Open search panel Close search panel Open menu Close menu

Material ESG Issues 2—Reinforcement of Information Security and Personal Information Protection

Last updated : February 24, 2021

With a full-fledged digital society, risks and opportunities by digitalization are emerging. Against this backdrop, the role of security is expanding. It is no longer simply a defensive measure that protects information assets and gives rise to expenses. Security is also a target for strategic investments aimed at transforming and growing businesses and forming new markets.

As a global ICT corporate group that believes in the potential of digital society, NTT Group is committed to contributing to global cyber-resilience. Further, we will proactively help realize cybersecurity worldwide by providing cybersecure ICT services.

Internal Factors

  • Across a range of fields, such as electric power, life sciences, and agriculture, development of diverse smart businesses based on ICT services
  • One of the world's leading telecommunications and ICT services client platforms

➡ It has become necessary to steadily pursue digital businesses through the protection of information assets and the securing of safe ICT platforms.

Social Demand

  • Increasing sophistication and diversity of cyberattacks
  • Reports of the vulnerability of ICT devices

➡ Due to the importance of cyber-resilience, companies are expected to take security measures, while companies in the ICT industry are expected to strengthen the security of their own products and solutions as well as the security of society overall.

Relevant Laws, Regulations, and Global Trends

  • Growing awareness of security as an important infrastructure and as an issue for the usability of ICT infrastructure
  • Establishment of laws related to the treatment of personal information (enforcement of the General Data Protection Regulation in Europe)
  • Initiatives by respective countries and regions focused on the safety of digital platforms, including IT, operational technology, and the Internet of Things (the EU Cybersecurity Act, various collaborative public-private sector measures for sharing threat information, etc.)

Business Risks
Arising from
Materiality Factors

  • Delay in the digitalization of the socio-economy due to a loss of trust in digital infrastructure
  • Loss of intellectual properties due to cyberattacks
  • Loss of trust in us as an ICT company due to being perceived as a company with inadequate security measures

Business
Opportunities Arising
from Materiality
Factors

  • Increase in market opportunities because clients' management teams view investments in security as contributing to the management of business risks as well as to digital growth
  • Overall increase in opportunities to provide ICT services due to being perceived in Japan and overseas as an ICT company with outstanding security
  • Establishment of competitive superiority by using safe and secure ICT infrastructure to develop solutions

Specific Measures

  • Leveraging of fundamental research and development to strengthen the security of our services and the provision of security solutions
  • Use of advanced technology and external partnership for early detection of and responses to security threats
  • Hiring and development of security personnel and community building
  • Distribution of pioneering knowledge through participation in and contribution to global communities

Policies on Initiatives in the Security Field

Digital society remains in its initial phase, while cybersecurity is in its infancy. Precisely because cybersecurity is in its infancy, rather than wait for the industry to take shape, NTT Group will be in the vanguard of efforts to take the initiative and create the industry.

As the socio-economy digitalizes and the international situation changes, cyberattacks and other security threats are becoming increasingly advanced and serious. In such conditions, NTT Group’s responsibility is to protect the infrastructure of ICT services as well as clients’ information assets and to provide sound platforms with a view to the growth of the digital economy.

In accordance with the medium-term management strategy, NTT Group has defined its mission as supporting the infrastructure of the digital economy and contributing to the construction and development of free, open, and safe ICT platforms. NTT Group must realize its own digital transformation and those of clients in a reliable, safe manner. Moreover, these capabilities should be the reason why NTT Group is the first choice of clients. In other words, our vision is for clients to choose us because we offer security.

Moreover, these capabilities should be the reason why NTT Group is the first choice of clients. In other words, our vision is for clients to choose us because we offer security.

The impact of COVID-19 shows no signs of abating. Although socio-economic activity is beginning to return to previous levels in countries around the world, including Japan, we expect remote working and online activity to increase beyond past levels. This situation represents a new challenge for NTT Group, which provides telecommunications and IT systems. Security will also become an increasingly important issue in the post-COVID world. Realizing our vision for the future will necessitate security across all activities, including customer response, research and development, operations, finance, human resources, and other administrative areas. We are pursuing initiatives aimed at ensuring NTT is considered the number one company in terms of security.

Vision

NTT Group will become the enabler both of its own digital transformation and those of clients.
The Group will be the first choice of clients because it ensures security.

