Ⅰ Introduction 1. Ⅱ Information Security Infrastructure and Environment 2. Ⅲ Information Security Incident Prevention 8

Transcription

1

2

3 Ⅰ Introduction 1 Ⅱ Information Security Infrastructure and Environment 2 1. Information Security Policy 2 A. Information (Personal Information) Security Policy 2 B. Information Security Policy 3 C. Personal Information Security Policy 4 2. Information (Personal Information) Security Organization 5 3. Information (Personal Information) Security Education 6 4. Information (Personal Information) Security Budget 7 Ⅲ Information Security Incident Prevention 8 1. Information Security Products and Services 8 A. Information Security Product Use 8 B. Information Security Service Use 9 2. Information Security Management 10 A. System and Network Security Inspection 10 B. Security Patch Application 11 C. System Log and Data Backup 12 Ⅳ Information Security Incident Response Information Security Incident Experience Information Security Incident Response 14 Ⅴ Information Security Awareness Executives Awareness of Information (Personal Information) Security Awareness of Information (Personal Information) Security 16

4 Ⅵ Personal Information Security Personal Information Collection and Use Personal Information Security Incident Experience Personal Information Security Incident Prevention 19 Ⅶ Information Security By Service Wireless LAN Cloud Internet of Things (IoT) Information Security (Cyber) Insurance 24

5

6

7 Ⅰ Introduction Population Effective Sample Size Data Collection Businesses with computers connected to networks (1 or more employees) 9,130 Businesses Face-to-face interview, , fax and online survey Fieldwork Period Aug. 1 Oct. 31, 2017 Effective Period Sampling Method Sampling Error Current as of Dec. 31, Education, budget, expenditure, and information security incident experience are for Jan. 1 Dec. 31, Currently invested/planned IT security activities are for until Aug. 1, 2017 Multi-stage stratified sampling Rate of information security policies ±0.70%p (95% confidence level) Sampling Design Primary Sampling Frame Secondary Sampling Frame Target businesses in the 2015 Report on the Economic Census Businesses that have established networks and one or more employee(s) among target businesses in the 2016 Yearbook of Information Society Statistics Glossary Malicious Code Security Patch Internet of Things (IoT) Information Security (Cyber) Insurance Software designed to execute malicious activities such as destroying the host system and stealing information (virus, worm, adware, spyware, etc.) Software designed to protect security vulnerabilities in the operating system (OS) or applications Intelligent information technology or service that connects objects to allows mutual communication between people and objects, as well as between objects and other objects (smart car, smart refrigerator, etc.) Insurance offered to corporations to guarantee compensation for damages inflicted by hacking, DDoS, and other intentional cyber attacks 1

8 Ⅱ Information Security Infrastructure and Environment 1. Information Security Policy A. Information (Personal Information) Security Policy 15.2% established information or personal information security policies, down by 1.9%p compared to the previous year. 15.2% of the businesses established information or personal information security policies in the form of an official document, which is a 1.9%p decrease compared to the previous year. - The rate rose from previous year in businesses with 250 or more employees (87.9%). For companies with less than 50 employees, however, fewer had an official security policy document this year compared to the previous year. Figure 2-1 Information (Personal Information) Security Policy or More 2

9 B. Information Security Policy 13.5% established information security policies in the form of an official document, down by 1.0%p compared to the previous year. 13.5% of the businesses established information security policies in the form of an official document, which is a 1.0%p decrease compared to the previous year. - The rate rose from previous year in businesses with 250 or more employees (86.2%). For companies with less than 50 employees, however, fewer had an official security policy document this year compared to the previous year. Figure 2-2 Information Security Policy or More 3

10 C. Personal Information Security Policy 14.5% established personal information security policies in the form of an official document, down by 0.8%p compared to the previous year. 14.5% of the businesses established personal information security policies in the form of an official document, which is a 0.8%p decrease compared to the previous year. - The rate rose from previous year in companies with 250 or more employees (87.6%). For companies with less than 50 employees, however, fewer had an official security policy document this year compared to the previous year. Figure 2-3 Personal Information Security Policy or More 4

