Every April, as college graduates enter the Japanese workforce and access the IT networks of Japanese companies for the first time, the government launches a campaign urging everyone to create a secure password.
But, in 2022, a global survey by cybersecurity group NordPass found that Japan’s preferred password remained “123456”, which is hackable in an average of one second.
Japan is far from alone in this complacency (the US and UK’s favorite passwords include “password”), or in the struggle of companies and governments to protect data – one of the most financially critical assets of the early 21st century – more assiduously.
Businesses around the world are repeatedly the victims of ransomware cyberattacks and other forms of crime, where the door has been opened by some weakness in human behavior, usually on the part of an otherwise trustworthy employee. The big question is whether Japan’s current approach is sustainable.
Everywhere, the corporate mismatch between confidence and experience is stark. In its 2023 report on ransomware attacks in 30 countries, including Japan, security group Fortinet found that 80% of respondents were at least “very” concerned about the threat, and 78% described themselves as “very” or more prepared to counter a breach. However, 50% of respondents said their organizations have fallen victim to such an attack.
In Japan, cybersecurity experts say, the problem has distinctive features. For some time, Japanese companies have laboured under anzen shinwa, or the “security myth” – the misperception that language, insularity, and other factors keep potential attackers at bay.
Inherent in this mythology, say experts at consulting firm Nihon Cyber Defense, is a tendency for senior managers to treat cybersecurity differently than other business risks. They often outsource cyber risk to experts and assume it is sufficient from a management standpoint. Then, in the wake of an attack, they’ll hire lawyers, ransom negotiators, and consultants.
A more holistic approach, which would involve such consultants as a preparatory measure and treat cyber risk on a par with other core business areas such as R&D or recruiting, has yet to be widely adopted by the broad swath of mid-sized companies in Japan. This could potentially offer a new role for domestic lawyers in Japan.
Furthermore, circumstances are inflating the threat. For cybercriminals pursuing data with a purely financial motive, traditional corporate targets in the US and Europe have beefed up their fortifications. But Japan represents a shooting gallery of tantalizing prizes: a slew of financially successful companies that may never have come under attack before.
As attacks on Japanese companies have increased, both targets and criminals have adapted. Larger companies have paid for top-notch cyber protection and built reliable data backup strongholds, so ransomware gangs have turned their attention to smaller businesses. Other victims are institutional targets, such as small regional hospitals, that have a low expectation of attack, large amounts of data, and relatively unsophisticated protections.
In the face of this onslaught, however, Japanese companies seem to stand out from their peers elsewhere by being less quick to bow to ransomware demands. Mihoko Matsubara, chief cybersecurity strategist at Japanese telecommunications firm NTT, points to a 2022 report by US cybersecurity group Proofpoint that found fewer Japanese companies are paying. While a global average of around 58% of corporate ransomware victims paid the required fee, in Japan the figure was 20% in 2021.
There are several reasons for this low rate, says Matsubara, whose role is unusual in corporate Japan. First, the companies review evidence from around the world indicating that only 8% of companies that paid a ransom recovered 100% of their data, and 80% of companies that paid were affected again. These are not persuasive arguments for paying in the face of demands that can run into the millions of dollars.
But also, she notes, many smaller Japanese companies, despite industry-led digitization and government campaigns, keep much of their data in paper form. It can be painful, but they can rebuild digital databases using the paper records for which they are often criticized.
This may not last. Ultimately, Japan’s vulnerability to cyber attacks will be determined by a problem already affecting the entire economy: its declining population and the growing skills shortage. Japan’s shortage of cybersecurity experts, Matsubara says, runs into the thousands, and it’s far from clear that corporate Japan can expect a supply of new engineers.