I recently had a discussion with Japanese business executives on cybersecurity challenges, during which one of them asked me about the biggest difference between Japan and other countries in their approach to cybersecurity. I answered, “Each country and sector is different; but if I compare Japan and the United States, the Japanese tend to think cybersecurity is a technical problem, whereas the Americans tend to believe cybersecurity is a human issue, based on previous interactions and feedback from my peers and industry experts in the United States.”
This answer surprised him and brought home the point that cybersecurity touches upon various aspects of human nature and activities, rather than just technical problems. Only humans can do the cybersecurity risk assessment and management because this requires decision-making and resource allocation. People are essential for solving challenges around cybersecurity.
The IBM Security Services 2014 – Cyber Security Intelligence Index shows that more than 95 percent of the cyber incidents that IBM investigated occurred due to human errors, such as system misconfiguration and poor patch management. People are the weakest link in cybersecurity because every single person makes mistakes. That is why social engineering works to trick people into doing something they are not supposed to do, and employers encourage their employees not to open suspicious attachments or click URLs from unsolicited senders.
Of course, cybersecurity includes technical elements. Technology is crucial to address cybersecurity challenges because offerings like firewalls and endpoint protection are needed to prevent malicious actors from achieving their goals by cyber means. Technical knowledge is required to innovate, choose and use those products, as well as to analyze malware.
However, it is equally important to analyze and understand the human factors behind cyberattacks and risks, because these are the biggest trigger of cybersecurity incidents. Since today’s business environment cannot survive without IT, both IT and cybersecurity should be regarded as business enablers rather than cost centers. That is why the Japanese Ministry of Economy, Trade and Industry (METI) and the Information-Technology Promotion Agency (IPA) pointed out in their Cybersecurity Guidelines for Business Leadership Ver 1.1, published in December 2016, that cyberattacks are an unavoidable business risk in today’s business environment, where IT is part of the infrastructure.
To manage a risk, one of four treatments is needed: acceptance, avoidance, mitigation, or transfer. If a cybersecurity risk is low or moderate, an organization can decide to accept it and take no cybersecurity action to mitigate it. If a potential cybersecurity risk seems unacceptable, the organization may decide to take action to eliminate the source of the risk, such as a specific activity or technology. If the organization has the means to shift risk liabilities and responsibilities to others who have better expertise, it can transfer the risk, for example through cyber insurance. If the risk is not acceptable, avoidable, or transferable, the organization should adopt cybersecurity controls to reduce it, such as authentication, encryption, or firewall installation.
Investment in risk management is also needed. Yet, information technology (IT) was introduced to business operations mainly to cut costs. Because cybersecurity has traditionally been considered part of IT, it is challenging for companies to realize that it is an area to invest in as a business enabler.
In fact, IPA’s Survey of cyber risk management in companies in 2015, published in June 2015, showed that less than 50 percent of even major Japanese companies assess their business risks. Only 49.2 percent of the business leadership of major companies (annual sales over 1 billion yen) answered that they do business risk assessment. The ratio is 28.2 percent at medium-sized companies (annual sales between 100 million and 1 billion yen) and 14.9 percent at small companies (annual sales under 100 million yen).
Japanese companies are behind American and European companies in this regard. According to IPA’s 2017 survey of Chief Information Officers (CIOs) and Chief Information Security Officers (CISOs) in companies, 34.6 percent of Japanese companies said that risk visualization is challenging or insufficient. The ratio is higher in Japanese companies than in American (32.4%) or European (27.9%) companies. Unless business risks are assessed and visualized, it is impossible for business leadership to determine how many resources to invest in accepting, avoiding, mitigating, or transferring each of their business risks, and limited resources will be wasted.
An Indian folk tale about six blind men and an elephant is applicable to cybersecurity and business risk management. The six men touched different parts of an elephant and pictured it as a wall, a snake, a spear, a huge fan, a cow, or a rope. None of them obtained a whole picture of the huge animal because none had complete information about it. Luckily, the animal they were touching was a gentle elephant. Had it been a lion, touching it would not have been a good idea.
What actions, then, should business executives, especially in Japan, take now?
- Review your business risks and understand what kinds of risks your organization currently faces.
- Talk to your CISO and his or her team to share cyber risk findings and decide on which actions to take, whether from the stance of acceptance, avoidance, mitigation, or transfer.
- Prioritize business risks that require immediate action to avoid, transfer, or mitigate them and decide on how much in the way of resources should be spent on each risk.
- Since C-suites need to balance usability, security, and budgets, consider applying automation, such as automated defenses and the integration of cyberthreat intelligence, to maximize efficiency and effectiveness.
- Review your business strategy and revise it to reflect the cyber risk findings to maximize business value for your organization, customers, and partners.
A whole picture of business risks is indispensable for optimizing the use of the limited resources available to manage them. Every organization needs sound decision-making on business risk management, and only people can provide it. This step is a great opportunity to increase your business value.
[Palo Alto Networks Research Center]