More than 50 percent of Japanese companies have no information-security division and 30 percent of them don't have a firewall in their networks, according to a survey of 790 companies with over 100 employees conducted by the Japan User Association of Information System (JUAS) in 2001.
"Users' honest opinion is that they don't want to spend money on something that isn't directly related to profit making," said Yasuto Nagata, president of the security division of JUAS, speaking at the Security Tech Update Tokyo 2002 conference on Tuesday.
JUAS is a government-funded user organization with 304 member companies from various industries. Its security division, established in 1999, discusses and researches information-security issues.
There are clear differences in awareness of risk and security management between U.S. companies and Japanese companies, Nagata said. U.S. companies have a history of having a security policy, whereas for Japanese companies, it is something completely new. It is more difficult for them to be aware of the importance of a security policy, he said.
"It is always a great challenge for a person in charge of making rules for security policy in Japan. The top management cannot be convinced to spend money on something that doesn't make profit, and end users resist doing something bothersome such as memorizing and inputting identification passwords," Nagata said, urging Japanese companies to be aware of the importance of information security and reform their existing corporate structure.
In addition, it is difficult to estimate the cost of dealing with possible security incidents, Nagata said. For example, nobody can predict how much damage a company would suffer, or the compensation it would have to pay, if its customer database were stolen, or if it accidentally sent out an e-mail virus to its clients, he said.
Another problem is that Japanese companies traditionally tend to have a strong relationship with one particular vendor, relying on what that vendor provides for its entire security system, Nagata said. Because of this approach, there is little competition, and prices of security-related products stay high.
JUAS's security division concluded that what users need is step-by-step guidance on security policy and evaluation of all the vendors' products, so that they can choose products from multiple vendors, Nagata said.
"Japanese companies like to follow and copy what others are doing. For example, when everybody is using Microsoft (Corp.)'s products for security, others rush to them because they think it's safe to use a de facto standard like Microsoft, even though it doesn't have a good reputation in that field," Nagata said.
Most of all, however, users should have a say in what kind of laws on security should be made, Nagata said. "Currently the government is driving the e-Japan initiatives and revising the commercial laws for electronic commerce. If we keep passive about the legal matters, some inconvenient laws for users will be made by the professionals," he said.