Japan’s ‘myth of security’ raises cyber attack risk

Every April, as university graduates enter Japan’s workforce and log into the IT networks of Japanese businesses for the first time, the government runs a campaign pushing everyone to create a strong password.

But, in 2022, a global survey by cyber security group NordPass found that Japan’s favourite password remained “123456”, which is hackable in an average of one second.

Japan is far from alone in this complacency (the US and Britain’s favourite passwords include “password”), or in the struggle of companies and governments to protect data — one of the most financially critical resources of the early 21st century — more assiduously.

Companies around the world are repeatedly falling victim to ransomware cyber attacks and other criminality, where the door was opened by some foible of human behaviour, usually on the part of an otherwise reliable employee. The big question is whether Japan’s current approach is sustainable.

Everywhere, the corporate mismatch of confidence and experience is stark. In its 2023 report on ransomware attacks in 30 countries, including Japan, security group Fortinet found that 80 per cent of respondents were at least “very” concerned about the threat and 78 per cent described themselves as “very” or more prepared to thwart a breach. Yet 50 per cent of the respondents said their organisations had fallen victim to such an attack.

In Japan, say cyber security experts, the problem has distinctive features. For some time, Japanese companies felt cushioned by anzen shinwa, or the “myth of security” — the misapprehension that language, insularity and other factors keep potential attackers at bay.

Built into that mythology, say experts at consultancy Nihon Cyber Defence, is a tendency for senior managers to treat cyber security differently to other business risks. They will often outsource cyber risk to experts and assume that is enough from a management point of view. Then, in the wake of an attack, they will engage lawyers, along with ransom negotiators and advisers.

A more holistic approach, which would engage those advisers as a preparatory measure, and treat cyber risk on a par with other core business areas such as research and development, or recruitment, has yet to be widely adopted by Japan’s broad swath of midsized companies. This could potentially offer a new role for in-house lawyers in Japan.

Japanese companies felt cushioned by anzen shinwa, or the “myth of security” — the misapprehension that language, insularity and other factors keep potential attackers at bay

Also, circumstance is inflating the threat. For cyber criminals pursuing data with a purely financial motive, the traditional corporate targets in the US and Europe have strengthened their fortifications. But Japan represents a shooting gallery of tempting prizes: a large number of financially successful companies that may not have experienced an attack before.

As attacks on Japanese companies have increased, both the targets and the criminals have adapted. Larger companies have paid for top-notch cyber protection and built reliable strongholds of data back-up, so the ransomware gangs have turned their sights on smaller businesses. Other victims are institutional targets, such as small regional hospitals, which have a low expectation of attack, large amounts of data, and relatively unsophisticated protections.

In the face of this onslaught, however, Japanese companies appear to stand apart from their peers elsewhere by being less ready to bow to ransomware demands. Mihoko Matsubara, chief cyber security strategist at Japanese telecoms business NTT, points to a 2022 report by US cyber security group Proofpoint, which found that fewer Japanese companies pay up. While a global average of about 58 per cent of corporate ransomware victims paid the demanded fee, in Japan the figure was 20 per cent in 2021.

There are several reasons for that low rate, says Matsubara, whose role is unusual in corporate Japan. First, companies look at evidence from around the world that indicates only 8 per cent of companies that paid a ransom ever got 100 per cent of their data back, and that 80 per cent of companies that paid got hit again. These are not persuasive arguments to pay when faced with demands that can run to millions of dollars.

But also, she notes, many smaller Japanese companies — despite industry-driven digitisation and government campaigns — maintain a large portion of their data in hard copy. It may be painful, but they can rebuild digital databases using the paper-based records for which they are often criticised.

This may not last. In the end, Japan’s vulnerability to cyber attack will be determined by an issue already affecting the entire economy: its shrinking population and increasing shortage of expertise. The shortfall of cyber security experts in Japan, says Matsubara, runs into thousands, and it is far from clear that there is a supply of new engineers for corporate Japan to look forward to.