11 2. Information (Personal Information) Security Organization 9.9% had an official information or personal information security organization, down by 1.1%p compared to the previous year. 9.9% of the businesses operated an official information or personal information security organization, which is a 1.1%p decrease compared to the previous year. - All groups had lower rates of information security organizations this year compared to the previous year. Figure 2-4 Information (Personal Information) Security Organization or More 5

12 3. Information (Personal Information) Security Education 30.4% conducted information or personal information security education, up by 12.4%p compared to the previous year. 30.4% of the businesses conducted information or personal information security education for its executives and employees during 2016, which is a 12.4%p increase compared to the previous year. Regular employees who use computers (90.2%) received such education at the highest rate, followed by CEOs and executives (65.5%) and Chief Information Security Officer (44.6%). Figure 2-5 Information (Personal Information) Security Education Regular Who Use Computers CEOs and Executives Chief Information Security Officer Chief Privacy Officer Personal Information Handlers IT and Information Security Staff * 2015 responses are not included because questionnaire was modified in

13 4. Information (Personal Information) Security Budget 48.1% allocated information or personal information security budget, up by 15.6%p compared to the previous year. 48.1% of the businesses allocated information or personal information security budget out of the IT-related budget during 2016, which is a 15.6%p increase compared to the previous year. - This rate is significantly rising every year, from 18.6% in 2015 to 32.5% in 2016 and 48.1% in % of the businesses allocated 5% or more of their IT budget for information or personal information security, an increase compared to the previous year. Figure 2-6 Information (Personal Information) Security Budget 36.8 Less than 1% % 5% or More 7

14 Ⅲ Information Security Incident Prevention 1. Information Security Products and Services A. Information Security Product Use 94.9% used information security product, up by 5.1%p compared to the previous year. 94.9% of the businesses used information security product, which is a 5.1%p increase compared to the previous year. Network security product was the most frequent type of product used (83.5%), followed by system (device) security products (74.8%) and others. Figure 3-1 Information Security Product Use Network Security Sy stem (Dev ice) Security Authentication Security Management Contents/ Inf ormation Leak Prev ention *Others *Surv eillance camera (CCTV) was added to Others in 2017 surv ey. 8

15 B. Information Security Service Use 48.5% used information security service, up by 8.0%p compared to the previous year. 48.5% of the businesses used information security service, which is a 8.0%p increase compared to the previous year. Maintenance and management (42.0%) was the most frequent type of service used, followed by education/training (12.7%) and security control (11.4%). Figure 3-2 Information Security Service Use Maintenance and Management Education/ Training Security Control Authentication Service Security Consulting 9

16 2. Information Security Management A. System and Network Security Inspection 64.7% conducted system and network security inspection, up by 9.2%p compared to the previous year. 64.7% of the businesses conducted system and network security inspection (vulnerability check, etc.), which is a 9.2%p increase compared to the previous year. Almost all businesses that conducted vulnerability check inspected their PCs (99.7%), followed by their server operating system (39.0%) and application programs (34.2%). Figure 3-3 System and Network Security Inspection PC Serv er Operating Sy stem (OS) Application Programs Network Dev ice (Router, Switch, Etc.) Web Database *Phy sical security *New item in 2017 surv ey. 10

17 B. Security Patch Application 96.9% applied security patches, up by 13.0%p compared to the previous year. 96.9% of the businesses applied security patches for their PCs and servers (Windows Update, etc.), which is a 13.0%p increase compared to the previous year. By type, the businesses applied patches the most for information security systems (93.4%), followed by employee PC (93.2%) and servers connected to external entities (89.6%). Figure 3-4 Security Patch Application Information Security System Employee PC Servers Connected to External Entities Internal Servers *Answers f or automatic update + manual update + update only when issues arise 11

