A spate of high-profile cybercrimes and data leaks in recent months has left companies wondering if they will be next. They worry about the safety of their computer networks as hackers devise new ways to penetrate traditional defenses.
Companies are spending more on protecting their information but are also dragging their heels in taking radical action.
“Maybe 10 years ago, you could be safe and secure if you had security software installed on your computer,” said Motohiro Nakanishi, an IT security researcher at the government-backed Information-technology Promotion Agency (IPA). “The situation has changed dramatically since then.”
Japanese firms have been especially slow to adopt advanced security protection, said Michihiro Adachi, a general manager of the strategy section at IT security provider NRI SecureTechnologies.
Another issue is a lack of IT security specialists, Adachi said. This is partly because 69.8 percent of companies in 2014 were not offering serious career prospects for IT security professionals, he said.
But many companies are now at least aware of the importance of information security.
“In my 12 years of experience as an IT security consultant, I can say I have never had as busy a year as last year,” Adachi said. He attributes this to the sheer volume of headline-making breaches that occurred in 2014.
For instance, the assault on Sony Pictures Entertainment in November showed how vulnerable companies are to hackers. The attack, purportedly by North Korea, resulted in the theft of highly private corporate material, such as the screenplay for an unreleased James Bond movie and sensitive personal data, including the health records of employees and their families.
Spooked by the potential costs of a breach, a growing number of companies are deciding to spend more on cybersecurity in fiscal 2015, Adachi said.
According to NRI SecureTechnologies’ annual information security report last year, 31.4 percent of companies said they plan to boost spending on IT security in fiscal 2015, the sharpest rise in six years, by an average 14.2 percent. The survey comprised responses from 660 companies across a range of industries.
But as awareness evolves, so does the skill of attackers. Emails containing viruses are often disguised as routine business correspondence that rings no alarm bells. It is getting harder to screen all such incoming email, said IPA’s chief adviser for strategic planning, Ayumi Shiraishi.
The current trend among attackers is what is called a “targeted threat,” she said. In this, attackers aim to steal information from a particular target for their own benefit.
A typical attacker will contact an employee within a target organization with an apparently ordinary email, for example one containing a mundane business question. At first glance, the email may appear to come from a familiar address. Once an attached file is opened or a link to a website is clicked, the employee’s computer will be infected with a virus that allows hackers to access it remotely.
Then there is the so-called “conversation type” attack, and this one is particularly difficult to prevent.
In this, the attacker develops a kind of rapport with the target. For instance, someone in a company’s personnel department receives an email from an apparent job seeker asking about the hiring process. The hacker sends it merely to confirm whether the email address is actively used. Once the staffer replies, the hacker sends a resume file that needs to be clicked to open, and it contains a virus.
These attacks are hard to spot. “In the past, people could easily recognize (the attackers) were fake, thanks to their broken Japanese,” Shiraishi said. “But recently their Japanese is getting so sophisticated that people are more likely to open (the email) as a part of routine work.”
Because hackers can easily disguise where they come from, it is meaningless to try to identify them, Shiraishi said. Data shows countries like China and the United States are among the top host countries for attackers, but they are also countries with large numbers of unprotected computers, which hackers use to hide their tracks, she said.
Although it is difficult to trace what hackers do with stolen data, Shiraishi said corporate espionage is probably a prime motive, given the value of Japan’s high-tech information. Frequent targets are organizations such as Mitsubishi Heavy Industries Ltd. and the Japan Aerospace Exploration Agency, better known as JAXA.
There is no technological silver bullet to prevent cyberattacks because perpetrators will always find ways to get around protections, Nakanishi said.
What is needed is protection to control the amount of damage that may result from a breach, he said.
One idea is what is called “defense in depth,” a term deriving from a military strategy to build a system that delays an opponent’s progress. Like that military concept, the cybersecurity strategy uses multiple layers of protection and compartmentalization to minimize the harm done in a breach.
“It’s like constructing an apartment building, which consists of multiple rooms with all of them individually locked up, instead of a house where you can access all rooms once the lock on the main door is broken,” Shiraishi said.
It involves, for instance, building multiple computer networks within one organization so that if one is compromised the others remain secure.
But whether to introduce these systems depends on the company’s size and financial power, experts said.
They also said countermeasures are more important for smaller organizations, which lack the financial means to adopt large-scale measures. Moreover, these companies tend to be the targets if they have a relationship with major companies that deal with highly confidential data.