Differentistion Strategy

Provision of Comprehensive Security Solutions Based on Development and Verification that Leverage Business Scale
Demand
Growing demand for comprehensive security
Superiority
Unique position that allows the provision of a wide range of ICT-related services on a global scale
Specific strategies
Development of "verified by NTT" solutions that take advantage of the Company's global operating environment, value chain, and digital transformation
Early Detection of and Rapid Responses to
Security Threats
Demand
Shift in focus toward demand for damage minimization, which is arising from an increased awareness that 100% protection is impossible
Superiority
Advanced analysis capabilities and analysts, such as a SIEM engine, and personnel with a high level of integrity
Specific strategies
Advanced analysis systems and professional support provided by analysts
Development of a Security Workforce with
Common Values
Superiority
More than 3,500 advanced and intermediate cybersecurity personnel who have a shared sense of integrity and are committed to realizing a secure digital society
Specific strategies
Creation a system that uses formal and informal methods to attract, hire, and develop personnel
Cooperation with Stakeholders Aimed at Leading the Dissemination of Knowledge and at Developing a Digital Society
Superiority
The only Japanese company with a dedicated cyber-advocacy team (a team that makes policy recommendations and society-related recommendations)
Specific strategies
Proactive formation of cooperative relationships with major global companies and governments of key countries

We will demonstrate leadership with a view to the sound development of an international digital society and prepare the groundwork for expansion of the ICT services market. At the same time, we will move forward with the rollout of security solutions that leverage advanced technologies and personnel.

Initiatives Aimed at Strengthening Security

Strengthening of the Security of Our Services

We aim to provide safe and secure ICT services, which are an integral part of society's infrastructure and underpin the digitalization of the socio-economy. Therefore, we are strengthening the security of all our services, including our telecommunications equipment, IT service environments, and services related to smart cities and buildings.

Global Coordination

Given the integration of our global businesses, we are also advancing global coordination with respect to security. To facilitate coordination within NTT Group, which spans a variety of different businesses and regions, the Group has introduced a risk-based management approach, built a framework founded on the recommendations of the U.S. National Institute of Standards and Technology, and established common Group standards for identification, protection, detection, responses, and recovery.

Participation in and Contribution of Global Communities

Centered on the United States and Europe, we participate in government and industry initiatives aimed at strengthening cybersecurity and share information on security threats and best practice. Also, we are working with companies and organizations to form communities based on mutual trust.

Progress of Initiatives

Participation in communities in Japan and overseas for the sharing of information on cyberthreats and best practice

  • ICT-ISAC Japan,*1 an organization that facilitates information sharing, collaboration, and coordination in Japan’s ICT industry
  • The global CSIRT community FIRST*2
  • Industry Development Global Initiative Charter of Trust, Charter of Trust, Cybersecurity Tech Accord, CSDE*3

Establishment with ICT companies worldwide of CSDE,*3 an international council for the realization of a secure digital economy

  • Issuance of the IABG*4

In three countries and regions worldwide, coordination with bodies that conduct collaborative efforts aimed at sharing information on and neutralizing cyber-crime

  • Europe: EC3,*5 the United States: NCFTA,*6 Japan: JC3*7
  1. ICT-ISAC Japan: ICT Information Sharing and Analysis Center Japan
  2. FIRST: Forum of Incident Response and Security Teams
  3. CSDE: Council to Secure the Digital Economy
  4. IABG: International Anti-Botnet Guide
  5. EC3: European Cyber Crime Centre
  6. NCFTA: National Cyber-Forensics and Training Alliance
  7. JC3: Japan Cybercrime Control Center

Training of Security Experts

We aim to increase the quality and number of security personnel. In these efforts, Group companies are advancing personnel development measures designed for respective personnel categories and skill level. The rise in cybersecurity threats attendant on the holding of international events necessitates even more countermeasures. Therefore, we are strengthening our security monitoring capabilities and stepping up personnel development.

Thanks to these initiatives, we had approximately 47,000 certified cybersecurity personnel as of March 31, 2019. Of these personnel, 3,500 have become certified as advanced and intermediate cybersecurity personnel by acquiring additional knowledge and practical work experience. Thus, we believe that we have the capabilities to respond as needed when major events are held.

