The Journal: The Authority on Global Business in Japan

Technology raises businesses to new heights, but can also drop them hard. Recent attacks such as WannaCry and Erebus have wreaked havoc on businesses. The former infected 230,000 computers in 150 countries in one day, while the latter led South Korean web-hosting company Nayana to reportedly agree to pay hackers $1 million after data on its 153 Linux-based servers was encrypted.

Pipeline K.K. CEO Allan Watanabe says these attacks illustrate how fragile and incomplete our cybersecurity is. “This particular attack illustrates how effective and important it is for all businesses and personal users to be aware of patches and vulnerabilities. Many corporations delay patching due to possible downtime for reboots and installations. This attack should show how critical patching is.”

Certainly, maintenance of software and hardware is critical to security, but much of the risk comes down to flesh and blood.

“Many see a firewall, antivirus, or an intrusion detection system as sufficient for their data security policies when, in fact, this is just a preliminary and necessary protection mechanism,” explained Watanabe.

“It’s always people,” said Ras Scollay, country manager and regional sales director at CenturyLink Japan. “You need effective processes and procedures in place from C-level executives down to every single employee. Everyone is looking for the silver bullet that can protect them from cyber threats, but the reality is there is no such thing. All security is porous and requires a multilayered approach.”

One of the most important layers is your staff. Nothing done on the tech side will protect you if staff aren’t aware of the threats and haven’t bought into your security policy.

“Strong passwords, software updates, and adherence to security policies are essential for good cyber hygiene, but are not enough to protect the whole organization,” explained John Kirch, regional director for North Asia at Darktrace Japan K.K. “All it takes is for one employee, network guest, or temporary contractor to click a malicious link or download an infectious attachment to put the company at risk.”

According to Watanabe, a lack of awareness and training is by far the most common chink in the armor. “In general, I find that best practices are non-existent for corporate users. Some are beginning to look at ways to provide information to their users, but there is a fundamental problem with the way they are informing users. For example, Japan is a country well known for using many external companies and contractors, many of which do not receive the same training as their corporate users. This poses a severe problem to corporate policies.

“Statistics have shown that implementing a simple training program can help improve overall security far more than adding new hardware or software.”

“Policies keep people accountable. Without a policy, nothing defines desired practices and procedures,” said Robin Tatam, director of security technologies at HelpSystems, a global security and systems management software developer based in Eden Prairie, Minn. “The benefit to the business is lower risk and the ability to assure best practices. Of course, a policy is only effective if it is shared, validated, and enforced.”

Tatam also warned that an outside threat will often manifest itself through the compromise and utilization of internal credentials, thus no user account should be given unrestricted and unmonitored privileges.

An organization with stringent password policies, tight control over personal devices, and the latest firewall and intrusion detection system may feel protected. But, again, the human element is difficult to account for. Criminals are becoming increasingly sophisticated in the art of social engineering.

“Verizon’s security report indicates staggering click-through rates in phishing emails as high as 30 percent,” revealed Tatam. “This remains a remarkably successful attack vector when we consider that most email marketers are excited by open rates of three to four percent.”

Scollay thinks this could be due to the increasing quality of the writing and design of these emails. “If you look closely, you can usually see it’s not legit, but they are getting much more realistic, meaning there’s a higher chance of someone falling for them.”

And it’s not just email. “Attackers are creating exact clones of popular websites, are using voice phishing to accumulate more data about the targets, and have ways to take over social media and other types of accounts to mimic a user,” warned Watanabe.

Kirch echoed this. “Cyber criminals impersonating other people or brands we recognize and trust consistently remains the most effective way of tricking both consumers and employees into taking inadvisable actions.”

Information overload is also a potential cause for lapses in judgment that help hackers gain information, according to Scollay. “A busy executive is slightly more likely to fall for a phishing attack on the phone.”

Tatam said that social engineering often plays on human nature, which moves people to be helpful and to do as instructed. “Communication often appears to be official and relevant, and can trick even the most seasoned computer user.”

He sees user willingness to take communication at face value as one of the key behaviors that companies must change through training.

“Most of us were introduced to phishing via questionable emails authored by obvious fraudsters. But when an official-looking email is received from a business that you have recently had a transaction with—or from your company CEO—the result is often different,” he said. “Something as simple as a well-intentioned attempt to unsubscribe from a junk email can be all that’s necessary to become compromised.”

Tatam also believes that better education is needed to help people manage demands via phone or email that come from an authoritative source. “Challenging the authenticity of seemingly official directives and communication should be combined with the same ability to challenge office visitors who are not clearly identified as such.”

Watanabe, who believes there should be a mechanism to reward or penalize staff based on their actions, also advises setting clear guidelines. “Users must learn the security policies and escalation procedures. What do they do if something occurs? Turn off the device? Call somebody? Email somebody? There are many choices, and users may decide to hide the incident or take it upon themselves to fix the problem. This can cause additional issues, depending on what has occurred.”

Having warned about impersonation, Kirch predicts a future in which telling fact from fiction will become even more difficult. “In the months and years to come, we expect to see a new generation of attacks emerge that use customized code powered by artificial intelligence (AI) to emulate the behaviors of specific users so accurately as to fool even skilled security personnel.”

Organizations need to prepare for fast-evolving, stealthy threats emerging from within, and pernicious attacks that cannot be detected at the border, he explained.

This calls for what Kirch terms an “immune system” approach to security.

“Our bodies are exposed to new bacteria and viruses every day. While our skin stops most from getting in, some will inevitably slip through and infect us. This is where the human immune system comes into play by identifying and killing dangerous pathogens,” he explained. “By modeling cyber defense on the human immune system, technologies based on probabilistic mathematics and machine learning can identify a ‘pattern of life’ for every user, device, and even an entire network. From this precise understanding of ‘self,’ AI can detect and defend against emerging cyber threats at their nascent stages, without the use of rules, signatures, or prior assumptions.”

But before we get to that next stage, we must guard against current threats and ensure that our defenses are the strongest they can be. The danger is evolving daily, so there’s no time to waste.

“As we move faster in a cyber world with the Internet of Things—connected this and that—there is a stronger need for appropriate cybersecurity measures to protect businesses from common attacks such as distributed denial-of-service (DDoS) attacks, malware, and ransomware,” said Watanabe.

He added that the much bigger need, however, is to protect against data leakage and corporate espionage. And that means getting the human part of your defenses running smartly and efficiently through proper education and training.

“Data is the foundation of all businesses,” Watanabe summed up. “And with most of it on servers, hard disks, and clouds, it is vital for businesses to look at the entire picture for their own cybersecurity framework.”

Christopher Bryan Jones is Editor-in-chief of The Journal. Originally from Birmingham, Alabama, he has lived in Japan since 1997.