18 C. System Log and Data Backup 52.5% backed up system log or important data, up by 14.2%p compared to the previous year. 52.5% the businesses executed backup of system log or important data, which is a 14.2%p increase compared to the previous year. By type, 37.4% of the businesses executed system log backup and 46.8% executed important data backup. Figure 3-5 System Log and Data Backup System Log Backup Important Data Backup 12

19 Ⅳ Information Security Incident Response 1. Information Security Incident Experience 2.2% experienced information security incident, down by 0.9%p compared to the previous year. 2.2% of the businesses experienced security incidents during 2016, which is a 0.9%p decrease from the previous year. By type, attack by malicious codes (75.5%) was the most frequent, followed by ransomware (25.5%) and adware/spyware infection (13.0%). Figure 4-1 Information Security Incident Experience Attack by Malicious Codes Ransomware Adware/ Spyware Infection Hacking DoS/ DDoS Attack Information Leak by Company Personnel Department of Medicine APT Attack 13

20 2. Information Security Incident Response 25.9% responded to information security incidents, up by 8.8%p compared to the previous year. 25.9% of the businesses conducted activities to respond to information security incidents, which is an 8.8%p increase compared to the previous year. By type, establishing emergency contact system for response to information security incident (16.3%) was the most frequent method, followed by formulating information security incident response plan (8.0%) and consigning security response activities to external entities (7.1%). Figure 4-2 Information Security Incident Response Establish Emergency Contact System for Response to Information Security incident Formulate Information Security Incident Response Plan Consign Security Response Activities to External Entities Establish and Operate Computer Emergency Readiness Team (CERT) Organize Incident Recovery Team Subscribe to Information Security Insurance No Response Activity 14

21 Ⅴ Information Security Awareness 1. Executives' Awareness of Information (Personal Information) Security Executives from 87.4% of the businesses found information security important, up by 3.5%p compared to the previous year. Executives from 88.9% of the businesses found personal information security important, up by 2.8%p compared to the previous year. CEOs and executives in 87.4% of the businesses considered information security important, which is a 3.5%p increase compared to the previous year. CEOs and executives in 88.9% of the businesses considered personal information security important, which is a 2.8%p increase compared to the previous year. Figure 5-1 Executives' Awareness of Information (Personal Information) Security *Ratio of people who answered important and very important to the question. 15

22 2. Awareness of Information (Personal Information) Security from 81.5% of the businesses found information security important and 84.6% found personal information security important. in 81.5% of the businesses considered information security important, which is similar compared to the previous year within the error range. in 84.6% of the businesses considered personal information security important, which is similar compared to the previous year within the error range. Figure 5-2 Awareness of Information (Personal Information) Security *Ratio of people who answered important and very important to the question. 16

23 Ⅵ Personal Information Security 1. Personal Information Collection and Use 1. Personal Information Collection and Use 47.4% collected customers personal information, up by 8.2%p compared to the previous year. 45.5% used customers personal information, up by 12.4%p compared to the previous year. 47.4% of the businesses collected personal information from their customers online or offline, which is an 8.2%p increase compared to the previous year. 45.5% of the businesses used personal information from their customers online or offline, which is a 12.4%p increase compared to the previous year. Figure 6-1 Personal Information Collection and Use

24 2. Personal Information Security Incident Experience 0.2% experienced personal information security incident, down by 0.8%p compared to the previous year. 17.7% made inquiry of or reported the incident to the authorities. 0.2% of the businesses experienced personal information security incident during 2016, which is a 0.8%p decrease compared to the previous year. 17.7% of the businesses that experienced personal information security incident made inquiries or reports to related authorities, which is similar compared to the previous year within the error range. Figure 6-2 Personal Information Security Incident Experience *Inquiry or report to the authorities (n=12) should be carefully interpreted. 18

