NRI SecureTechnologies (NRI Secure), a leading global provider of cybersecurity
services, conducted a “2023 Fact-Finding Survey on Information Security in Companies” in
Japan, the US, and Australia, receiving responses from a total of 2,783 companies. This year’s
survey was conducted to clarify the status of information security efforts at these companies, with responses
received from 1,657 companies in Japan, 540 companies in the US, and 586 companies in Australia.
The survey targeted those in charge of information systems and information security at their companies,
and this year marked the 21st installment since the survey was first carried out in 2002.
We spoke with NRI Secure’s Ayaka Matsumoto regarding the survey’s findings, asking about the
state of corporate information security as it relates to security management, supply chains, security
countermeasures, generative AI, and other topics.
EDR is increasingly being adopted in the wake of cyberattacks, increased telework, etc.
The first topic covered in the survey is security management.
In terms of new solutions being adopted, the findings showed that Japanese companies are
increasingly deploying EDR※1, NDR※2, or XDR※3, or are
looking into doing so. The technology that the largest number of companies said they had already adopted, were
currently testing, or were considering adopting was EDR: 27.8% of respondents said they had
already adopted it, 8.9 points higher than in last year’s survey, and the figure rises to 62.1%
when those testing it or considering adopting it are included. The reasons for this conceivably
include the growing prevalence of Emotet (a type of malware spread through email), the rise in
cyberattacks involving ransomware, and the increasing development of security countermeasures premised
on telework, to name a few.
Alongside the increasing adoption of EDR, companies for which EDR is widely applicable are facing a new challenge in the form of growing operational overhead, and XDR has become a focus of attention as a way of handling that burden. NDR, which handles monitoring and anomaly detection for vast amounts of internal network traffic, was cited as adopted, in testing, or under consideration by 53% of respondents, a high rate of response; one factor behind this is the need to deal with VPN infiltration and remote desktop-based intrusions, which are a growing trend in recent years.
Meanwhile, if we look at the appointment of CISOs (Chief Information Security Officers), we see that 90% or more of companies in the US and Australia have created such positions, while in Japan that number is only around 40%. Not only do CISOs require security-related knowledge and skills, but they also need to be skilled at things including strategy and accounting, as well as at leadership and decision-making, requiring a variety of qualifications and capabilities. In Japan, finding suitable personnel within a company is difficult to do, and thus one conceivable option would be to appoint whoever is most suited to be the CISO, and then create a CISO team whose other members can compensate for that person’s shortcomings, and over time the necessary aptitude can then be gained and reinforced.
※1 Endpoint Detection and Response: a security product that can clarify and speed up responses after an incident occurs at an endpoint (terminal) such as a PC or a server.
※2 Network Detection and Response: a solution that monitors the content of communications over an organization’s internal network and detects unusual, suspicious activity as anomalous, making it possible to respond in real time to known and unknown threats.
※3 Extended Detection and Response: a solution that obtains appropriate data from endpoints, networks, the cloud, and other sources, and analyzes all the data in a centrally managed manner.
Supply chain control: companies sense the risks but cannot take action
The second topic covered in the survey is supply chains.
In Japan, in connection with the Economic Security Promotion Act, a total of 39.6% of companies said
that they’re either strongly aware or aware of the need to enhance security, including
cybersecurity. The top countermeasure they cited specifically was the “review process for
subcontractors/business partners”.
When it comes to the state of supply chain controls, companies have
made little progress with countermeasures for handling subcontractors, as compared with control systems
for their group companies. One reason for this, among others, is that the sheer volume and complexity of
things to manage in overseeing subcontractors, or the fact that subcontractors are separate legal
entities, makes it difficult for the outsourcer to promote or contribute to any improvement efforts once
the situation has been ascertained. Regardless of company scale, these companies’ security
response resources are fully devoted to handling internal issues, and some 30-40% of companies are thus
unable to get a full picture of their supply chains.
In the situation we are seeing now, where subcontractors and IT are always tied together as a necessary
part of achieving DX (digital transformation), and these links are becoming more complex, companies need to adopt
VRM※4 and other management measures in order to efficiently control the status of security
measures at their subcontractors.
※4 Vendor Risk Management: a risk management process designed to prevent a subcontractor or business partner’s products or services from negatively affecting a company’s own regulations, finances, or operations.
DMARC measures gaining attention in Japan as well
The third topic covered in the survey is security
countermeasures.
In Japan, the implementation of DMARC was explicitly named as a security measure to be taken against
spoofed mail under the government’s uniform security standards, which were revised in 2023. For
this reason, DMARC has received increasing attention, and it is expected to become more widely adopted
going forward. DMARC is a sender domain authentication technology that verifies whether an email
was legitimately sent from the domain shown in the “From” header, thereby protecting recipients
from emails spoofing a company’s own domain.
That said, Japan has been slow in adopting DMARC measures: while 81.8% of companies in the US and 89.4% of companies in Australia have already adopted and implemented DMARC, only 13% of those in Japan have done so. The high rates of use in the US and Australia would seem to be because state agencies are obligated to use DMARC there, with the national governments more broadly leading efforts to promote its use. Since it takes time for DMARC measures to mature, companies would do well to get an early start and then move forward with implementation over the medium and long term.
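As an added illustration of the check DMARC performs (example code written for this article, not from NRI Secure or the survey): it parses a DMARC TXT record and tests whether the SPF- or DKIM-authenticated domain is aligned with the “From” domain. The record, domains and function names are constructed for the example.

```python
# Constructed sample DMARC record for the hypothetical domain example.com.
SAMPLE_RECORD = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; adkim=s; aspf=r"


def parse_dmarc(txt):
    """Parse a DMARC TXT record ("tag=value; ...") into a dict of tag -> value."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or "p" not in tags:
        raise ValueError("not a valid DMARC record (needs v=DMARC1 and p=)")
    # Alignment modes default to relaxed ("r") when absent.
    tags.setdefault("adkim", "r")
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    # Simplified organizational domain: last two labels. Real implementations
    # use the Public Suffix List; this approximation is constructed for the example.
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain, auth_domain, mode):
    """Strict ("s") alignment needs an exact match; relaxed ("r") needs the same org domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == from_domain.lower()
    return org_domain(auth_domain) == org_domain(from_domain)


def evaluate(record, from_domain, spf_domain=None, spf_pass=False,
             dkim_domain=None, dkim_pass=False):
    """Return (result, action): result is 'pass'/'fail', action is the p= policy to apply."""
    tags = parse_dmarc(record)
    spf_ok = spf_pass and aligned(from_domain, spf_domain, tags["aspf"])
    dkim_ok = dkim_pass and aligned(from_domain, dkim_domain, tags["adkim"])
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", tags["p"]
```

With the sample record, a message whose DKIM signature domain is a subdomain fails under strict DKIM alignment, while an SPF pass from the same subdomain is accepted under relaxed SPF alignment.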
Japanese companies cautious about the use of generative AI
The fourth topic covered in the survey is generative AI.
The survey results showed that in Japan, 18% of companies said that they had already adopted generative
AI (regardless of whether or not they had rules in place), whereas 73.5% of US companies and 66.2% of
Australian companies said the same. Further, the response “no rules in place but already
adopted” was given by 32.4% of US companies and 40.3% of Australian companies.
In Japan’s case, 59.2% of companies said that they have
stipulated rules prohibiting the inputting of confidential information, this being the only example of a
measure which more Japanese companies have taken compared to their US or Australian counterparts. Based
on these findings, one can discern a certain wariness among Japanese companies toward generative AI.
Another characteristic of companies in the US and Australia is that they have made advances with
systematic controls, for example by deploying mechanisms that detect confidential information at the point of
input and block it, and by routinely monitoring and analyzing the AI services being used by their members.
Using an agile approach, and testing out new technologies while moving forward
Across all the four categories above, the effects of longstanding
deficiencies in security personnel were vividly apparent.
Given the difficulties involved in rapidly adding on new personnel, what is needed in this era when new
technologies are coming out one after another is arguably the ability to measure not only negative risks
but also positive risks. The word “risk” as used here means an event or condition that is
not certain to occur, and as opposed to incidents or other such negative risks, positive risks are ones
where the uncertainty may work to a company’s advantage, such as by improving productivity or
fostering employee growth. In today’s Japan, there would seem to be more than a few companies that
are too concerned with negative risks, while missing out on opportunities for growth.
What is needed in the era of generative AI is to err on the side of
taking positive risks, by testing out new technologies while moving forward. This means taking an agile
approach by setting smaller goals, cultivating experience and confidence while trying things out little
by little, i.e., taking an appropriate level of risk in experimenting with new technologies. With this
attitude, the organization will ultimately gain experience and become able to effectively utilize these
technologies in a business context.
A corporate attitude that encourages trying out and adopting new technologies will be required in the
times ahead, and thus, corporate leaders in the era of generative AI will need to view new technologies
as growth opportunities for their companies, taking actions that balance these opportunities against the
negative risks.