(This blog post is also available in Japanese.)
In August 2016, the Japanese National Center of Incident Readiness and Strategy for Cybersecurity (NISC) published a new document, Cybersecurity Approach for Business Management (this is a Japanese link), targeted at major companies as well as small and medium-sized businesses (SMBs). The NISC document follows up on Japan’s September 2015 Cybersecurity Strategy, which encourages business management to be cybersecurity-minded and invest in the same, and also the Cybersecurity Guidelines for Business Leadership Version 1.0 issued by the Ministry of Economy, Trade and Industry (METI) and the Information-Technology Promotion Agency (IPA), which we profiled in our May 2016 blog post.
While the METI/IPA guidelines are aimed squarely at business executives of major and medium-sized companies, the new NISC document fills an important need by targeting small businesses. In Japan, 99.7 percent of companies are SMBs, employing 69.7 percent of Japanese workers (Japan generally defines SMBs as businesses with fewer than 300 employees). In Japan, as elsewhere, more and more SMBs rely on information technology (IT). According to the METI White Paper on SMBs in 2013, 73 percent of medium-sized and 40 percent of small companies had their own website in 2007, rising to 80 percent and 46 percent in 2012, respectively. Although Japanese SMBs are aware that IT utilization can help them streamline their business operations, cut costs, and increase sales, they lack IT manpower, let alone cybersecurity specialists. Usually, because resources are limited, the head of the company or family members take care of IT needs.
But SMBs are becoming more vulnerable. As major companies have enhanced their security, attackers have ramped up targeting of SMBs, which often lack the resources even to detect breaches. A March 2016 IPA report on SMB information security analyzed responses from nearly 4,000 SMB representatives in November 2015. According to the IPA survey:
- SMBs that use no information security product or service:
  - 25% of small businesses with fewer than five employees
  - 15% of SMBs with fewer than 100 employees
  - 8% of SMBs with 101–300 employees
- SMBs that have no point of contact to consult about cybersecurity issues:
  - 72% of small businesses with fewer than five employees
  - 38% of SMBs with fewer than 100 employees
  - 30% of SMBs with 101–300 employees
- SMBs that have no cybersecurity educational program for their employees:
  - 81% of small businesses with fewer than five employees
  - 52% of SMBs with fewer than 100 employees
  - 40% of SMBs with 101–300 employees
This is alarming for the health of the Japanese economy and national defense, as well as for Japan’s trade partners. Japan’s economic strength and major companies rely on Japanese SMBs, which have high technical competence and supply parts for precision machinery and metal processing. Thus, the cybersecurity of Japan’s SMBs is crucial for Japan’s economy and for both national and international security.
The NISC Cybersecurity Approach was issued based on the work of a Working Group for Security-Minded Business Management, formed by NISC in December 2015, that included experts from academia, industry and law to explain how Japanese companies can integrate cybersecurity into their business strategies. The NISC document complements the METI/IPA Cybersecurity Guidelines by addressing how SMBs can pursue cybersecurity effectively. The Working Group, aware that SMBs’ limited resources make it difficult to adopt sophisticated security products or solutions, suggests that SMBs use cloud-based security services and also consider cyber insurance. The Working Group also proposes the creation of local “consultation desks” and seminars targeting SMBs, and that companies and business partners in the same sector work together, such as by sharing cybersecurity best practices.
The NISC Approach is not the only Japanese government effort to encourage SMBs to take cybersecurity more seriously. In 2015, the Japanese government revised the 2003 Personal Information Protection Act to remove an exception for SMBs holding fewer than 5,000 pieces of personal information, so that these businesses too must protect personal information and prevent breaches of it. The Act’s revision was specifically timed to coincide with the January 2016 introduction of “My Number,” a new personal identification system for Social Security and taxation information, which has resulted in SMBs (and all companies) holding more personal information on residents in Japan. Even Japan’s Tourism Agency is getting involved—immediately after JTB Corp., the largest travel agency in Japan, lost 7.93 million pieces of personal customer information due to a spear phishing attack in June 2016, the Japan Tourism Agency established the Advisory Committee to Address Breaches in the Tourism Sector. Its July 2016 interim report encourages travel agencies to take a number of steps, with specific recommendations for SMBs. These include using cloud-based security services and purchasing cyber insurance; the report further suggests that a trade association provide consultation services, as well as a CSIRT function, for SMBs throughout the sector.
Of course, budgetary constraints will remain the biggest stumbling block for SMBs investing in cybersecurity. It is unclear how much financial support, if any, the government will provide to SMBs for the efforts it is suggesting. For larger SMBs with larger budgets, cloud-based, automated cybersecurity services may cut costs and increase efficiency. Nonetheless, NISC’s Approach and the other activities profiled in this blog showcase some important efforts Japan is making to help such an essential part of the country’s economy—small firms—be more secure. Many governments globally share the same goal. For example, the U.S. Small Business Administration offers cybersecurity tools and resources specifically targeted at small companies. Japan’s activities are worthy of note and consideration.
This is the fourth in a series of blogs co-authored by Mihoko Matsubara and Danielle Kriz aimed at introducing Japan’s cybersecurity efforts and their significance to a global audience, including governments, global industry, and other thought leaders. Subsequent blogs are expected to cover additional thoughts on the METI/IPA Cybersecurity Guidelines, Japan’s role in global cybersecurity capacity-building, the cybersecurity ramifications of planning for the Tokyo Olympic Games 2020, and other topics.