The Journal The Authority on Global Business in Japan

The sheer magnitude of the threat posed by cyberattacks aimed at companies, financial institutions, government agencies, infrastructure, and individuals around the world is difficult to comprehend. And, all too often, the scale of a breach and the damage done only becomes fully apparent much later.

The threat to modern-day technology is so serious, believes Robin Tatam, director of security technology for Minnesota-based software developer HelpSystems LLC, that it “represents the most clear and present danger that humans are ever likely to witness.”

Tatam insists that his statement is not hyperbole.

“An ever-increasing reliance on technology in all aspects of our personal and professional lives means that infiltration allows unauthorized access to our personal data, homes, cars, conversations, workplaces, and even our country’s infrastructure,” he told The ACCJ Journal. “No other single threat can be so subtle and yet also so bold. As long as there are human beings living on Earth, someone somewhere will seek ways to benefit and profit at the expense and misfortune of others.”

Corporate espionage can give a rival company a massive financial advantage. Interference by one nation in the politics of another can swing elections. And the 2001 terrorist attack on the World Trade Center in New York City “could pale in comparison to a large-scale attack on power grids or water supplies,” he warns.

But, a defense can be mounted.

“Risk can often be reduced significantly with the deployment of simple measures, but—much like traditional insurance—their value is often under-appreciated until it’s too late and the risk has been realized,” Tatam points out.

“While cyberattacks and data breaches have become frighteningly common, they are not necessarily inevitable. We have to be diligent in acknowledging and assessing our vulnerabilities and appropriating the necessary resources to counteract them. This isn’t free. It certainly isn’t easy. The alternative, however, is far worse.”

Examples of organizations that have failed to heed the warnings and subsequently paid the price are numerous and span all business sectors. In November, the Marriott International Inc. hotel chain admitted one of the largest data breaches on record. The personal information—including credit card numbers and passport details—of about 500 million Starwood properties’ customers was leaked between 2014 and 2018. The discovery was made in September.

At least three class-action lawsuits have already been launched against the company, and the damage to its reputation could take years to repair.

In July 2018, the government of Japan unveiled its new cybersecurity strategy in a paper that underlines the critical importance of fintech, Big Data, the Internet of Things, artificial intelligence, and other technological advances, as well as the associated risks.

Underlining the need for a “free, fair, and secure cyberspace” that contributes to “improving socioeconomic vitality and sustainable development”—as well as a safe, secure society and global peace and stability—the strategy is based on three points:

Mission assurances for service providers

Risk management

Participation, coordination, and collaboration

The policy calls for advancing cybersecurity as a driver of value creation, raising executive awareness, stimulating investment in cybersecurity, and supporting innovation in the cybersecurity business. And, it warns, the importance of these measures will only increase in the run-up to the Tokyo 2020 Olympic and Paralympic Games.

IBM Japan’s Security Operations Center

Masatsugu Koketsu, vice president of security for IBM Japan, Ltd., says the policy is well thought out—particularly because of the onus it puts on companies to do more to protect themselves.

“Anyone can make a mistake and introduce a virus into a computer,” he said. “The password can be too simple or something can be downloaded when it shouldn’t be. But this just shows how important it is to have multiple layers of defense.”

Typical antivirus software, Koketsu said, can only detect about 40 percent of infections because viruses are evolving rapidly.

An estimated 300,000 pieces of malware are created every day, and it is remarkably easy to access the dark web and find a template for malicious code, he added.

“I think the Japanese government’s policy is very good, but they still need to do more to encourage companies to pay attention to this problem. Big companies are typically better protected because they can invest in defenses, but smaller ones find it more difficult. It is also important that companies share information on threats frequently.

“Too many organizations still see security as a cost. They need to see it as part of the digital transformation of business. We generally see that companies which make the biggest investment in security are also the ones that are thinking most carefully about that digital transformation.”

Asked about his biggest cybersecurity fear, Koketsu did not hesitate.

“My biggest worry would be an attack on our social infrastructure: road traffic, networked vehicles, a new generation of internet-connected cars, road, railway and airport signaling, the power grid, and other infrastructure connected through the internet,” he said. “That would be extremely dangerous.”

