- Achieving cyber resilience and providing sustainable security throughout the supply chain -

TOKYO—Toshiba Corporation (TOKYO: 6502) has published the English edition of Toshiba Group Cyber Security Report 2023, a summary of Toshiba’s cyber security policy, measures and activities in FY2022.
　
As digitization advances in industry and society, cyberattacks are increasingly targeting social infrastructure control systems and devices, raising the risk of equipment hijackings and forced shutdowns. Toshiba Group is responding with strategies that incorporate the philosophy of cyber resilience, toward realizing total security for information, products, control systems, and data across the supply chain.

As an example of Toshiba Group’s measures to achieve cyber resilience, the report looks at efforts in Security Incident Response Training. This is used to verify whether Response to Supply Chain Risks measures that were enhanced last fiscal year in anticipation of potential incidents are operating efficiently and smoothly.

The report summarizes the following initiatives in Response to Supply Chain Risks, which aim to prevent security holes*1 and realize thorough, omission-free risk management.
- Product Vulnerability Management that visualizes the number of vulnerability notifications for shipped products, the response status for each one, and vulnerabilities whose response deadlines are approaching
- Utilization of Attack Surface Survey*2 that objectively evaluates the security level of business partners
- Human Resource Development and Enlightenment, such as cyber security training and e-learning courses on the importance of supply chain security

Toshiba Group has long positioned supply chain risk as an important issue. In 2019, it established Toshiba Product Security Quality Assurance Guidelines for Suppliers (Software Edition), and since then has implemented initiatives that include distributing and disseminating the guidelines to business partners, collaborating with procurement departments, and requesting contractors to strengthen their security. Recent years have made it clear that cases of cyberattacks in one part of a supply chain can lead to damage in the entire chain, and last year Toshiba Group took countermeasures a step further.
　
With Security Incident Response Training to enhance security operations, Toshiba Group is actively advancing automation of “prediction and detection” and “response and recovery” processes, and the utilization of threat intelligence*3, and is implementing initiatives to minimize the impact of security risks on corporate activities. In the previous fiscal year, with the participation of major Group companies in Japan, Toshiba Group conducted training that simulates actual incidents, to confirm whether systems and workflows such as information sharing between related parties, communication pathways, decision points, and advance preparations, are all in place to support an appropriate response to incidents. Toshiba Group has taken the findings and issues from the training and is utilizing them for the next round of training. The Group continues to promote initiatives to achieve cyber resilience, such as conducting training that includes overseas Group companies and implementing follow-up education.

Going forward, Toshiba Group will continue to fulfill its accountability requirement regarding cyber security. It will ensure that stakeholders have a correct understanding of initiatives by publishing detailed reports on policies, strategies, and specific measures for ensuring security, both on its website and the in the cyber security report.

*1: Information security flaws caused by program defects or design mistakes in computer OS and software
*2 A survey that automatically investigates the status of security measures for externally accessible networks and applications, verifies vulnerable services and potential vulnerabilities, and evaluates the level of security
*3 A general term for information such as security-related threat trends and hacker attacks around the world that supports decision-making on security

■Toshiba Group Cyber Security Report 2023 is available here:
https://www.global.toshiba/ww/cybersecurity/corporate/report.html

■Toshiba Group’s Cyber Security Website
https://www.global.toshiba/ww/cybersecurity/corporate.html