*You can scroll horizontally

Job classification
Title Security management consulting / Security operation / Security development
Level Advanced Security master / Security principal Produce first-rate experts with best performance in the industry
Intermediate Security professional Reinforce the pool of specialists with deep experience and judgment
Beginner Security expert Raise the level of workers who can do their work with the required knowledge

Research and Development Initiatives

As well as the development of technologies for the security of our services, we are focusing efforts on the development of security element technologies. Further, in Palo Alto in the United States, in 2019, we established a new global research center, where pioneering, world-class researchers are tackling projects focused on cybersecurity and encryption technologies. We have also established the IOWN Global Forum, Inc. to facilitate our collaboration with industry-leading companies to formulate security architecture for next-generation communication infrastructures.

Security and Management Systems

The Group CISO Committee leads the construction of a governance system that coordinates the activities of Group companies. In the fiscal year ended March 31, 2020, the Group CISO Committee convened three times, while the Information Security Liaison Meeting met twice. In addition, systems have been put in place for dialogue with the senior management team, which receives regular reports on trends in external threats related to security at the Executive Officers Meeting. Also, management receives timely reports when security incidents occur.

Further, in 2004 we have already established NTT-CERT as an organization for responding to security incidents. NTT-CERT functions as the core of NTT Group’s security efforts and belongs to a Group research center specializing in cybersecurity. Because it can take full advantage of the center’s knowledge, the organization has outstanding technological expertise at its disposal. Moreover, the organization has built networks with cybersecurity organizations in regions worldwide, affording it rapid access to information on global trends and new threats. NTT-CERT informs NTT Group companies about such information, thereby strengthening the security of NTT Group and its clients.

Enhancing Our Ability to Cope with Increasingly Ingenious and Sophisticated Cyberattacks

Looking at Attacks from the Attacker's Perspective

As cyberattacks grow increasingly ingenious in their methods and affect more people, we are having to adopt the attacker’s perspective in order to strengthen our ability to deal with the attacks. Although recent cyberattacks have not displayed particularly novel technologies, they have become increasingly diverse and ingenious in their methodology and thus more difficult to detect by attempting to infiltrate Group companies and affiliates whose cybersecurity measures are weak and by pretending to represent actual commercial transactions.

Against the backdrop of increasingly unstable world affairs, concerns are growing about cyberattacks stepping up their targets from IT systems to important infrastructure and moving on from economic benefit to the pursuit of political gains.

To minimize the damage from cyberattacks under these circumstances, it is important to adopt the attacker’s mindset and anticipate how and why they will perpetrate an attack.

Understanding the need to augment security measures to protect important Company assets and step up our ability to minimize damage, we are cultivating verification teams with white hacker expertise. They probe our systems and address systematic vulnerabilities from a cyberattacker’s perspective, helping to make our security measures more visible and improve them.

Practical Cybersecurity Training

The ability to respond to recent-day cyberattacks appropriately requires an operational engineer’s technical knowledge. Also, it requires the experience to act appropriately and make decisions swiftly. People responding to cyberattacks must also be appropriately armed with the leading-edge information about cyberattacks, and maintain their ability to judge situations.

Conventionally, this expertise and knowledge has mostly been gained on the job, as employees familiarized themselves with the technological measures and organizational settings required for cyberattacks.

Efficiently training personnel to act of their own accord required time and an appropriate atmosphere.

To address this issue, we have developed a training environment that provides a framework for virtually recreating an actual cyberattack experience, with conditions that emulate an actual attack, and helping employees learn technological and organizational responses. In this way, in addition to employees who have the on-the-job experience that equips them with knowledge about the most recent cyberattack methods, we can help operations engineers who have relatively little experience increase their skills and strengthen their response capabilities.

Summary of key training

  • Experiencing simulated response to sophisticated cyberattacks
  • Catching up with the latest cyberattacks and tools
  • Compliance with global standards (NIST Framework)
  • Line up of 28 training courses in 4 fields (security operations, incident response, forensics, and penetration testing)

Other Beginner and Intermediate-Level Cybersecurity Training

Follow-up training for certified personnel

In the fiscal year ended March 31, 2020, we provided an environment in which all of our approximately 42,000 certified personnel can undergo Web-based cybersecurity training about case studies of recent cyberattacks and incidents. As all employees may become responsible for cybersecurity strategy implementation, we will expand the scope of security education to include all employees as we strive to enhance their security awareness.

