
Mar 17, 2025
Despite billions spent on cybersecurity globally, cybercriminals continue to compromise organizations via a well-defined playbook of discovering the attack surface, gaining access via a vulnerability or phishing campaign, moving laterally in search of high-value data (the ‘crown jewels’), and then holding that data ransom or exfiltrating it for financial or geostrategic returns.
Japan's history of innovation in high-tech industries makes it a prime target for ransomware gangs and nation state actors, but are board directors ready to oversee the risks in their organization? That was the topic of a panel I joined recently hosted by the Japan Board Diversity Network, which seeks to strengthen corporate governance and board diversity in Japan by connecting, inspiring, and training directors and other leaders.
I came away from the experience with the firm belief that today’s CXOs should also be involved in their board of directors’ ongoing education around cyber resilience.
A souring threat landscape
The discussion was timely, as the country has recently seen an uptick in cyber incidents, notably over 200 attacks over the past five years that investigators connected to the same threat actor. Japan also experienced a spike in denial-of-service attacks in December 2024 that mainly targeted financial services firms and e-commerce sites, but also led to delays for more than 20 domestic flights operated by the impacted carrier, Japan Airlines.
Researchers at Zscaler have charted this expansion in cyber threats. According to ThreatLabz data, Japan is the 14th most targeted country for ransomware attacks. Malware and phishing attacks also trended upward across the region, year over year.
One of my fellow panelists, Jess Nall, a partner at Baker McKenzie whose firm has a presence in Tokyo, believes Japan’s recent economic rebound has, in part, led to it becoming a greater target. The other factor is the success attackers have had, which has encouraged yet more attacks.
"Now that threat actors have figured out they can go and extract ransom from Japanese companies and that maybe the cybersecurity is not as robust, I think we're going to continue to see a dramatic uptick in attacks in Japan."
Engaging boards in cyber risk mitigation
All this means boards must take an active interest in cyber risk mitigation for their organizations, and by extension, their economy and national security. This is not only their fiduciary responsibility to their shareholders, but also critical to their organizations’ long-term sustainability.
However, boards will struggle to do this effectively without support from CXOs, who should focus on helping directors answer four key questions:
- What are the company’s mission-critical assets and how are they currently protected?
- Who might be interested in attacking our organization? State-backed actors? Ransomware groups? Hacktivists? Insiders?
- What policies, procedures, or controls have been put in place to prevent or mitigate attacks and how do we know they are effective?
- What incident response protocols are in place if the company is breached and what is the board's role in the response?
Understanding cyber risk is not a matter that’s solved by putting a single specialist on every board, says Ludwig.
"The whole board has a responsibility. You don't have to become a cybersecurity specialist, but you have to at least have sufficient knowledge to ask the important questions. ‘Did we take the right actions? How do we compare to other companies in this space? Are we improving over time?’"
But equally important, CXOs need to answer in language the board understands with meaningful metrics. Building relationships with individual directors is as important as delivering briefings at the scheduled meetings. Ensuring directors have access to the right resources to keep them informed is critical, and to that end, Zscaler’s new monthly board briefing covering cyber and AI risks – ‘The Director’s Cut’ – may also be useful.
There are other resources that may be equally valuable to share with directors. Dr. Ludwig, along with Zscaler board director Andy Brown, wrote a book aimed at helping directors understand the importance of zero trust and the “never trust, always verify” approach. This resource helps directors understand why a modern architecture is essential and why the legacy firewall-based ‘castle-and-moat’ approach is now a security liability.
Wherever you are in the world, getting the board ‘on board’ with cyber risk and zero trust is paramount. Educating directors on the importance of adopting zero trust principles – in Japan and beyond – will better prepare them for a future featuring more sophisticated AI-fueled attacks coming in high volumes from a range of threat actors. We can’t afford for directors not to be on our side.