As "data monetization," which aims to generate revenue by making advanced use of data, including individual customer data, gains attention, the phrase "data is the new oil" has been appearing in the media and online. Indeed, the two may be similar in terms of their high potential for profit generation. However, unlike a physical oil field, data can be drawn off the way a mosquito quietly feeds, and there is a risk that valuable data will be stolen without you realizing it, making measures against data security risks an extremely important and serious issue.
Last year, I was appointed Chief Delivery Officer of Tata Consultancy Services Japan (TCS Japan), and am currently responsible for all delivery at TCS Japan, promoting the further growth of the hybrid model and the enhancement of solutions. In this article, I will explain the security risks that lie in data utilization and how to mitigate those risks, based on the knowledge and experience I have gained as the Global Head of Cybersecurity at Tata Consultancy Services (TCS) while providing consulting services to many global companies.
In recent years, digitalization has progressed in various businesses, and as the fusion of real and cyberspace continues to advance, cybersecurity risks are rapidly increasing. In particular, with many legacy systems still in existence, there is a serious risk of leakage or other incidents involving the vast amounts of data collected and stored in companies' internal systems. With authorities regulating data across borders, among other factors, the leakage of data, including customers' personal information, is a major risk not only to customers but also to the companies that collect and use the data.
For example, data such as consumers' site browsing history obtained through "cookies" deployed by companies on websites and social media can bring great value to marketing, sales, and even new product development. However, from the consumer's perspective, there is a risk that their privacy, including not only their purchasing behavior but also their hobbies, preferences, and political beliefs, will be exposed, and once the data has been obtained, they cannot get away with saying they did not know about it.
The magnitude of the risk to consumers is directly related to the magnitude of the risk to the companies that handle their data. If this data were to be leaked, it is clear from several recent examples how much anxiety and anger it would cause among consumers and how much social credibility the companies would lose.
How to reduce such data security risks has become an important issue on a global scale in recent years. As for the government regulations mentioned above, the General Data Protection Regulation (GDPR) came into effect in the EU in May 2018, and the California Consumer Privacy Act (CCPA) came into effect in the US in January 2020. Both of these laws require companies that handle data, including personal information, to take appropriate measures to protect that data.
According to the TCS 2020 CIO Study, conducted by TCS among IT executives, including Chief Information Officers (CIOs), from 1,010 companies in 11 industries in North America and Europe, more than 70% of respondents considered "data such as customer comments about the company's products and services on the Internet" to be "very important/fairly important," and more than 60% considered "data related to how customers found out about the company's products and services" to be "very important/fairly important." Despite this, the survey found that only about one-third of companies have taken concrete measures against data security risks. This shows that measures are clearly insufficient given the magnitude of the risk.
The rise in data security risks is by no means something that only concerns Japanese companies. Although GDPR is an EU regulation, it applies not only to companies registered in EU member states, but also to all companies that do business within the EU, even if they only obtain data of users within the EU through online sales or similar means. In other words, Japanese companies that conduct global business are also required to manage data in accordance with EU and US standards.
In addition, it should be understood that as more companies adopt working from home and remote work expands, security risks for Japanese companies are increasing. Japanese companies have accumulated a wealth of valuable data that could be subject to intellectual property rights, and have been targeted by hackers around the world, but in recent years, hackers' aims are not just economic gain. Many hackers, including those engaged in cyber attacks and cyber terrorism from hostile countries and organizations, or pranksters who simply want to show off their technological capabilities, are trying to lower the IT reputation (trust and evaluation) of Japanese companies.
In fact, in the past few years, there have been numerous news reports of Japan's leading companies falling victim to cyber attacks. For example, in 2018, multiple companies were hit by cyber attacks in which the settings of their routers for connecting to the Internet were rewritten from outside, leading to unauthorized access to fraudulent websites. Furthermore, this year, it was reported that the internal servers of a major manufacturer had been subject to unauthorized access for a long period of time. Both were serious incidents for Japan's industrial society, but they may only be the tip of the iceberg. The average lead time for noticing the damage caused by a cyber attack is said to be about eight months, so it is not surprising that some companies have already been attacked but have not yet noticed.
These examples show that with the world's attention on Japan, data security risks are higher than ever. Regardless of industry, business type, or type of data handled, it is urgent that all Japanese companies be aware of these risks and take measures.
I feel that awareness of data security risks has been growing among Japanese companies, especially global ones, over the past few years. However, only about 15-20% of Japanese companies have a dedicated Chief Information Security Officer (CISO). Compared to Western companies, it must be said that there is still a long way to go in terms of system development. As data security risks increase, the first thing Japanese companies should do is to strengthen their systems, such as by appointing a CISO, and to recognize data security measures as an important issue for the entire company, not just the IT department.
