Dream up the future lab.

Envision the future
with Nomura Research Institute

Ayaka Matsumoto, DX Security Platform Business Division
NRI SecureTechnologies

NRI SecureTechnologies (NRI Secure), a leading global provider of cybersecurity services, conducted a “2023 Fact-Finding Survey on Information Security in Companies” in Japan, the US, and Australia, receiving responses from a total of 2,783 companies. This year’s survey was conducted to clarify the status of information security efforts at these companies, with responses received from 1,657 companies in Japan, 540 companies in the US, and 586 companies in Australia. The survey targeted those in charge of information systems and information security at their companies, and this year marked the 21st installment since the survey was first carried out in 2002.
We spoke with NRI Secure’s Ayaka Matsumoto regarding the survey’s findings, asking about the state of corporate information security as it relates to security management, supply chains, security countermeasures, generative AI, and other topics.

EDR is increasingly being adopted in the wake of cyberattacks, increased telework, etc.

The first topic covered in the survey is security management.
In terms of new solutions that are being adopted, the findings showed that Japanese companies are increasingly deploying EDR※1, NDR※2, or XDR※3, or alternatively are looking into doing so. The technology that the most companies said they had already adopted, were currently testing out, or were considering adopting was EDR, with 27.8% of respondents saying they had already adopted it, which was 8.9 points higher than in last year’s survey, and this rose to 62.1% when those testing it out or considering adopting it are included. The reasons for this conceivably include the growing prevalence of Emotet (a type of malware spread through email), the rise in cyberattacks involving ransomware, and the increasing development of security countermeasures premised on telework, to name a few.

Alongside the increasing adoption of EDR, companies that have rolled EDR out widely are facing a new challenge in the form of growing operational overhead, and XDR has become a focus of attention as a way of handling that burden. NDR, which monitors vast amounts of internal network traffic and detects anomalies in it, was cited as adopted, in testing, or under consideration by 53% of respondents, a high rate of response; one factor behind this is the need to deal with intrusions via VPN and remote desktop, which have been a growing trend in recent years.

Meanwhile, if we look at the appointment of CISOs (Chief Information Security Officers), we see that 90% or more of companies in the US and Australia have created such positions, while in Japan that number is only around 40%. Not only do CISOs require security-related knowledge and skills, but they also need to be skilled at things including strategy and accounting, as well as at leadership and decision-making, requiring a variety of qualifications and capabilities. In Japan, finding suitable personnel within a company is difficult to do, and thus one conceivable option would be to appoint whoever is most suited to be the CISO, and then create a CISO team whose other members can compensate for that person’s shortcomings, and over time the necessary aptitude can then be gained and reinforced.

  • ※1 
Endpoint Detection and Response: a security product that records activity on endpoints (terminals) such as PCs and servers so that an incident occurring there can be detected, investigated, and responded to quickly.
  • ※2 
Network Detection and Response: a solution that monitors the content of communications over an organization’s internal network, flags unusual or suspicious activity as anomalous, and thereby makes it possible to respond in real time to both known and unknown threats.
  • ※3 
    Extended Detection and Response: a solution that obtains appropriate data from endpoints, networks, the cloud, and other sources, and that analyzes all the data in a centrally managed manner.

Supply chain control: companies sense the risks but cannot take action

The second topic covered in the survey is supply chains.
In Japan, in connection with the Economic Security Promotion Act, a total of 39.6% of companies said that they’re either strongly aware or aware of the need to enhance security, including cybersecurity. The top countermeasure they cited specifically was the “review process for subcontractors/business partners”.

When it comes to the state of supply chain controls, companies have made little progress with countermeasures covering subcontractors, as compared with the control systems they have for their group companies. One reason, among others, is that the sheer volume and complexity of what must be managed in overseeing subcontractors, or the fact that subcontractors are separate legal entities, makes it difficult for the outsourcing company to promote or contribute to improvement efforts even once the situation has been ascertained. Regardless of company scale, these companies’ security response resources are fully devoted to handling internal issues, and some 30-40% of companies are thus unable to get a full picture of their supply chains.
In the situation we are seeing now, where outsourcing and IT are inseparably tied together as a necessary part of achieving DX, and these links are becoming more complex, companies need to adopt VRM※4 and other management measures in order to efficiently control the status of security measures at their subcontractors.

  • ※4 
Vendor Risk Management: a risk management process designed to prevent a subcontractor or business partner’s products or services from negatively affecting a company’s own compliance, finances, or operations.

DMARC measures gaining attention in Japan as well

The third topic covered in the survey is security countermeasures.
In Japan, the implementation of DMARC was explicitly named as a security measure against spoofed mail in the government’s uniform security standards, which were revised in 2023. For this reason, DMARC has received increasing attention, and it is expected to become more widely adopted going forward. DMARC is a sender domain authentication technology that builds on SPF and DKIM to determine whether an email really was sent from the domain shown in its “From” header, and that lets the domain owner tell receiving mail servers how to treat messages that fail this check, thereby protecting recipients from emails spoofing a company’s own domain.

That said, Japan has been slow in adopting DMARC measures: while 81.8% of companies in the US and 89.4% of companies in Australia have already adopted and implemented DMARC, only 13% of those in Japan have done so. The high rates of use in the US and Australia would seem to be because government agencies are obligated to use DMARC there, with the national governments more broadly leading efforts to promote its use. A DMARC deployment typically starts in monitoring mode and is tightened to quarantining or rejecting mail only after reports show which legitimate senders would otherwise fail, so it takes time for DMARC measures to mature, and companies would do well to get an early start and then move forward with implementation over the medium and long term.
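To make concrete what the paragraphs above mean by “whether an email was really sent from the domain in the From header” and by a deployment that starts in monitoring mode and matures, here is an added example (not code from NRI Secure or from the survey) that parses a published DMARC record and applies the alignment rules to SPF and DKIM results for a single message. The two DNS records, the domain names (example.jp, example.com, attacker.example) and the message results are constructed sample data; no DNS lookups are made, and the organizational-domain rule is simplified as noted in the comments.

```python
"""Illustrative DMARC evaluation (added example, not production code).

Given the TXT record a domain owner publishes at _dmarc.<domain> and the
SPF/DKIM results a receiver obtained for one message, decide whether the
message passes DMARC and, if not, which disposition the owner asked for.
"""
from dataclasses import dataclass
from email.utils import parseaddr

# Constructed sample records. example.jp is still in monitoring mode (p=none):
# spoofed mail is reported but delivered. example.com has the mature policy
# the text recommends working toward (p=reject), with strict DKIM alignment.
SAMPLE_RECORDS = {
    "example.jp": "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.jp",
    "example.com": "v=DMARC1; p=reject; adkim=s; aspf=r; pct=100; "
                   "rua=mailto:dmarc@example.com",
}


def parse_dmarc_record(txt: str) -> dict:
    """Parse 'tag=value; tag=value' into a dict and fill in RFC 7489 defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record (expected v=DMARC1)")
    if "p" not in tags:
        raise ValueError("DMARC record has no p= policy")
    tags.setdefault("adkim", "r")   # relaxed DKIM alignment unless adkim=s
    tags.setdefault("aspf", "r")    # relaxed SPF alignment unless aspf=s
    tags.setdefault("pct", "100")   # parsed for completeness; sampling not applied here
    return tags


def header_from_domain(from_header: str) -> str:
    """Domain DMARC actually checks: the address in the From header.
    The display name ('CEO <...>') is ignored, which is exactly why a spoofer
    cannot help themselves by putting a trusted name in front of their address."""
    _, addr = parseaddr(from_header)
    if "@" not in addr:
        raise ValueError(f"no address in From header: {from_header!r}")
    return addr.rsplit("@", 1)[1].lower()


def org_domain(domain: str) -> str:
    """Organizational domain for relaxed alignment. Simplification (assumption):
    the last two labels. Real receivers consult the Public Suffix List, since
    this rule is wrong for names such as example.co.jp."""
    return ".".join(domain.lower().rstrip(".").split(".")[-2:])


def aligned(from_domain: str, auth_domain: str, mode: str) -> bool:
    """Strict ('s'): identical domains. Relaxed ('r'): same organizational domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


@dataclass
class AuthResult:
    from_domain: str    # domain from the RFC5322 From header
    spf_pass: bool
    spf_domain: str     # envelope MAIL FROM domain SPF was evaluated against
    dkim_pass: bool
    dkim_domain: str    # d= tag of the DKIM signature that verified


def evaluate(record_txt: str, result: AuthResult) -> str:
    """Return 'pass', or the owner's requested disposition: none/quarantine/reject."""
    policy = parse_dmarc_record(record_txt)
    spf_ok = result.spf_pass and aligned(result.from_domain, result.spf_domain, policy["aspf"])
    dkim_ok = result.dkim_pass and aligned(result.from_domain, result.dkim_domain, policy["adkim"])
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


if __name__ == "__main__":
    # A spoof: From claims example.com, but SPF only passes for the attacker's
    # own envelope domain and there is no DKIM signature from example.com.
    spoof = AuthResult(header_from_domain("CEO <ceo@example.com>"),
                       True, "attacker.example", False, "")
    print("example.com (p=reject):", evaluate(SAMPLE_RECORDS["example.com"], spoof))
    spoof_jp = AuthResult("example.jp", True, "attacker.example", False, "")
    print("example.jp  (p=none):  ", evaluate(SAMPLE_RECORDS["example.jp"], spoof_jp))
```

The two printed lines show the maturity gap the text describes: the same spoofed message is rejected by the domain with p=reject but merely reported by the one still on p=none. The relaxed-versus-strict distinction matters in practice too: with aspf=r, bounce.example.com as the envelope sender still aligns with example.com, while with adkim=s a signature from mail.example.com does not, which is the kind of legitimate-sender failure that reporting in monitoring mode is meant to surface before tightening the policy.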

Japanese companies cautious about the use of generative AI

The fourth topic covered in the survey is generative AI.
The survey results showed that in Japan, 18% of companies said that they had already adopted generative AI (regardless of whether or not they had rules in place), whereas 73.5% of US companies and 66.2% of Australian companies said the same. Further, the response “no rules in place but already adopted” was given by 32.4% of US companies and 40.3% of Australian companies.

In Japan’s case, 59.2% of companies said that they have stipulated rules prohibiting the inputting of confidential information, this being the only example of a measure which more Japanese companies have taken compared to their US or Australian counterparts. Based on these findings, one can discern a certain wariness among Japanese companies toward generative AI.
Another characteristic of companies in the US and Australia is that they have made advances with systematic controls, for example by deploying mechanisms that detect confidential information at the point it is entered and block it, and by routinely monitoring and analyzing the AI services their members use.

Using an agile approach, and testing out new technologies while moving forward

Across all four categories above, the effects of longstanding shortages of security personnel were vividly apparent.
Given the difficulties involved in rapidly adding on new personnel, what is needed in this era when new technologies are coming out one after another is arguably the ability to measure not only negative risks but also positive risks. The word “risk” as used here means an event or condition that is not certain to occur, and as opposed to incidents or other such negative risks, positive risks are ones where the uncertainty may work to a company’s advantage, such as by improving productivity or fostering employee growth. In today’s Japan, there would seem to be more than a few companies that are too concerned with negative risks, while missing out on opportunities for growth.

What is needed in the era of generative AI is to err on the side of taking positive risks, by testing out new technologies while moving forward. This means taking an agile approach by setting smaller goals, cultivating experience and confidence while trying things out little by little, i.e., taking an appropriate level of risk in experimenting with new technologies. With this attitude, the organization will ultimately gain experience and become able to effectively utilize these technologies in a business context.
A corporate attitude that encourages trying out and adopting new technologies will be required in the times ahead, and thus, corporate leaders in the era of generative AI will need to view new technologies as growth opportunities for their companies, taking actions that balance these opportunities against the negative risks.

Profile

  • Ayaka Matsumoto

* Organization names and job titles may differ from the current version.