According to a 2017 study by New York-based risk consultancy Kroll International Inc., 86 percent of companies it asked in the Asia–Pacific region said they had been the target of a cyber hacking attack in the previous month. The most common attacks use virus or worm infections to exploit loopholes in internet-facing systems, such as websites or email, or spear-phishing, an attack that uses email to trick users into turning over personal information or access credentials.

It is worth remembering that attacks can also come through employees or vendors.

One obvious area of major concern is healthcare, believes Eiji Sasahara, chair of the American Chamber of Commerce in Japan (ACCJ) Digital Health Subcommittee. According to the US Department of Health and Human Services, cases of “unauthorized access/disclosure” and “hacking/IT incidents” comprise the majority of personal data breaches in the US healthcare sector. The fine for a company that falls victim to an attack resulting in a data breach is $1.5 million, underlining the importance of protecting data in the healthcare space.

“It is possible that insurance will cover the financial loss resulting from this kind of incident,” Sasahara said. “But a far bigger challenge is to reverse the reputational damage in the short term.”

In September, the administration of US President Donald Trump updated the national cybersecurity strategy in an effort to enhance cross-agency and cross-sector cybersecurity information sharing and analysis. Sasahara said it is essential that the Japanese government catch up with the United States in this area as soon as possible.

“There have been a number of enhancements in the healthcare sector in the past year or so. Firewall intrusion detection is getting better and log-data management tools are making things easier. Still, we need to do a better job of securing the management of data through its lifecycle using a risk-based approach,” he said. “But that is difficult, because there is a serious shortage of cybersecurity professionals inside the central and local governments.”

John Carlson, chair of the ACCJ Healthcare Committee, agrees that the primary concern in the health sector is the confidentiality and integrity of personal records.

“While both are important, integrity is often overlooked,” he said. “Consider how important personal health data is to determine a patient’s care. Data integrity protects the patient from misdiagnosis and unneeded treatment, and ensures that healthcare providers make the most appropriate clinical decision.

“Some may argue that, in health, integrity is even more important than confidentiality. The reality is that all companies—whether small or large, financial services or not—are at risk and must have a comprehensive cybersecurity strategy in place.”

Like Japan and the United States, the European Union has taken steps to protect data. The General Data Protection Regulation (GDPR), which took effect on May 25, 2018, includes the onerous requirement that any data breach be reported to regulators within 72 hours of being identified. Penalties for failure to do so are steep: up to four percent of the company’s annual global revenue. Many believe that the Marriott breach would not have come to light so soon after discovery if not for GDPR.

HelpSystems’ Tatam said the number of companies and organizations that have fallen victim to criminal activity “is far more expansive than most people realize,” and the assailants’ evolving tactics mean we must all constantly be on our toes.

“We hear news of the next super-hack or mega-breach on occasion, but anything less seems to go largely unnoticed,” he added. “Of course, the bar on what constitutes ‘biggest’ is continually rising, making old news out of what would have been bold headlines just a few years ago.”

May 2017’s WannaCry ransomware attack, which encrypted data on more than 200,000 computers in 150 countries and demanded payment in exchange for the key, certainly raised public and corporate awareness of this particular tactic and sent chills through everyone due to the speed at which it spread globally.

But cyberattacks tend to come in waves, Tatam said.

“After heightened malware activity in 2017, we have seen far less in 2018. Does that mean we have fixed the malware issue? Have we closed the door permanently on that particular vector? Of course not. It’s simply a lull as criminals shift their attention to something deemed shinier. Some think that quest is mining of cryptocurrency.”

And, he warns, they will inevitably return.

“Risks need to be constantly reevaluated, as those who wish to attack us and exploit our systems are incredibly resourceful and creative. Gone are the days of juvenile mischief carried out by those excited by the challenge of facing a firewall.

“While there are trace elements of that, we must now be concerned with highly funded organizations that are skilled and motivated. Policies should be established and reviewed at least annually to determine if a company’s security infrastructure is in line with the current use of technology and evolving risks.”

Julian Ryall is Japan correspondent for The Daily Telegraph.