2021 Cyber IQ Survey: The shift toward proactive security

In this survey report, we examine trends in cybersecurity and resilience through the current and three-year outlook of 262 Japanese companies.

In the PwC Japan Group’s 2021 Cyber IQ Survey of Japan’s security leaders, we conducted a fact-finding investigation on the current and three-year outlook for security strategy, planning, structure, investment, supply chains, threat intelligence, privacy and other fields. This report, which summarises the findings of the survey as well as interviews with leading players in the public and private sectors, contains valuable insights for security leaders in Japan.

We hope that our recommendations based on these survey results will help your companies to take effective security measures.

In order to act in a proactive manner, we must be ready to anticipate what will be required in the future, based on both technical and non-technical intelligence. Raising the bar to a higher level will naturally require investment and resources, and this cannot be achieved without executive decision making. The determining factor will be the degree to which our leaders can lead.

Shinichi Yokohama, Chief Information Security Officer (CISO), Senior Vice President, Security and Trust Office (STO), NTT Corporation

This page provides highlights from our report on the 2021 Cyber IQ Survey. To read the full report, please download the PDF file from the following link.

PDF (1,233 KB)

Trends in changes surrounding cybersecurity at Japanese companies

Connections between digitised business and IT supply chains

The advancement of digital transformation (DX) is accelerating the use of digital technologies such as cloud, AI, IoT, and blockchain at various companies, and companies are already aware that security is becoming more important as a measure to ensure the safe use of these technologies. The importance of cybersecurity for digital connection is also rising quickly as the number of companies working on DX and digitalisation continues to increase. Digital connection can be viewed from two perspectives: that of the business supply chain and the IT supply chain. 

The acceleration of ‘zero trust’ in the wake of COVID-19

Zero-trust architecture (ZTA) is a concept that has existed since before the COVID-19 pandemic, but it is becoming more necessary and urgent with the recent increase in remote work. However, because ZTA is just an architectural concept and not something that can be achieved by installing a specific security solution, even many advanced companies are now facing barriers and issues related to its implementation, and are therefore still exploring the possibilities.

The Cyber IQ Survey results showed that perimeter defence measures such as VPNs were still the most commonly deployed measures for mobile devices. (55.3% of respondents selected ‘VPN’ as the security measure they use for mobile devices, the largest percentage of all options.) 

Meanwhile, regarding security measures that respondents have already taken and are planning to take in the next three years, survey results showed that ZTA-related measures such as risk-based authentication, multi-factor authentication, and single sign-on (SSO) are likely to increase, suggesting that companies are willing to change their mindset. However, in reality, the shift to ZTA is difficult to achieve in a short period of time, and we therefore expect companies to proceed in an incremental manner with the maturation of the related product markets and migration of current assets.

A graph showing the security measures that companies have taken and are considering taking in the next three years related to zero-trust architecture

The rise of ‘multiple extortion ransomware’

In recent years, a new type of cyberattack called ‘double extortion ransomware’ has become widespread. The term ‘double extortion’ refers to a ‘two-stage’ extortion scheme: Not only is data encrypted and a ransom demanded for its decryption, as with traditional ransomware attacks, but the data is also leaked if the ransom is not paid. 

Some ransomware has also been found to use triple-stage extortion, sending a large amount of communication data to the victim organisation's website and interfering with the operation of the website if the ransom is not paid. In this way, the pressure on victims to pay the ransom is increasing, and ransomware attacks have become increasingly malicious.

The maturing cyberattack business

As cyber threats continue to evolve to outsmart corporate countermeasures, the hurdles to launching an attack are becoming lower and lower, due to the maturation of the market for attack tools and know-how provided as a service. At the same time, companies must continue to pay close attention to internal threats such as internal fraud and inadvertent leaks, in addition to external threats. It is therefore crucial for companies to recognise that they are unfortunately facing a growing number of these threats and to continuously review their countermeasures.

Improving, but still insufficient, resilience

These survey results show that while many companies are willing to focus not only on protection but also on detection and recovery to enhance their resilience, they have not yet actually engaged in response and recovery. Despite the prevalence of the concept of cyber resilience, businesses still have a long way to go to realise it.

A graph showing the security functions that companies see as the most important, and that they expect to see as the most important in the next three years

While companies are struggling to secure their resilience, cyber threats continue to expand. As mentioned in the topics above, there have been many reports of ransomware and other malware attacks entering the networks of other parties in the supply chain or remote workplaces, leading to security incidents. In addition to the office environment, the environments of production and research locations such as factories have also become digitalised, and those systems are now connected to each other by networks. This is why the intrusion of a cyber threat can lead directly to the disruption of an entire business and its operations, and why the damage caused by security incidents is becoming more and more serious.

In this survey, when asked how they were affected by security incidents that occurred in the past year, 22.5% of respondents answered ‘Systems down’, 19.8% answered ‘Business impact’, and 21.8% answered ‘Data breach’. Regarding ‘Business impact’, many respondents reported impacts directly related to business and operational continuity, such as ‘disruption of business, processes and services’ (26.9%) and ‘network strain’ (26.9%).

A graph showing the impact of security incidents on business

As attack methods are constantly changing, executives must understand the attackers' aims, determine what the threat is to their business, and make the final decision on budget allocation and countermeasures. Security personnel need to provide information that enables executives to understand the differences in attack targets and changes in threat trends, and to make decisions on how much and where to allocate the budget and what countermeasures to take.

Hisanori Matsuzawa, General Manager, Data Management Department, MS&AD Insurance Group Holdings, Inc. / General Manager, Data Management, Mitsui Sumitomo Insurance Co., Ltd.

