What it is and the value it drives
Cybersecurity is the protection of networks, computers, programs, and data from unintended or unauthorized access, change, or destruction. Failure to consider it as a primary risk is becoming an increasingly costly mistake: in 2019, individual data breaches cost an average of $3.9 million, for an estimated total damage of $4 trillion to businesses worldwide.
A conceptual shift "from the server room to the board room" is happening along with the realization that cyber risk can be reduced, but rarely eliminated, much like fraud in banking. These twin trends are shaping the way businesses manage and reduce their risk from "cyber-attacks".
Cyberattacks may be conducted by or against individual, industrial, or state actors, for the purpose of financial gain, espionage, or terror, and may result in compromised business continuity, added financial burdens, reputational damage, legal consequences, and regulatory fines.
The lifecycle of a cyberattack consists of several phases: reconnaissance, when adversaries plan their method of attack by identifying weaknesses; weaponization and delivery, when attackers determine which methods to use to deliver malicious software; exploitation and installation, when attackers deploy a technique to gain and maintain access into an organization; finally, execution, when the malicious actor reaches the target data and completes the attack plan.
It should be emphasized that anyone can be a victim of a cyberattack, not only high-profile targets: in 2017, the "NotPetya" virus, deployed as part of the Russia-Ukraine conflict, paralyzed worldwide businesses well beyond its intended target, causing economic damage of $10 billion in just a few hours. Shipping company Maersk suffered a hit worth $300 million as its entire supply chain was disrupted.
In the age of digital payments, data theft can lead to monetary theft: in September 2020, NTT DOCOMO reported a total theft of ¥25 million from its e-payment service, in over 100 incidents. Data of strategic importance is also a target for theft: in May 2020, it emerged that a cyberattack against Mitsubishi Electric in 2019 resulted in the potential theft of defense data. Data breaches affect companies globally, too: in 2018, credit card details of almost 400,000 British Airways customers were stolen, resulting in a General Data Protection Regulation (GDPR) fine of about $27 million.
Stolen data may even be kept for ransom, where failure to pay could translate into permanent data loss: global damage from “ransomware” is predicted to reach $20 billion by 2021. In 2020, Japanese game maker CAPCOM suffered a ransomware attack resulting in the potential loss of 350,000 records of customer and business data. In the same year, the first case of a death caused by ransomware occurred: a cyberattack had crippled a German hospital's systems, and a critical patient was not able to receive treatment in time.
Cybersecurity's core value, naturally, is the protection of digital and connected physical assets, for enterprises and governments. A thorough cyber risk strategy can provide defense against data destruction, system degradation, and ransoms, as well as prevent reputational damage from data breaches. Moreover, applied to R&D and corporate strategy, it can prevent competitive disadvantages resulting from the theft of intellectual property or trade secrets.
In addition to providing threat detection, protection, and resolution, modern cybersecurity can present companies with a realistic threat model and help them account for the financial impact of cyber risk up front, rather than as an unforeseen financial loss.
Where it is today
The traditional attitude to cybersecurity among companies and consumers can be likened to protecting a treasure by placing it in a castle and surrounding it with a moat: a predefined set of measures that, once in place, guarantee protection for a specific asset. In practice, this has resulted in a perimeter-based approach and a strong focus on "protection" through layered technologies, such as antivirus software, firewalls, identity management, and encryption. However, this focus on a one-time capital investment for protection reveals a significant blind spot: no threat model can successfully prevent every attack, and failure to identify incidents can be a costly oversight. Because of this, it took companies an average of 280 days in 2020 to identify (i.e., mean time to detect, or MTTD) and contain (i.e., mean time to recover, or MTTR) a breach. By the time of discovery, the damage is often already done.
Under the risk-based approach that is now becoming prevalent, the goal is no longer to attempt to eliminate risk altogether: rather, understanding that a percentage of attacks will invariably succeed, the goal is to minimize this percentage and reach a predictable cost of remediation, making cyber risk a controllable and measurable business cost. In practice, this translates to expanding the scope of a cyberattack, and putting solutions in place for all phases of it: identification, protection, detection, response, and recovery, as laid out in the standard Cybersecurity Framework established by NIST (National Institute of Standards and Technology, under the US Department of Commerce). Embracing this holistic view of cyber risk enables companies to minimize the financial and reputational damage from attacks, and attain MTTDs and MTTRs in single-digit days.
Encouraged by the growing impact of cybercrimes and this renewed perspective, cybersecurity spending has been growing at an annual rate of 10% since 2017, reaching $41 billion globally in 2020, $1 billion of which was in Japan. Spending was concentrated in the finance, manufacturing, public, retail, and healthcare sectors, which present higher cyber risk exposure and stricter regulatory requirements.
Within the cyber-service ecosystem, three kinds of players can be identified: general IT providers, diversified security players, and pure security players.
The first category includes companies offering software services across the whole "stack", such as cloud infrastructure, operating systems, networks, and devices. Players like IBM, Microsoft, and HP often include cybersecurity features as an integral part of their service portfolios. As cybersecurity is adjacent to telecommunications, players such as NTT are also developing comprehensive security offerings.
In the second category are established players offering security-focused solutions covering multiple segments of the stack. For example, Broadcom and CrowdStrike provide services from endpoint security (e.g., antiviruses), to user identity management, to cloud infrastructure monitoring. Endpoint security is becoming an increasingly relevant dimension, especially as remote working leads to increased numbers of users connected outside protected corporate networks. In such cases, VPNs (Virtual Private Networks) permit employees to access enterprise resources remotely with the same level of cybersecurity, without exposing themselves to data theft on the public internet.
As another example of integrated security players, companies like Cisco and Palo Alto Networks provide a full suite of cybersecurity solutions, from network security and cloud security to overarching security operations. Network security is an organization’s strategy and provisions for ensuring the security of its assets and all network traffic, by taking physical and software preventive measures to protect the network from unauthorized access. Cloud security refers to technologies and policies deployed to protect data, applications, and infrastructure hosted in the cloud, a crucial endeavor as organizations rely more on cloud-based services and rapidly embrace remote work, all while facing new compliance regulations and privacy laws that mandate stringent data security and privacy.
Finally, pure players focus on so-called "point solutions" which provide security on one or few segments of the stack or focus on one of the phases of a cyberattack. For example, Cloudflare or Fortinet provide cloud and network security, while Varonis or Darktrace focus on threat detection, both from internal and external actors.
How the technology will continue to evolve
Advances in cybersecurity are fueled by progress in computer science and electronic engineering as a whole, and several promising technological developments are likely to find commercial use across segments of the IT stack.
"Zero Trust" is becoming prevalent as a cybersecurity approach that can be applied across all layers of an IT infrastructure, driven by a changing digital infrastructure with cloud and remote working and a changing threat landscape. A typical error is to assume that everything within a "firewall" (i.e., a set of protections to block unauthorized actors from accessing a private system) is authorized and safe: this mindset does not account for malicious internal actors (e.g., employees), and assumes a perfect firewall to detect external threats. Zero Trust strategies, on the other hand, assume that no user, application, endpoint, workload, or content should be trusted by default: each time someone accesses a database or directory, or submits a request, its legitimacy must be validated against the company's policies. Cybersecurity leaders such as Cisco and Palo Alto Networks provide a robust portfolio to deliver Zero Trust everywhere—on-premises, in the data center, and in cloud environments.
Network security, concerned with protecting public and private networks from intrusion and abuse, has been making exciting progress, thanks to AI applications and the new concept of "Moving Target Defense (MTD)". AI can be used to provide "predictive threat intelligence" solutions, which detect unusual activity in a network, and preemptively address it: introduced by companies such as Darktrace, it can be expected to spread widely in the next five years. Moving Target Defense, which secures assets by constantly changing their underlying configuration, aims to dissuade attackers by significantly increasing the time and cost of an attack. MTD has been successfully applied in data and endpoint protection and is expected to find commercial usages for network security by 2025.
Identity and Access Management (IAM) is a framework of policies and technologies aimed at ensuring that users can be correctly identified, and appropriately granted or denied access to resources. In this field, biometric identification has made significant progress in speed and accuracy, and applications can be found in smartphones (e.g., fingerprint or face recognition), as well as in infrastructure management. Chinese tech giant Baidu has been leveraging face recognition to replace building access badges, while Japan started introducing it to airports, with the goal of cutting wait times and improving security. Going forward, biometric authentication based on other traits, such as DNA, is likely to find commercial applications. Other interesting authentication techniques include context-aware and cognitive authentication, which behave differently based on access pattern (location, time of day, device type, etc.) or require user-specific knowledge, an example of which is "narrative authentication".
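An added example (not part of the original article) contrasting the perimeter assumption with the per-request validation described under Zero Trust above, combined with the context-aware authentication signals just mentioned. The network range, roles, policy table, and thresholds are all constructed assumptions.

```python
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# All networks, roles and policy values below are constructed for illustration.
CORPORATE_NET = ip_network("10.0.0.0/8")
POLICY = {("hr-database", "read"): {"hr-analyst", "hr-admin"},
          ("hr-database", "write"): {"hr-admin"}}
USUAL_COUNTRIES = {"JP"}
WORK_HOURS = range(8, 20)  # local hours treated as a normal access pattern

@dataclass(frozen=True)
class Request:
    role: str
    resource: str
    action: str
    source_ip: str
    country: str
    hour: int
    device_managed: bool
    mfa_passed: bool

def perimeter_allows(req: Request) -> bool:
    """Castle-and-moat check: anything inside the corporate network is trusted."""
    return ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req: Request) -> str:
    """Per-request check; returns 'allow', 'step_up' (ask for MFA) or 'deny'."""
    # Authorization first: default deny when no policy entry matches.
    if req.role not in POLICY.get((req.resource, req.action), set()):
        return "deny"
    if not req.device_managed:
        return "deny"
    # Context-aware part: an unusual access pattern demands stronger proof.
    unusual = req.country not in USUAL_COUNTRIES or req.hour not in WORK_HOURS
    if unusual and not req.mfa_passed:
        return "step_up"
    return "allow"

# Constructed requests: an insider without HR rights, and a remote HR analyst.
INSIDER = Request("engineer", "hr-database", "read", "10.1.2.3", "JP", 10, True, True)
REMOTE = Request("hr-analyst", "hr-database", "read", "203.0.113.7", "JP", 10, True, False)
NIGHT = Request("hr-analyst", "hr-database", "read", "203.0.113.7", "JP", 23, True, False)
```

The insider request passes the perimeter check yet is denied by policy, while the remote analyst fails the perimeter check yet is allowed, or asked for MFA when the access hour is unusual.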
The growth of the Internet of Things, which has resulted in millions of devices being connected to the Internet, is creating new attack surfaces that were previously inaccessible or not valuable to attackers. Many IoT devices are based on processors called FPGAs (Field-Programmable Gate Arrays) which, while they allow for cost-effective customization fit for mass production, often do not have sufficient capacity for protection mechanisms. Palo Alto Networks 2020 Unit 42 IoT Threat Report found that 57% of IoT devices are vulnerable to medium- or high-severity attacks, and that 98% of all IoT device traffic is unencrypted, making IoT low-hanging fruit for attackers. In 2019, for example, smart home solution provider Orvibo reported a data breach of over two billion records of user and device data. Since Industrial IoT devices will be increasingly used to track and operate critical assets, interest in hacking them has been growing, consequently fostering research on IoT security.
Finally, endpoint security, i.e., the protection of individual devices such as smartphones and laptops, will benefit from advances in cryptography. Point-to-point encryption, which has been securing the content of messaging systems such as WhatsApp since 2015, will soon become a de facto standard as software tools to implement it become more commonly available. Over the next decade, steady advances in quantum computing are set to make quantum cryptography a reality, and render many current crypto algorithms obsolete, creating the need for "post-quantum encryption". UK-based startup KETS is developing quantum chips to secure communications, while Singapore-based company Sixscape and French startup CryptoNext are developing quantum-safe solutions.
The key future applications
As it becomes easier to perform cyberattacks using readily available cloud infrastructure and increasingly sophisticated software, cyber threats will continue to increase; moreover, as industries digitize their data and processes, every company must consider itself a potential target.
This trend will further bolster demand for comprehensive solutions for companies at different stages of digital maturity: the cyber-service market will become less fragmented as offerings are bundled, partnerships are created, and acquisitions consolidate multiple point solutions into integrated platforms. Moreover, the growth in adoption of public cloud will allow cyber-service providers to focus on fewer use cases, with hybrid cloud architectures strengthening the need for a centralized security solution.
Beyond standardization, education, outsourcing, automation, and orchestration are the forces that will drive cybersecurity applications.
Automation and orchestration of key cybersecurity functions will help in closing the cyber talent gap: as data volumes increase, the primary candidates for automation are core functions such as SOAR (Security Orchestration, Automation and Response, providing a centralized platform to monitor activity across an IT infrastructure and help security personnel manage response), MDR (Managed Detection and Response, focused on identifying malicious activity in a company's private network), and XDR (eXtended Detection and Response).
Outsourcing of cybersecurity services will happen in two ways: first, in the form of turnkey or Software as a Service (SaaS) solutions; second, as security becomes an integral part of software vendors' offerings. Especially in Japan, where the majority of software development is outsourced, a fundamental shift in the development process will be necessary to implement secure systems without costly delays. If security review and implementation work is left as the final step in a "waterfall" project delivery workflow, there is a risk that substantial rework will be necessary to reach compliance. To avoid the resulting delays and costs, it is crucial to embed security at the beginning of a project ("security by design"), as well as throughout development, testing, and deployment. Companies thus need to move from DevOps to "DevSecOps". Even though it might seem time-consuming at first, DevSecOps has proven to significantly reduce project delivery time in the long run.
Finally, cybersecurity is a complex field of computer science, and while many users receive little training on digital safety, even most software engineers do not have a solid-enough background to create safe infrastructure. In Japan, this "cyber talent gap" is being addressed by several startups: in addition to providing diagnostic and consulting services, INITIAL reports that players such as Root Riff, Flatt, and Global Security Experts have raised over ¥854 million (approximately $8 million) to provide training to companies and engineers in security best practices.
It should be noted that while these applications hold true for every country, Japan, since it is at an earlier stage of the digital transformation journey, has an opportunity to invest in and implement next-generation cybersecurity solutions. Digitization, while providing significant value, also presents attackers with an expanded attack surface, given the increasing number of users of online banking, electronic health records, connected homes, and so on. Japanese enterprises can define their cyber-risk strategies preemptively, or as a response to policy impetus enforcing stricter regulations, or, in the most expensive case, after experiencing firsthand the consequences of a successful cyberattack.