCR, Mumbai, Bengaluru and Singapore, and through its network of partners, delivers operational support and risk management services across Asia and Africa. MitKat's services include:

- Information security and business continuity advisory
- Managed security services
- IT security consulting and implementation assistance
- Physical security and safety consulting & design
- Threat intelligence and travel risk management
- Business intelligence, due diligence and integrity risk management
- Operational support and embedded security services
- Women's safety and empowerment
- Skills & entrepreneurship development and CSR advisory

MitKat is technology and vendor-agnostic and is able to offer impartial and unbiased advice to its clients to design 'fit-for-purpose' and 'best value' solutions to suit their specific business and operational needs.

MitKat is an equal opportunities employer and committed to the highest standards of integrity, ethics, governance and compliance.

MitKat Advisory Services Private Limited
511 Ascot Center, Near Hilton Hotel, Andheri (E), Mumbai – 400 099
T: +91 22 2839 1243 | T (Gurgaon): +91 124 455 9200 | T (Bengaluru): +91 80 255 03300
E: [email protected] | W: www.mitkatadvisory.com

ABOUT CII

The Confederation of Indian Industry (CII) works to create and sustain an environment conducive to the development of India, partnering industry, Government, and civil society, through advisory and consultative processes.

CII is a non-government, not-for-profit, industry-led and industry-managed organization, playing a proactive role in India's development process. Founded in 1895, India's premier business association has over 8000 members, from the private as well as public sectors, including SMEs and MNCs, and an indirect membership of over 200,000 enterprises from around 240 national and regional sectoral industry bodies.

CII charts change by working closely with Government on policy issues, interfacing with thought leaders, and enhancing efficiency, competitiveness and business opportunities for industry through a range of specialized services and strategic global linkages. It also provides a platform for consensus-building and networking on key issues.

Extending its agenda beyond business, CII assists industry to identify and execute corporate citizenship programmes. Partnerships with civil society organizations carry forward corporate initiatives for integrated and inclusive development across diverse domains including affirmative action, healthcare, education, livelihood, diversity management, skill development, empowerment of women, and water, to name a few.

The CII theme for 2016-17, Building National Competitiveness, emphasizes Industry's role in partnering Government to accelerate competitiveness across sectors, with sustained global competitiveness as the goal. The focus is on six key enablers: Human Development; Corporate Integrity and Good Citizenship; Ease of Doing Business; Innovation and Technical Capability; Sustainability; and Integration with the World.

With 66 offices, including 9 Centres of Excellence, in India, and 9 overseas offices in Australia, Bahrain, China, Egypt, France, Germany, Singapore, UK, and USA, as well as institutional partnerships with 320 counterpart organizations in 106 countries, CII serves as a reference point for Indian industry and the international business community.

Confederation of Indian Industry
The Mantosh Sondhi Centre, 23, Institutional Area, Lodi Road, New Delhi - 110 003 (India)
T: 91 11 45771000 / 24629994-7 | F: 91 11 24626149 | E: [email protected] | W: www.cii.in