In the wake of the global pandemic, the move to remote working increased the number of cyber-attacks aimed at remote environments. It made it essential for companies to take measures to protect themselves, their people and their customers from data leakages. Now, with the ongoing shift to hybrid working, what are the most important security measures organizations need to consider?
In a recent interview by Nikkei, the security leaders of leading IT companies in Japan, Softbank, Microsoft and KPMG exchanged views on a wide range of topics.*
Speakers: (From left）
Mr. Tadashi Iida - Chief Information Security Officer, Softbank
Mr. Sawada Motoki - Partner, KPMG in Japan
Mr. Shoji Kawano - Chief Security Officer, Microsoft Japan
The surge in cyber-attacks
How has the shift to a hybrid work model changed information security risks?
Mr. Sawada: Shortly before the COVID-19 pandemic began, we saw increased cyber-attacks for monetary gain, such as ransomware. Since we quickly shifted to remote work environments, there have been an increasing number of cases where vulnerabilities in VPNs (virtual private networks) were left unattended and used as targets. Cybercrime has become increasingly sophisticated with COVID-19, and criminal businesses offering ‘ransomware-as-a-service’ have emerged and many companies are having a hard time managing the risk.
Mr. Kawano: In the case of remote working, exchanging files can be relatively safe if they’re on the same platform, but if the tools are different, they’re often passed ‘as public information’ in a very loose way. I've also seen people participating in online meetings from public cafes and parks, and the lack of security awareness is a problem.
Mr. Iida: In some cases, confidential information is publicly available in the cloud. Since the criteria for what is considered confidential is vague, employees may be under the illusion that certain information is not confidential. Additionally, hybrid working increases the risk that employees may intentionally or unconsciously take out internal information. I think raising security literacy through employee education is key to preventing this.
Monitoring — an important security measure
What are the latest trends in security measures and what are the new needs for customers?
Mr. Kawano: In the US, the concept of ‘zero-trust architecture’ has spread largely in response to the lack of governance in remote working. The principle of zero-trust architecture is to grant authority and appropriately control access according to the situation. However, there’s a limit and cost to the number of people who can verify this. We receive about twenty-four trillion cases of log information called ‘signals’ per day at our company, which we set up with our client’s companies. Then it’s analyzed by our AI (artificial intelligence) and other experts. We also monitor the dark web and provide tools to check for prevalent attacks and whether they are being carried out, and URLs that should be blocked.
Mr. Sawada: In the past, we mainly provided support in anticipation of future cyber-attacks, such as formulating cyber security strategies, but recently, we’ve seen a sharp increase in support needed for clients who have experienced incidents. In particular, there have been many incidents at overseas subsidiaries and affiliates, with clients requesting guidelines and help to establish security measures and monitoring schemes on a global basis.
Mr. Iida: We provide ’security packs’ to smartphone and cell phone subscribers, but we would like to develop new services that further enhance safety and offer carrier-led services to use mobile devices for remote work safely. Hybrid work makes security measures more complex and increases the number of targets for attacks — making it even more difficult to protect. There is no way to change the shift towards the more flexible and convenient hybrid work model, so we have no choice but to strengthen our defense measures and monitoring systems.
Cyber risks in supply chains
How should we respond to cyber damage that targets the security vulnerabilities of overseas subsidiaries and affiliates?
Mr. Iida: Laws, regulations and mindsets differ depending on the country or region where our group companies are located, and the scale varies from small to large, so there are countless ways to view the importance of security. Suppose the head office in Japan, which oversees security, gives instructions that impact our offices globally. In that case, governance will end up in vain and security risks won’t be reduced at all. So, the head office needs to understand the individual circumstances of each group company and provide specific security information and support to each.
Mr. Sawada: In the KPMG 2021 Global CEO Outlook, when business leaders were asked about the risks that pose the greatest threat to the company's growth over the next 3 years, the top three were cyber security, supply chain, and environment/climate change. Considering the non-stop growth of digital transformation and the corresponding need to safeguard against increasingly complex global supply chain cyber risks, that’s no surprise.
Mr. Kawano: Recently, most security incidents have occurred with on-premises (in-house operated) systems. Smaller companies are actively using the latest cloud services to increase security, while larger companies are at higher risk because they still have outdated IT environments. Even in the hybridization of cloud and on-premises, I think a drastic reform is needed, not 50-50, but 95-5. Also, with the migration of data to the cloud, it’s become essential to manage access rights on a per-data basis. The clearer the data to be protected, the easier it is to manage security governance.
The human risk factor in cyber security
What kind of mid- to long-term security strategy is required for companies today?
Mr. Iida: The approach to security is changing from ‘passive safety’ such as airbags to ‘active safety’ such as automatic braking to prevent accidents. For cyber security, ‘active safety’ is a mechanism and structure that proactively prevents incidents from occurring. Since human error can be considered one of the greatest vulnerabilities in security it’s crucial to eliminate this threat by educating employees and helping them become better digital citizens at work and at home.
Mr. Kawano: I think companies are struggling with the choice of security products, but they’ll continue to be exposed to vulnerabilities while considering them. With the concept of built-in security, it’s essential first to choose a platform that maximizes security. Depending on the contract, it’s possible to take advantage of the latest security measures provided by the vendor without incurring new costs. I hope that by using the cloud, a cyber environment can be built without vulnerabilities.
Mr. Sawada: As with ESG (Environmental, Social and Corporate Governance), management needs to recognize cyber security as an investment that’s essential for growth rather than an expense. The quality of security will also change depending on how management prioritizes cyber security as a top business issue instead of leaving it to IT departments and security personnel to handle. Cyber security initiatives will become a differentiating factor for companies and a condition for survival.
*The contents of this article was originally published by NIKKEI Online Edition Advertising. It was translated into English by KPMG.
Get in touch