William Saito – “Three Common Trends in the IT Business” (Especially Cyber Security Risk)

On January 20 in Davos, Switzerland, US-based consulting firm PricewaterhouseCoopers released the findings of its 18th annual global CEO survey, A marketplace without boundaries? Responding to disruption, which surveyed 1,322 CEOs in 77 countries. In the survey, the percentage of CEOs who expressed concern over cyber threats showed a considerable increase, from 48 percent in 2014 to 61 percent in 2015.

Behind this rise were three cyber attacks that occurred between the end of 2013 and 2014 and which, I believe, had a major impact on the CEOs’ concerns. The first of the attacks, in November 2013, involved the hacking of Target Corporation, the fifth-largest retail chain in the US, resulting in a huge volume of customer data being revealed. Disclosure of the breach caused the value of [Target’s] shares to decline, and trust in the company to be undermined.

In May 2014, the company’s CEO was dismissed, to take responsibility for major losses. Instead of the CIO or [the chief security officer (CSO)], the executives responsible for cyber security, it was the man at the top who was fired, a move that may have made numerous other CEOs feel threatened.

In August 2014, JPMorgan Chase & Co, which reportedly budgets the equivalent of ¥45 billion per year for cyber security, was hit by a cyber attack. This points to the difficulty of guarding against such attacks, even with such enormous outlays, and is a painful reminder of a passage in one of my previous columns [in Diamond online]:

“Even when security functions appear robust, there is definitely a means to get past them, and unfortunately no perfect countermeasures exist to prevent hackers from breaking in. All one can really say is that there are two kinds of companies in the world: those with concerns over getting hacked, and those that are not concerned.”

At the end of 2014, the Sony Pictures Entertainment network was the target of a cyber attack. Its Twitter account was hijacked and data was leaked, resulting in a storm of criticism and disapproval.

These incidents, however, are merely a prelude. This year, I won’t be surprised if a publicly traded company is driven into insolvency as a result of a cyber attack. And because Japanese companies tend to be more lax in their crisis management, compared with companies in Europe and the US, perhaps it will be one of them that falls victim.

In addition, security countermeasures are a necessity across all business functions, including supply chain management. This is all the more reason for top administrators at companies to embrace cyber security. In the US, more companies are placing executives in charge of cyber security—as CSOs or chief risk officers—under a CEO, with security measures involving all departments, including general affairs, legal, and marketing departments.

To avoid the various risks, one of a CSO’s tasks is to obtain the most current data concerning cyber attacks, and have the general affairs division conduct staff training.

As new methods of cyber mischief are constantly popping up, security measures need to be regularly updated. These efforts must be made to include not only a company’s head office but also its affiliated firms, clients, and so on, that make up the supply chain. Since hackers always probe the weakest links in security when they attack, they will shift their efforts to [attack] weaker measures at a company’s clients or partner firms when major firms implement robust security precautions.

In the aforementioned case of Target, for example, the hacker obtained access via one of the retailer’s clients, an air conditioning company. From this, then, you can understand the importance of bringing affiliated firms under the security umbrella.

Cyber security, by extension, also encompasses company-wide crisis management. Once a nasty rumor is tweeted and circulated by the so-called super-connectors of industry, it can become the spark that, figuratively, sets the prairie ablaze.

As implied by the Japanese expression, “Rumors spread by people (have a life of only) 75 days,” there was a time not so long ago when things would eventually peter out of their own accord. Unfortunately, however, the Internet does not forget, and such stains become virtually permanent, making it essential to nip problems in the bud.

The debut, in January 2016, of Japan’s social security and tax identity system called My Number will require that security measures be built from the ground up. The system’s adoption will require companies to make additional investments in their systems, to ensure even more stringent safeguards for the management of individual data.

By aiming not only to prevent data leaks, but also to boost competitiveness, business organizations can expect to kill two birds with one stone. The “safety, assurance and trust” that come with comprehensive security will become a major asset for businesses in the future.

I also suppose the day may not be far off when investors, likewise, consider whether corporate management teams maintain awareness of cyber security as a key criterion for selecting companies in which to invest.
