As an example of Toshiba Group’s measures to achieve cyber resilience, the report looks at efforts in Security Incident Response Training. The training is used to verify whether the Response to Supply Chain Risks measures, which were enhanced last fiscal year in anticipation of potential incidents, are operating efficiently and smoothly.
The report summarizes the following initiatives in Response to Supply Chain Risks, which aim to prevent security holes*1 and realize thorough, omission-free risk management.
- Product Vulnerability Management that visualizes the number of vulnerability notifications for shipped products, the response status for each one, and vulnerabilities whose response deadlines are approaching
- Utilization of Attack Surface Survey*2 that objectively evaluates the security level of business partners
- Human Resource Development and Enlightenment, such as cyber security training and e-learning courses on the importance of supply chain security
Toshiba Group has long positioned supply chain risk as an important issue. In 2019, it established Toshiba Product Security Quality Assurance Guidelines for Suppliers (Software Edition), and since then has implemented initiatives that include distributing and disseminating the guidelines to business partners, collaborating with procurement departments, and asking contractors to strengthen their security. Recent years have made it clear that a cyberattack on one part of a supply chain can lead to damage across the entire chain, and last year Toshiba Group took countermeasures a step further.
With Security Incident Response Training to enhance security operations, Toshiba Group is actively advancing automation of “prediction and detection” and “response and recovery” processes and the utilization of threat intelligence*3, and is implementing initiatives to minimize the impact of security risks on corporate activities. In the previous fiscal year, with the participation of major Group companies in Japan, Toshiba Group conducted training that simulates actual incidents, to confirm whether systems and workflows, such as information sharing between related parties, communication pathways, decision points, and advance preparations, are all in place to support an appropriate response to incidents. Toshiba Group has taken the findings and issues from the training and is utilizing them for the next round of training. The Group continues to promote initiatives to achieve cyber resilience, such as conducting training that includes overseas Group companies and implementing follow-up education.
Going forward, Toshiba Group will continue to fulfill its accountability requirement regarding cyber security. It will ensure that stakeholders have a correct understanding of initiatives by publishing detailed reports on policies, strategies, and specific measures for ensuring security, both on its website and in the cyber security report.