The Reality for Japanese Companies as Seen in the 2020 Fact-Finding Survey on Information Security
Feb. 15, 2021
NRI SecureTechnologies (NRI Secure), which is a group company of Nomura Research Institute (NRI), has been conducting a “Fact-Finding Survey on Information Security in Companies” every year since FY2002, and it conducted this survey in FY2020 covering Japan, the US, and Australia. The results reveal a difference in how security is regarded in these countries. We spoke with security consultant Maki Yamada about the survey results.
Japanese companies have room for improvement in their security measures associated with DX
In order to elucidate the efforts being made by companies in Japan, the US, and Australia when it comes to information security, NRI Secure surveyed the state of security at 1,222 Japanese companies, 523 US companies, and 515 Australian companies between July and September 2020.
In this survey, NRI Secure inquired into the efforts being made by the companies involving DX (digital transformation), a subject which has recently become a frequent topic of discussion, and it found that 76.5% of the Japanese companies surveyed were involved in DX initiatives. Given that the percentage of Japanese companies making DX-related efforts was approximately 30% in the FY2019 survey, it is clear that many companies have begun to undertake DX activities.
The aspect of this phenomenon that Yamada singled out as an urgent issue is the ongoing review of security strategies brought about by DX. When asked “In pursuing your digital transformation efforts, have you reviewed your security strategies, rules, and processes?”, the breakdown by country of companies that answered “Partly done” or “Already done” came out to 73.7% for the US and 77.3% for Australia, whereas for Japan it was only 21.7%.
Yamada offered her take on these results, remarking that “When it comes to how corporate IT has been used until now in Japan, for many companies, the infrastructure involved has typically been based on on-premise operations, and their conventional security has been concerned with perimeter defenses. But these things have become shackles for them, so these companies are forced to expand the scope of their reevaluations, and they’re finding that they don’t have enough personnel or enough of a budget to make additional considerations or responses. So, I think these companies can’t really judge where they should begin when pursuing their DX efforts.”
As for telework, which has become widely used in response to the spread of Covid-19, the survey found that although 73.0% of Japanese companies have implemented this workstyle, only 56.5% of these companies responded that they have “ascertained our security requirements in light of telework and taken measures accordingly”. Yamada viewed this figure as indicating “some lingering uncertainties”, and she suggested that “When companies think about security measures in terms of promoting telework, it’s also important for them to consider transitioning from their current perimeter defense model to a Zero-Trust model.”
Perimeter defense models apply security measures such as firewalls at the boundary between the internet and a company’s internal network. Recently, however, developments such as the increased use of cloud-based services have created a need for protection on the internet as well, and thus there is growing support for Zero-Trust models, which protect the content of all communications through user authentication and encryption.
A broader scope of security involving supply chains
In the Japan survey, 71.0% of companies said they were aware of the state of security measures being taken at their domestic subsidiaries, while 57.0% said they had this same awareness for their overseas subsidiaries. As for US and Australian companies, around 80% of respondents said they were aware of the security conditions at both their domestic and foreign subsidiaries, a higher figure than in Japan’s case. As for the security control situations at their business partners or subcontractors, 80% or more of respondents in the US and Australia said they were conducting security control, whereas the results for Japan showed only 51.9% of companies were doing the same for their domestic partners and subcontractors and a mere 35.2% were doing it for their partners and subcontractors overseas.
Regarding these results, Yamada commented: “Security-related incidents originating in the supply chain have been happening one after another in recent years, and companies need to raise the security level of their supply chains overall. For that reason, I think you have to begin by grasping the state of your security measures. And when it comes to supply chains that don’t have at least a certain level of security measures in place that have been set by your company, you need to make the judgment that business transactions can’t be done unless that level is cleared.”
In addition, since this survey found that a greater percentage of Japanese companies are now making DX-related efforts, Yamada says “It’s a desirable result that Japanese companies overall are getting more involved in DX efforts. However, because of supply chain growth in conjunction with that development, security measures will have to take on a wider scope, and that means it’s important to deal with security controls outside the perimeter of your company.”
Targeted attacks and ransomware: security threats in Japan and abroad
In response to the question about incidents that have occurred in the past year, incidents that can be categorized as cyberattacks were the top answer given by US and Australian companies. In Japan as well, cyberattacks took four of the top 10 spots in the ranking, yet incidents caused by human error such as emails, faxes, or mailings sent by mistake were also cited.
With regard to the events posing the greatest threats to companies, the top answers given in all of the countries were information leaks resulting from targeted attacks and damage caused by ransomware.
Regarding the context of this, Yamada said, “I think the reasons for this are the fact that malware like Emotet, which tends to be used in targeted attacks, as well as ransomware demands for ransoms to be paid, have been spreading globally and causing greater damage. Also, with the recent telework environment it’s difficult to handle these issues, and that’s probably one of the main reasons why so many companies consider these to be threats.”
Finally, Yamada offered that “Since security threats arising from the growth of DX and telework will be on the rise, we’ll need new security strategies that are suited to the coming era.” She also suggested that “Expanding the scope of how security measures are applied and implemented and practicing security strategies reflecting the ‘new normal’ will be important in order for companies to enhance their security going forward.”
There is no doubt that DX will play an extremely important role in how we conceive of business going forward. In addition, telework and other new workstyles will likely expand into the future. Amid such changes, perhaps we must also consider anew what kinds of security measures have to be taken, and how businesses can be protected from cyberattacks which will pose an ever-greater threat going forward.