25 3. Personal Information Security Incident Prevention 85.1% took managerial measures to prevent personal information security incidents, up by 3.1%p compared to the previous year. 85.6% took technical measures to prevent personal information security incidents. 85.1% of the businesses executed managerial measures to prevent personal information security incidents, which is a 3.1%p increase compared to the previous year. Figure 6-3 Managerial Measures for Personal Information Security Incident Prevention Create Incident Prevention Manual Establish Follow- Establish Internal On Management Response and Policy Reporting System Keep a List of Warning Signs for Incidents Notify Authorities Related to Personal Information Security Incidents * Including only top 5 answers. 19

26 85.6% of the businesses executed technical measures to prevent personal information security incidents, which is similar compared to the previous year within the error range. Figure 6-4 Technical Measures for Personal Information Security Incident Prevention Prevent Damages from Computer Viruses Security Measures Using Encryption Technologies Access Control and Break-in Prevention System Measures to Prevent Forgery/ Alteration of Access Control Store Data Offline None 20

27 Ⅶ 1. Wireless LAN Information Security by Service 1. Wireless LAN 71.5% had wireless LAN, up by 20.4%p compared to the previous year. 71.5% of the businesses had wireless LAN in the company, which is a 20.4%p increase compared to the previous year. Setting wireless LAN access password (83.7%) was the most common method for wireless LAN security, followed by encrypting transmitted data (30.7%) and separating internal wireless and cable networks (25.4%). Figure 7-1 Wireless LAN Set Wireless LAN Access Password Encrypt Transmitted Data Separate Internal Wireless and Cable Networks Control/ Filter Access to Wireless LAN Block Social Media Access Via Wireless LAN Limit Use of External Commercial Wireless LAN 21

28 2. Cloud 6.6% used cloud service, up by 1.2%p compared to the previous year. 6.6% of the businesses used cloud services in their offices, which is a 1.2%p increase compared to the previous year % of the businesses stated that they have a plan to introduce a cloud service to their system or maintain their current cloud service. Establishing security policies for cloud services (34.7%) was the most common measure to ensure cloud service security. Figure 7-2 Cloud *Businesses planning to introduce (maintain) cloud service: 6.7% Establish Security Policies for Cloud Services Use Cloud Services with Security Certifications Use Cloud- Based Security Services Mandate Security Software for Devices Using Cloud Services Separate and Encrypt Sensitive Data No Cloud Service Security Measure 22

29 3. Internet of Things (IoT) 4.9% used IoT products or services. 4.9% of the businesses used IoT products or services % of the businesses stated that they have a plan to introduce IoT products or services or maintain their current IoT products or services. Data leak (48.5%) was the highest perceived threat regarding IoT systems, followed by hacking or malicious code infection (46.6%). Figure 7-3 Internet of Things (IoT) Yes No 95.1 * Businesses planning to introduce (maintain) IoT product or service: 5.5% Data Leak Hacking and Malicious Code Infection Wireless Signal Disruption or Error Device Theft/Loss * Businesses that answered somewhat concerned and very concerned 23

30 4. Information Security (Cyber) Insurance 0.6% subscribed information security (cyber) insurance. 0.6% of the businesses subscribed information security (cyber) insurance % of the businesses stated that they have a plan to subscribe to information security (cyber) insurance or maintain their current subscription. In their information security (cyber) insurance, 84.0% of the businesses sought reimbursement for damages paid for personal information leak, followed by reimbursement of costs for personal information leak responses (74.9%) and reimbursement of costs related to corporate espionage investigation and litigation (36.9%). Figure 7-4 Information Security (Cyber) Insurance Yes No * Businesses planning to subscribe to (maintain) information security (cyber) insurance: 2.2% Reimbursement of Damages Paid for Personal Information Leak Reimbursement of Costs for Personal Information Leak Responses Reimbursement of Costs Related to Corporate Espionage Investigation and Litigation Reimbursement of Damages Paid for Corporate Secret Leak Reimbursement of Damages Paid for Acting as a Gateway to Zombie PC or Other Cyberattacks Reimbursement of Costs Related to Cyber Extortion 24

31