Online CTF contest

We adopt a game-based approach in which each company forms teams of up to four people and competes by answering questions related to cybersecurity within a limited amount of time. After the close of the contest, we distribute videos showing explanations of the questions, which was highly effective as a learning tool.

Due to the impact of COVID-19, this fiscal year represented our first online contest, which was attended by 153 people, comprising 50 teams from 12 companies. Through this contest, we expect to increase knowledge and drive up an interest in cybersecurity. By making participation anonymous and entry easy, we aim to continue working to increase interest in security even among employees who do not currently work in that area.

Catalog-based education

We systematize the learning of knowledge and skills required for beginner- and intermediate-level certification, and have built up a catalog of commercially available training programs and made it available to Group companies.

Enhancement of Security Services

To establish its top-class industry position in the field of security, NTT Group is enhancing its presence in the area of application security and DevSecOps (an application development and operational model that incorporates security from the outset) through WhiteHat Security, Inc., a U.S. subsidiary.

In the application security field, WhiteHat provides the tools and services necessary to create and operate software safely, and the company has earned high praise in the market. WhiteHat’s application security platform provides an ongoing risk assessment of organizations’ software assets, incorporates security measures, and makes it possible to achieve DevSecOps.

WhiteHat’s forte in the application security field lies in its ability to test for Web applications’ vulnerabilities using software tools and AI. This is combined with expert verification to reduce false positives in the testing results. In general, designing and producing applications without security vulnerabilities is effective at preventing Web systems from the danger of outside attacks.

By taking advantage of WhiteHat’s strengths, we can efficiently confirm whether security has been ensured at each stage of the process, from application production through to operation. In addition to network and endpoint security, we expect to help ensure more secure system environments by also incorporating security response into the content of application design.

Security Business for Major Corporate Clients

As digital transformation diversifies ICT environments, cyberthreats are becoming ever-more sophisticated, boosting demand for zero-trust security measures that assume internal penetration.

NTT Group’s global operating company (NTT Ltd.) continuously develops and introduces cybersecurity measures that support leading-edge digital transformation. These include the advanced detection of cyberthreats through managed security services and immediate responses to threats through managed detection and response. Further, the company offers DevSecOps, which provides both security and the flexible agile development of applications that are important for digital transformation, as well as microsegmentation-enabled security technologies, which determine the lateral movement of threats that have penetrated from outside or inside (including insiders) and realize access control or isolation on a segment or terminal basis.

Also, in response to the increase in cyberthreats to critical infrastructure, factories, plant equipment, and building automation systems, we are rolling out advanced security solutions catering to industrial control systems and IoT that have unique system compositions, specifications, and environments.

By forming specialized teams in regions worldwide, we are able to offer solutions to clients in a wide range of industries. We resolve clients’ security issues by providing services that cover risk assessment and countermeasures based on leading-edge technologies through to managed security services that detect threats in real-time and respond to incidents.

  • Use of risk assessment to identify issues
    and establish countermeasure policies

  • Use of segmentation and host reinforce
    ment to reduce the risk of shutdown due
    to malware infection or proliferation

  • Threat detection and incident response
    through continuous monitoring

Security Business for Small and Medium-Sized Enterprises

IT is becoming indispensable for businesses. At the same time, regardless of whether their businesses are large or small, all kinds of companies are facing increasing security risks. In particular, many small and medium-sized enterprises lack specialized security personnel. Consequently, some clients are anxious because they feel that their security measures may be inadequate and they do not have anyone to consult with regarding security measures.

Given this situation, NTT Group provides comprehensive security solutions that perform the role of a specialized security manager for clients. Specifically, we provide clients with wide-ranging support that covers everything from normal operations through to the occurrence of incidents. As well as detecting and blocking unauthorized communications, the Group’s services monitor communications status, report on status through the distribution of reports, and support restoration if virus infections occur. Our lineup of services includes Omakase Cyber Mimamori, Omakase Antivirus (NTT East), Security Omakase Plan (NTT West), and Security Support Desk (NTT Communications).

The number of contracts for such omakase-type security services has been growing in recent years. (In Japanese, omakase means “leave it to us.”) Going forward, we will continue creating safe, reliable ICT environments for clients.

Stock Price (Real Time)

- TSE : 9432

Last -

Change -