More and more companies are facing cyberattacks. In an independent survey conducted by Nikkei Research and Trend Micro, about 40% of major companies said their supply chains have been subjected to cyberattacks. With the rise in awareness of the need for cybersecurity countermeasures, 70% of companies reported they have created the post of Chief Information Security Officer (CISO) or a similar position to handle cybersecurity. At the same time, however, 60% of companies said they lack “human resources” specialized in cybersecurity and that inadequate budget is also a barrier.
“Our own cyberdefense is not solid, and we don’t have the resources to assist our business partners. The cyberattack damage suffered by Toyota Motor Corporation could happen to us at any time.” This is the kind of consultation cybersecurity companies receive all the time from the manufacturing industry. In February, Toyota’s business partners were hit by a cyberattack, and Toyota was forced to halt operations at all factories in Japan. The “Toyota crisis” in the cyber world brought to light the supply chain risks that exist, regardless of industry or company size.
On June 2–8, Nikkei Research and Trend Micro conducted a survey of 300 security and digital transformation (DX) managers working for large companies with 1,000 or more employees.
When asked if their supply chains have ever been hit by a cyberattack, 16.7% said their “contractors (including operations and manufacturing)” have been hit, 30.7% said their “group companies” have been targeted, and 28.3% said their “overseas officers” have been attacked. Some 43.3% said they had received two or more of these types of attack.
In March, Bridgestone announced that several of its tire factories had been shut down for several days due to a cyberattack at a U.S. subsidiary. In April, information was leaked from a Panasonic Holdings Canadian subsidiary that sells Panasonic home appliances, and the data was disclosed to a clandestine site by those who had launched the cyberattack.
Small-scale affiliates and overseas bases cannot invest resources in cyberdefense, and it is hard for corporate governance, such as rules governing the handling of IT equipment, to really be thorough and effective. There are more and more ways for attackers to use supply chains with weak cyberdefense as a “steppingstone” to infiltrate major companies via a network.
About 15% of cyberattacks on supply chains resulted in the “suspension of part or all of the company’s operations,” and many cybersecurity managers reported damage to information technology (IT) assets, with about 30% of respondents citing “breakdown of the company’s systems” and another 30% citing “damage to company data.”
On the other hand, 44.3% of the respondents said that the status of security measures is “not included” in the criteria for selecting contractors or that they are “not sure” whether it is included. A major metal company said, “Overseas trading partners can confirm in detail the cyber countermeasure products they have introduced and their operating conditions,” but in Japan, companies tend to assume their business partners are appropriately taking care of their own cyber countermeasures.
Ohazawa Isao, the country manager of CrowdStrike Japan, says, “Since this spring, we have received an unparalleled number of consultations from medium-sized local companies.” This suggests that even smaller companies are coming to have a sense of crisis over cybersecurity.
Lack of funds is a challenge cybersecurity managers at major companies face. Some 41.3% of respondents said their company’s investment in cybersecurity was “insufficient,” outdistancing the 33.7% who said the investment was “appropriate.” An overwhelming 58.9% of respondents said they lack “human resources” specialized in cybersecurity.
The Japan Cybersecurity Innovation Committee (JCIC), a think tank specializing in cyber countermeasures, states that an appropriate standard for a cyberdefense budget is “0.5% or more of consolidated sales.” It bases this estimate on the amount of damages in past cases. Some 44.7% of respondents said that their cyberdefense budget is “less than 0.5%” of consolidated sales and therefore below this objective standard. It cannot be said that companies are allocating adequate resources for cyberdefense.
“Companies are competing across industries for human resources with expertise in cybersecurity. Even if you take the time and effort to improve employee skills, it will amount to nothing if staff change jobs,” comments a person in charge of the security department at a major IT company about the difficulty of employee education. It is essential to create systems that supplement human resources, such as services that remotely monitor for cyberattacks and products that use artificial intelligence (AI) to detect suspicious behavior 24 hours a day.
Some 73.3% of respondents reported that they have an in-house CISO or CSO (Chief Security Officer) who formulates management-level strategies. Gradually, more and more companies are aware that they need a central officer who can spearhead cyberdefense initiatives.
In principle, CISOs should have more assistants than executives do and have company-wide authority over things like budget and personnel. However, only about half of all CISOs have executive positions. Even if they have a title, it is unclear whether they play such a role. Shimizu Satoshi, CISO of Trend Micro Japan, said, “Management needs to reexamine what elements the company lacks and allocate the needed people and systems, including external resources.”
70% are restricting PPAP or are considering restricting it in the future
The survey also asked respondents about “PPAP,” a security method that involves sending an email with ZIP files locked with passwords and then sending the password in a separate email. This method has long been used in Japan, but it has become clear that slightly less than 70% of respondents have placed some restrictions on its usage or are considering imposing restrictions in the future.
With PPAP, the attached files are encrypted, so detection software cannot inspect their contents. Viruses hidden inside the files can easily slip through, and there is a higher risk that emails carrying viruses will reach recipients. More and more companies are reviewing their use of PPAP.
Of the 70%, more than 30% of companies said they have already restricted the sending of PPAP emails to other companies, and slightly less than 10% of respondents said their companies now reject PPAP emails sent from other companies. Another 27% say they are considering introducing restrictions in the future.
When asked when they will implement restrictions, 28.1% of respondents said they plan to implement them within the next year, and only 7.3% said they plan to start implementing them more than a year from now. In addition to reviewing cybersecurity human resources and budget, companies also need to review the practices they use.