Masato Morisawa, BBSec: “security measures are only effective if employees are educated about them”
Despite the number of cybersecurity tools implemented by organizations, the level of employee technical knowledge seems to lag behind.
The approach to cybersecurity has changed radically over the last few years. The business sector has gone from barely using antivirus software to integrating in-house cybersecurity departments. Yet the number of security breaches remains high.
To talk about the measures necessary to maintain a high level of cybersecurity, we invited Masato Morisawa, Executive Vice President and Representative Director of BBSec, a leading IT security services company in Japan.
How did BBSec originate? What has your journey been like?
BroadBand Security (BBSec) is an independent cyber security vendor that is not a subsidiary of any IT vendor or telecom provider. BBSec was founded in November 2000, a month before Japan's National Information Security Center (NISC) was founded. We can proudly say that BBSec has been supporting Japanese cyber security from the very early days. With the mission of "creating a convenient and secure network society," we started our service with an Anti-Abuse Mail Service for ISPs. In 2006, we changed the company name to the current one. We now provide services in Japan and South Korea.
We first started with a secure email service, then expanded our areas of service to vulnerability assessment (2006), PCI DSS assessment as a QSAC (2008), Digital Forensic Service (2013), PFI service (2021), and SWIFT CSCF assessment (2020). We also provide managed security service, CSIRT consulting service, OT risk assessment, and various consulting and risk assessment services. In managed security service, we are one of the top Browser Isolation operating and monitoring providers in Japan, especially for the merchandising industry. In 2021, we expanded our service coverage by taking over the Gomez Consulting business, which conducts development and operation from a website UI/UX perspective, from Morningstar Inc.
To date we have performed more than 42,100 system vulnerability assessments and have assessed more than 530 PCI DSS compliance certifications.
Can you tell us a little bit about what you do? What are the main challenges you help navigate?
I am working on optimizing our business lines of Consulting & Assessment, Vulnerability Diagnosis, and Managed Service & Digital Forensics to promote BBSec's business. Our challenge is to raise awareness of the importance of security measures among all government agencies, companies, and organizations.
What methods do you use to evaluate the state of an organization’s cybersecurity?
BBSec conducts cyber security assessments based on PCI DSS, NIST CSF, NIST SP 800-207 for Zero Trust Architecture assessment, and other guidelines, including Japanese governmental guidelines and common criteria such as the "FISC Security Guidelines on Computer Systems for Banking and Related Financial Institutions" (the so-called FISC Guidelines).
In Japan, security guidelines and common criteria are generally determined and issued by NISC and METI (Ministry of Economy, Trade, and Industry). However, security guidelines and common criteria for the financial industry are determined and issued by the Financial Services Agency and its peripheral institutions, such as FISC and others. We are known for security assessment and consulting for the financial industry, and are recognized as a top-tier PCI QSAC. This reputation led to our becoming the first Japanese company registered as a SWIFT CSP assessment provider in 2021.
How did the recent global events affect your field of work? Were there any new challenges you had to adapt to?
We have been receiving many requests from customers, since we run a 24/7 cyber forensic service. Recently, we have had many requests from companies and organizations that fell victim to the Emotet malware. The number of support requests from affected customers rose rapidly in the last quarter, especially in late February. According to JPCERT/CC, Japan's CERT, which receives incident reports from various organizations, the number of Emotet infection reports increased significantly from the first week of February.
Besides Emotet, we also have many requests for forensic investigations of compromised EC (e-commerce) systems.
It looks like the instability has had some effect on cyber security and doubled the requests from customers, though we are not sure there is a significant correlation between the latest events and these circumstances.
In your opinion, why are certain companies unaware of the risks hiding in their own networks?
Cyber security measures had not been adequately budgeted, since they were treated as a cost in Japan. It was very hard to make the case to management, because the effectiveness of security measures is not visible: "nothing happens" tends to be considered a success in cyber security. In addition, because Japanese society is fundamentally based on the principle of "goodness," there was psychological pressure that made strengthening security feel as if it were somehow a bad thing.
There is also the issue of a shortage of cyber security professionals in Japan. For example, according to our survey conducted in 2020, this resource shortage resulted in 61% of companies not being able to apply security updates to their systems promptly, even though this is a fundamental cyber security measure.
The pandemic era brought significant changes to the work and IT environment, such as the rapid and widespread adoption of cloud services and working from home. This change is pushing Japanese companies to shift their security awareness.
Although there are plenty of security solutions and providers available on the market, certain companies and individuals still hesitate to upgrade their cybersecurity. Why do you think that is the case?
The number of people managing the systems is small compared to the number of systems, which means that sometimes systems are not well managed. Our 2020 survey shows that the resource shortage relative to the number of systems to be managed resulted in systems not being well managed. And in certain industries there are problems such as a lack of cooperation on timely security updates from the operations side, for the sake of maintaining compatibility with other software. This trend was most prominent in the OT and medical fields, but the situation has been changing in recent years.
The resource shortage is also impacting the implementation of security solutions such as EDR, WAF, SIEM, CASB, etc. These solutions require operational resources with cyber security knowledge. We provide support for security operations through our managed security service (MSS), helping to ease the problem of resource shortages.
In addition to the implementation and operation of technological solutions, security measures are only effective if employees are aware of and educated about them, and if they are involved in organizational efforts. We hope that companies will pay attention not only to the implementation of solutions but also to education and organizational efforts. BBSec is a partner that can help you with solutions, education, and organizational efforts.
Do you think businesses of all sizes should invest in IT solutions tailored specifically for them or is this practice only relevant for large enterprises?
Yes. In the course of providing security services to our clients, we have realized that while our services are scaled globally, there is an imbalance in the level of security in the value chain and that there are differences in security awareness among the parties involved in various processes. Therefore, we have decided to participate in the establishment of an organization that proposes "appropriate cyber security measures" considering the characteristics of the Japanese market, and to focus on the creation and dissemination of a common activity framework that can be used by companies of all sizes.
What security measures do you think are essential not only for organizations but also for casual Internet users?
We believe that the security measures required for casual internet users are, ideally, those where "users themselves are unaware that they are taking measures."
The internet is now infrastructure, and users vary in age and educational background. I believe that the security of the platform should be handled by the company that provides it, just as users do not need to secure their own phone lines when receiving a phone call. However, I believe that security literacy education is necessary, just as one should be careful not to be scammed over the phone.
What does the future hold for BBSec?
Our corporate mission of "creating a convenient and secure network society" will continue. With the shift to cloud computing and complex IT systems in all industries, security-based development and operations will also become increasingly important. That is DevSecOps. For a society where everyone can live in peace, BBSec wants to be a presence that supports all industries in terms of both convenience and security. As BBSec expands not only in Japan but also in Korea, Southeast Asia, and the rest of the world, we believe that it will help solve social issues that people and nations face.