Toshiba Publishes English Edition of Cyber Security Report 2021

-Promoting cyber resilience strategy that realizes total security for information, products, control systems and data-

August 18, 2021

TOKYO—Toshiba Corporation (TOKYO: 6502) has published the English edition of Toshiba Group Cyber Security Report 2021, a summary of Toshiba Group’s cyber security policy, measures and activities in FY2020.

Toshiba Group’s businesses center on energy, social infrastructure, electronic devices, and digital solutions, and the Group is in the process of transforming itself to become an infrastructure services company that supports society and people’s lives. With COVID-19, remote work has become standard practice, and connecting with people remotely is becoming the norm in all spheres of life. This situation leaves businesses increasingly vulnerable to cyberattacks, and increases the urgency of developing cybersecurity systems that can counter determined cybercriminals.

In Toshiba’s core infrastructure services business, the scope of security is expanding from conventional information and product security to include industrial infrastructure sites and cyberspace. Toward realizing total security of information, products, control systems, and data, Toshiba Group is implementing strategies that incorporate the concept of cyber resilience: the ability to minimize and quickly recover from security incidents, including cyberattacks. This concept centers on increasing system uptime (Prepare), reducing any losses in incidents (Mitigate), and shortening the response and recovery time (Response and Recover).

Figure: The Cyber Resilience Concept

This year’s report details Toshiba’s three key measures for realizing cyber resilience: Governance that clarifies decision-making and command systems; Security Operations that monitor, detect, respond, restore and defend; and Human Resources Development that trains the people needed to develop and operate security systems.

In Governance, security governance of the entire Group is driven by the Toshiba Group CISO Meeting*, which ensures major Group companies collaborate horizontally across organizational boundaries. Toshiba Group has established mechanisms and rules for identifying and evaluating privacy risks that can be applied prior to the launch of businesses that use personal data.

Security Operations minimizes the impact of security risks on corporate activities by actively promoting the automation of prediction and detection, response and recovery, and the use of intelligence on cyber-threats.

In Human Resources Development, Toshiba promotes security qualification systems within the Group that certify security-related knowledge and technical capabilities for people working in different areas and roles. In order to assess the maturity of CSIRT (Computer Security Incident Response Team) and PSIRT (Product Security Incident Response Team) and improve cyber security management in individual companies, Toshiba requires Group companies to carry out self-assessments that visualize gaps between current conditions and goals, and indicate measures that need to be taken.

In conjunction with the publication of the Cyber Security Report, Toshiba has renewed its cyber security website, to ensure that details of Group initiatives are reported in a timely manner.

Toshiba Group will continue to fulfill its responsibilities in this crucial area, and ensure that stakeholders understand its thinking, strategies, and specific measures to enhance security, by issuing regular website updates and the annual cyber security report.


* An internal meeting in which the CISOs (chief information security officers) of major Group companies participate to plan and evaluate measures concerning the establishment, promotion, assessment, and improvement of the system for cyber security risk management for the entire Toshiba Group.


■Toshiba Group Cyber Security Report 2021 is available here:

■Toshiba Group’s Cyber Security Website