Toshiba Corporation has published the English edition of Toshiba Group Cyber Security Report 2021, a summary of Toshiba Group’s cyber security policy, measures and activities in FY2020.
Due to COVID-19, remote work has become standard practice, and connecting with people remotely is becoming the norm in all spheres of life. This situation leaves businesses increasingly vulnerable to cyberattacks, and increases the urgency of developing cybersecurity systems that can counter determined cybercriminals.
In Toshiba’s core infrastructure services business, the scope of security is expanding from conventional information and product security to include industrial infrastructure sites and cyberspace. Toward realising total security of information, products, control systems, and data, Toshiba Group is implementing strategies that incorporate the concept of cyber resilience: the ability to minimise and quickly recover from security incidents, including cyberattacks. This concept centres on increasing system uptime (Prepare), reducing any losses in incidents (Mitigate), and shortening the response and recovery time (Response and Recover).
This year’s report details Toshiba’s three key measures for realising cyber resilience: Governance that clarifies decision-making and command systems; Security Operations that monitor, detect, respond, restore and defend; and Human Resources Development that trains the people needed to develop and operate security systems.
In Governance, security governance of the entire Group is driven by the Toshiba Group CISO Meeting*, which ensures major Group companies collaborate horizontally across organisational boundaries. Toshiba Group has established mechanisms and rules for identifying and evaluating privacy risks that can be applied prior to the launch of businesses that use personal data.
Security Operations minimises the impact of security risks on corporate activities by actively promoting the automation of prediction and detection, response and recovery, and the use of intelligence on cyber-threats.
In Human Resources Development, Toshiba promotes security qualification systems within the Group that certify security-related knowledge and technical capabilities for people working in different areas and roles. In order to assess the maturity of CSIRT (Computer Security Incident Response Team) and PSIRT (Product Security Incident Response Team) and improve cyber security management in individual companies, Toshiba requires Group companies to carry out self-assessments that visualise gaps between current conditions and goals, and indicate measures that need to be taken.
According to Toshiba Group, the company will continue to fulfil its responsibilities in this crucial area, and ensure that stakeholders understand its thinking, strategies, and specific measures to enhance security, by issuing regular website updates, and the annual cyber security report.
* An internal meeting in which the CISOs (chief information security officers) of major Group companies participate to plan and evaluate measures concerning the establishment, promotion, assessment, and improvement of the system for cyber security risk management for the entire Toshiba Group.