The shift toward proactive security

Architectural changes such as cloud migration and the rise of supply chain risks have both expanded and blurred the areas which companies need to protect. Cyber attackers are tactically exploiting these new risks to conduct cyberattacks. Therefore, it is essential that companies collect and analyse both internal and external information, including information on the intentions and capabilities of cyber attackers, in order to avoid being caught off guard by an attack from an unexpected direction. 

By collecting and analysing this information, it becomes possible to predict possible threats to the organisation with a high degree of accuracy and prepare for them. Performing such a series of activities in a near-real-time cycle is called ‘proactive security’. In order to achieve such security governance without being overwhelmed by daily risk assessment, it is important to define security management items as a common language across the organisation and to establish systems and processes for measurement, improvement, and reporting.

Specific actions to achieve proactive security

So what kind of efforts will companies need to take to achieve proactive security? In addition to their current efforts to develop and promote security response plans, companies will need to collect and analyse external factors related to cyber risks in order to acquire and strengthen capabilities to deal with urgent risks and to dynamically review their plans.

Traditionally, cyber risks have been recognised as IT system risks and were considered to be owned and managed by the information systems division. However, recent cyber risks are not only a risk to IT systems but also a management issue directly related to business continuity. Listed companies in particular are encouraged to disclose the status of their cybersecurity measures in their annual securities reports, and perceptions of cyber risks are starting to change.

However, even if data on cyber risks is collected, analysed, and reported at the management meeting, it will be difficult for companies to make effective decisions unless the correlation between cyber risks and their impact on business can be clearly explained. Therefore, companies need to examine key success factors (KSFs) for business continuity and identify in advance the factors that are affected by cyber risks. This will allow businesses to consider whether and to what extent any recognised cyber risks will affect their KSFs, and to make decisions based on these considerations.

The purpose of intelligence is to identify the impact of cyber risks on the key success factors (KSFs) of business operations and to support decision-making, which is not something that a third party can fully accomplish on behalf of the company. Therefore, it is essential for companies to develop a process that is tailored to their own needs, while referring to basic frameworks such as the intelligence cycle.

In general, intelligence activities are conducted by intelligence agencies based on requests from decision makers. They are carried out through a series of activity cycles such as policy formulation, collection, assessment, analysis, distribution, and feedback. In terms of corporate activities, policy formulation means setting the objective that intelligence collection is to achieve. This objective is the identification of cyber risks that could affect KSFs. To achieve this objective, it is also necessary to identify intelligence sources and evaluate the reliability of each source. Companies should then take the actions shown in the figure, in accordance with their newly formulated policy.

With the digitalisation of business, the number of key success factors (KSFs) affected by cyber risk continues to increase, and cyber-related issues are also becoming a larger part of decision-making.

Therefore, it can be argued that cyber risks need to be treated as a management agenda, and that of course management, represented by the chief information security officer (CISO), should lead those response activities.

Intelligence-related activities in particular require the collection and analysis of a wide range of intelligence, not only from a technical perspective, but also from the perspectives of laws, regulations, and social and industrial trends such as industry guidelines. Therefore, it is important to identify the KSFs that are related to cyber risks as a matter of common understanding throughout the organisation, and to establish a process for escalation to the relevant divisions in cases where comprehensive judgment is required, so that the intelligence that is collected and analysed can be put to effective use based on accurate knowledge of how to handle it.

Although the optimal structure will vary depending on the company, it is essential for all companies to strategically build an organisational structure that allows IT and business divisions to collaborate, for example by assigning cyber personnel to the business divisions or assigning cyber personnel within the IT division to be in charge of specific businesses.

A lot of information explains cyber threats from a technical viewpoint and provides warnings about measures to be taken. However, what executives want to know is not the methods and technical details of cyberattacks, but how much damage cyber threats may cause to their business continuity, credibility and intellectual property (IP), as well as how to respond. It is important for executives to understand the degree of negative impact that current cyber threats have on their businesses and what IP is being targeted so that they can take concrete countermeasures.

Shuji Okuda, Director, Cybersecurity Division, Commerce and Information Policy Bureau, Ministry of Economy, Trade and Industry

To read our full report on the results of the 2021 Cyber IQ Survey, please download the PDF file from the link below. 

Table of contents

1. Trends in changes surrounding cybersecurity at Japanese companies

  • Connections between digitised business and IT supply chains
  • The acceleration of ‘zero trust’ in the wake of the COVID-19 pandemic
  • The rise of ‘multiple extortion ransomware’
  • The maturing cyberattack business
  • Businesses are increasing resilience, but still have a long way to go

2. The shift to proactive security

Specific actions to achieve proactive security

  1. Identify KSFs of the business that could be affected by cyber risks
  2. Develop a cyber intelligence cycle that is appropriate for your organisation
  3. Build an organisational structure in which business and IT divisions can collaborate

Interviews with leading companies

3. The reality of Japanese corporate security in 2021

  • Corporate outlooks on cybersecurity as viewed through the 2021 Cyber IQ Survey

About the 2021 Cyber IQ Survey

The 2021 Cyber IQ Survey was conducted among leaders and decision-makers of security organisations in companies with sales of 50 billion yen or more in a wide range of Japanese industry sectors, and received 262 responses.

This survey was conducted by the PwC Japan Group in June 2021.


Our team

Kazuhiro Hayashi

Partner, PwC Consulting LLC


Mitsuhiko Maruyama

Partner, PwC Consulting LLC


Junichi Murakami

Director, PwC Consulting LLC