With the advancement of digital transformation, IT systems support all corporate activities, but all of these systems can become targets of attacks from hackers. In particular, Japanese companies often use customized legacy systems, and systems whose vulnerabilities have not been tested are often used without awareness of the risks themselves.
Even if the security measures on the system are perfect, it is meaningless if the employees who use the system have low risk awareness. As data shows that 90% of security incidents are via email, the biggest weakness in data security is "human awareness." First of all, it is important for all employees to raise their risk awareness and learn the basics of cyber hygiene, such as "not opening email attachments or clicking links from untrusted sources," "using officially licensed operating systems and applications," and "running the latest versions of appropriate security programs."
Figure: Seven-layer defensive wall
While it is important to implement thorough measures for each employee, it is also necessary to implement company-wide measures. However, it is inefficient in terms of both cost and effort to implement high-level measures equally for all systems within a company. The key is to evaluate and identify data security risks in the following three steps and take focused and continuous measures.
■ Step 1: Categorize and prioritize
The first step is to identify what data must be protected as a priority from the vast amount of data stored in a company's internal systems. Categorize data into customer information, product information, technical information, financial information, employee information, etc., and evaluate the value and risk of each. Consider which data is attractive to hackers and which data would have a large impact if leaked, and identify the important assets that need to be protected.
■ Step 2: Strategy formulation
Once the data that needs to be protected as a priority has been identified, we can determine the methods and routes by which that data might be attacked and consider countermeasures. By clarifying in which system the information to be protected is stored, to whom that system is publicly available and who can access it, and by clarifying the assumed attack routes of hackers, it becomes possible to devise specific countermeasures.
An effective countermeasure is to build layers of defenses on the path to your data: the first layer is the network, the second layer is the infrastructure, the third layer is the web server, and the fourth layer is the application. By building a defense in depth, hackers will be exhausted before they can reach your data, and will likely move on to other targets.
■ Step 3: Continue the evaluation
Identifying the data that should be protected as a priority and building a layered defense on the path to it can reduce the immediate risk, but this is only temporary. Companies' business models and scales are constantly changing, and the content and extent of risks change accordingly. Cyber-attack techniques are also becoming more diverse and sophisticated every day. In order to keep data security risks within an acceptable range, it is essential to keep track of changes in the environment and your company, while constantly evaluating the risks and countermeasures at any given time.
So far, I have explained the risks related to data security, and may have made you uneasy, but there is no need to be overly anxious if you recognize the importance and potential of data, identify the risks, and take appropriate measures. Addressing data security risks is like an "insurance product." Even if you cannot reduce the risk to zero, you can minimize the damage in the unlikely event that something does happen. First, you should correctly recognize the content and magnitude of the risks you face, and then consider what measures to take while determining the range of risks you can tolerate and the appropriate amount of investment.
Another similarity with insurance is that it is difficult to evaluate the effectiveness of countermeasures unless you are actually affected by a cyber attack. Nevertheless, it is important to conduct detailed simulations in advance to check and evaluate how various countermeasures will work in the event of an actual cyber attack.
Visualizing data security risks and running simulations to evaluate security measures require specialized knowledge and know-how. Rather than trying to handle everything in-house, it is better to make use of external experts.
TCS Japan provides total support for this process, taking advantage of its extensive global knowledge and experience in cyber security, including data security. If you have already implemented the necessary data security measures, you can have a cyber attack assessment by TCS Japan verify whether there are any weaknesses or areas for improvement. If you are unsure of the risks, wondering where to start, or are still considering measures, we can help you quickly develop countermeasures based on the three steps mentioned above.
We hope that this opportunity will remind everyone of the seriousness of data security risks and the importance of taking measures to address them, and encourage them to make effective use of valuable data.
Satish Thiagarajan (Vice President and Chief Delivery Officer, Tata Consultancy Services Japan Ltd.)

After earning a Bachelor of Technology in Chemical Engineering from National Institute of Technology Warangal in 1989, he gained experience in multiple industries (IT services, management consulting, engineering services) and obtained his CFA (Certified Financial Analyst) designation from ICFAI Business School, Hyderabad in 1997. He has led a wide variety of global projects in IT services, as well as achieving results in large-scale transformation programs and service development for applications and IT infrastructure. Since 2013, he has demonstrated leadership as Global Head of Security at Tata Consultancy Services, achieving business expansion at a CAGR of over 45% for five consecutive years. He has been in his current position since November 2019.
*The content listed is current as of May 2020.