Japan’s ‘myth of security’ raises cyber attack risk

Senior managers in Japanese companies will often outsource cyber risk to experts and then assume that is enough

Please use the sharing tools found via the share button at the top or side of articles. Copying articles to share with others is a breach of FT.com T&Cs and Copyright Policy. Email licensing@ft.com to buy additional rights. Subscribers may share up to 10 or 20 articles per month using the gift article service. More information can be found here.
https://www.ft.com/content/bd990583-2948-4769-b090-eac644a2ad69

Every April, as university graduates enter Japan’s workforce and log into the IT networks of Japanese businesses for the first time, the government runs a campaign pushing everyone to create a strong password. But, in 2022, a global survey by cyber security group NordPass found that Japan’s favourite password remained “123456”, which is hackable in an average of one second. Japan is far from alone in this complacency (the US and Britain’s favourite passwords include “password”), or in the struggle of companies and governments to protect data — one of the most financially critical resources of the early 21st century — more assiduously. Companies around the world are repeatedly falling victim to ransomware cyber attacks and other criminality, where the door was opened by some foible of human behaviour, usually on the part of an otherwise reliable employee. The big question is whether Japan’s current approach is sustainable. Everywhere, the corporate mismatch of confidence and experience is stark. In its 2023 report on ransomware attacks in 30 countries, including Japan, security group Fortinet found that 80 per cent of respondents were at least “very” concerned about the threat and 78 per cent described themselves as “very” or more prepared to thwart a breach. Yet 50 per cent of the respondents said their organisations had fallen victim to such an attack