Hacking Cyber: Securing Your Workplace in the Digital Era

The August webinar in the Future of Work series hosted by the British Chamber of Commerce in Japan (BCCJ) was cybersecurity. Entitled “Hacking Cyber: Securing Your Workplace in the Digital Era,” the event featured cyber experts who explored what organisations can do to protect themselves from cyberattacks and how they should respond if an attack occurs.

Kicking off the session was Darren Goff, director of trade and investment, Japan, and deputy trade commissioner, North East Asia, who outlined the UK government’s cyber sector activity, including with Japan.

The classification of cyberattacks as a Tier 1 national security threat and investment of £1.9bn to develop cybersecurity capability during the course of the UK’s National Security Strategy (2016–2021) are evidence of cybersecurity’s high priority for the UK government, according to Goff.

Since establishing a national cybersecurity centre in 2016, the government has been working with experts in industry and academia, to “drive innovation and develop skills and regulatory frameworks to keep our cyber-system and cyber-resilience world-class,” he said, noting that the UK has the largest cybersecurity sector in Europe with 1,400 specialist firms and 19 academic centres of excellence.

While striving to improve its cyber-expertise, the UK is “collaborating closely with international partners to build mutual cyber-resilience against global cyber-adversaries,” he added. The UK and Japan are natural partners in this work, given their “likeminded approach to technology and cybersecurity.” Pointing to the UK–Japan Comprehensive Economic Partnership Agreement as a solid framework on which to strengthen bilateral cyber-partnerships, he called on businesses in both countries to “play a vital role” by working together and sharing their expertise.

Being ready

John Noble CBE, non-executive director, NHS Digital, and senior executive advisor, Nihon Cyber Defence, addressed why cyberthreats are on the rise, what to do in the face of an attack and how to prepare ahead of time.

Although global digitalisation is a factor in the uptick in cyberattacks, Noble explained that the biggest factor is the adoption of ransomware as a service. Some groups are developing and making ransomware available on a leasing arrangement while others identify vulnerabilities in victims and sell it on to groups that carry out the attacks. Such operations “are truly international but also relatively secure” due to the affiliates’ trusted relationships with each other, which allow them to collaborate, he said.

Another factor is organisations “feeding the system” by paying the ransom, succumbing to pressure from the increasingly sophisticated approaches, such as disabling the organisation’s backup.

The answer, said Noble, is to be more stringent in cyber-hygiene: ensure software is up to date, have a multi-factor authentication system in place and segment your network so that the organisation is not compromised if one subsidiary suffers an attack. Backups should be offline, protected and tested. If testing isn’t possible the backup should be “tabletopped” at least. Senior management should be clear on their responsibilities in the case of an attack, be prepared to follow an incident management plan and have a business continuity plan.

Social media and ransomware

Mihoko Matsubara, chief cybersecurity strategist, NTT Corporation, noted that ransomware attacks and cyber-espionage on social media have risen during the pandemic. Pre-pandemic, 5% of people who received phishing or spear phishing emails clicked the attachment or link, but that ratio is now more than 40%. Matsubara attributed this trend to people’s reliance on digital platforms and a lack of awareness of cybersecurity best practices, pointing to a recent NTT Ltd. report showing only 43% of remote workers had received training as of summer 2020.

Both the UK and Japan have been facing significant attacks, she continued. In April, the UK government warned that some 10,000 Britons had been approached by foreign spies or organisational criminals on LinkedIn to access national or trade secrets. Japan, too, is wary of vulnerable people being targeted after an engineer handed over a trade secret related to smartphone technology to an overseas company following an approach on LinkedIn.

As many Japanese companies have been investing more in the global market in response to shrinking opportunities in greying Japan, global IT and security governance is becoming increasingly challenging. Some of the ransomware attacks on Japanese companies come from their subsidiaries abroad.

“We really need to raise awareness of cybersecurity among remote workers as well as business and government leaders, to enhance our cyber-defence and incident response capabilities.” she said, adding that 52% of companies globally don’t have any incident response plan, according to NTT Ltd.

Responding appropriately

Cartan McLaughlin, chief executive officer, Nihon Cyber Defence, pointed out that a ransomware attack can result in stress on management and severe business disruption. Its complexity and technical aspects, coupled with the difficulty of understanding its root causes, add to the challenge of triaging events as they unfold.

“Recovery time is mission critical to business operations,” he said, adding that organisations tend to be slow to respond to an attack due to fear, uncertainty, a lack of leadership or even “optimism bias.”

In McLaughlin’s experience, organisations that react well to an attack tend to involve the whole organisation, deliver effective communications, practice stakeholder management and maintain control. Cyberattack response plans tend to have been made, rehearsed and updated regularly. Bringing in a “critical friend” who has independent experience has also proved to be useful, as providing timely advice can take pressure off board members and help them make the right decisions.

After an attack, needs are twofold: to reduce the risk of another attack and to prepare for another attack. “Prepare a definitive account of the incident and evaluate the strengths and weaknesses of the response. Next, review the forensic site, identify the root causes of the attack and short-term measures required to block an attack,” he explained. “Also make a short to mid-term improvement plan and an effective resilience plan with responsibilities assigned to each person.”

Q&A

With organisations faced with the ongoing financial outlay of preventing and responding to cyberattacks, Moderator Takuji Okubo of the Digi-Tech Taskforce, BCCJ Executive Committee, asked how they can win the cyber arms race.

Noble pointed out that governments could do more by putting pressure on countries to act against some cyber-criminal groups, while large technology companies could build products that are secure by design. Ultimately, though, he said that organisations, particularly those that do business online, need to get the right balance of “usability and security.”

Matsubara suggested companies establish a risk management committee, consisting of the C-suite and leaders in cybersecurity, IT, HR, legal and risk management, to update a list of the top 10 risks facing their organisation, including cyberattacks, at least quarterly. Since an organisation has limited resources, this list would help them prioritise how to allocate budget to the top 10 risks at any one time.

For SMEs, the top target of cyberattacks, Noble suggested focusing on having multifactor authentication, protecting the administrator who holds the passwords, carrying out software updates and good cyber hygiene and making an offline backup.

McLaughlin suggested SMEs also check out Nihon Cyber Defence’s ransomware portal for help and advice, in English and Japanese.

In closing, the panelists called for more young people and women to join the cybersecurity sector to build strong capabilities in the future. The UK government is focused on bringing in more diverse talent, while Japan’s Ministry of Economy, Trade and Industry recently declared a 200,000-person shortfall in cybersecurity professionals that needs to be filled for the benefit of the country’s public and corporate sectors.