A consultant devoted to spreading DNP’s information security expertise

Robust information security systems are imperative for repelling cyber-attacks that can be launched from any corner of the globe, but many Japanese companies remain woefully unprepared. This risk has grown in recent years as many domestic companies have jumped on the internet of things (IoT) bandwagon to streamline their operations but potentially left themselves vulnerable to cyber-attacks. Enter Shunsuke Sato of Dai Nippon Printing Co., Ltd.’s Information Innovation department, who is addressing this problem as a security consultant with a background in the manufacturing sector. Sato, the leader of the BR and Consulting Group in charge of planning and development, is confident that the DNP Group’s vast security knowledge will be crucial in the years ahead. This knowledge has been accumulated while refining DNP’s top-notch security systems for producing credit cards to ensure the company passes strict inspections of its factories by international credit card brands.

  • Gaining the trust of international brand credit card companies
  • Promoting “zero trust” practices
  • Sharing know-how first in financial sector and then elsewhere
  • Information security perception gap between Japan and abroad
  • Demand expected to grow due to increase and sophistication of cyber-attacks

Gaining the trust of international brand credit card companies

DNP started developing integrated circuit (IC) cards in the 1980s and now holds Japan’s top share in manufacturing and personalizing IC cards – a process that deals with personal information and thus requires maximum security. As part of this operation, DNP undergoes annual on-site inspections by international credit card brands to be eligible to manufacture and personalize such cards. DNP must clear meticulous “physical” requirements covering factory arrangements (such as access restrictions and installment of security cameras) and also “logical” elements, including countermeasures against cyber-attacks.

Sato served as a bridge between DNP and the credit card companies by relaying the latter’s strict requirements to factory workers: He translated security-related specifications into Japanese and interpreted during factory inspections. He frequently entered maximum security areas at the several DNP factories that manufacture credit cards – which are off-limit to most employees – when he accompanied the inspectors from those brands. This vast experience acquired on the job helped Sato become the first Japanese to be qualified as an internal security assessor of the Payment Card Industry (PCI) Security Standards Council several years ago.

Now Sato is an up-and-coming security consultant in various industries in addition to the financial sector.

“Introducing IoT equipment, which connects to the internet, has increasingly left industries vulnerable to cyber-attacks, which have become more frequent and sophisticated,” Sato said. “But many Japanese firms’ security countermeasures are still out-of-date by global standards.”

Promoting “zero trust” practices

In 2008, international credit card companies decided to strengthen logical specifications regarding cyber-security measures, a move that significantly toughened regulations at factories producing and personalizing credit cards. The United States and European nations devise cyber-security measures based on “zero trust” policies, meaning that nobody can be trusted. DNP’s security practices had been good before; the toughened regulations demanded even higher standards.

In addition to the standards adopted by many companies, such as holding regular penetration tests and vulnerability assessments, the regulations compelled DNP to delete USB memory after randomly overwriting it more than once and to remove software unnecessary for set tasks from Windows terminals. Other requirements included nullifying or rescinding authorization given to an employee before their resignation date and regularly checking the wireless local area network (LAN) even when wireless equipment is not in use. These regulations, which were founded on a zero trust model, triggered resistance from factory supervisors and workers who initially did not understand the reasoning behind them. The DNP workers were accustomed to the practices of a Japanese company that had long operated based on the belief that human nature is essentially good.

An image of employees ensuring information security at a factory.

But DNP workers eventually adapted to these new ideas. After inspectors explained why the credit card brands were demanding certain security standards be enforced, factory workers reportedly came up with effective security measures that cost less – much to the inspectors’ amazement. “DNP completely changed the mindset of the factory workers and its security measures are now on par with global standards,” Sato said.

For example, security guards at the Ushiku Factory intentionally say “hello” to visitors as they enter, letting other employees know that outsiders are nearby. “This effective security measure does not make visitors feel uncomfortable,” Sato said.

Sato said embracing advanced, overseas ideas about security helped DNP to strengthen its security systems. But it took several years until he became convinced that DNP’s know-how could be used for security consulting.

Proliferating know-how first in financial sector and then elsewhere

In April 2014, Sato compiled a report analyzing a huge data breach that surfaced at the end of 2013, involving a major U.S. retailer. Sato assumed similar reports had already been written. But when Sato explained his analysis results to a credit card company executive, they were, to his surprise, praised as being “timely and novel.” His presentation eventually led to DNP winning a contract to conduct a security vulnerability test for the company.

Sato began handling projects outside the financial sector in 2015. He participated in a DNP project involving a major auto parts maker as an observer. At the time, the auto industry was scrambling to adapt to the arrival of the IoT age, which necessitated tougher security systems, especially for digital keys for computers installed in automobiles. DNP has expertise in managing digital keys thanks to its years of manufacturing and issuing credit cards. “We clinched a contract with a global company because our project members presented a superb proposal,” Sato said. “But beyond that, it was because DNP is a manufacturer so it deeply understands how factories operate, including restrictions that exist in running plants, and how workers do their tasks.”

Information security perception gap between Japan and abroad

“The Japanese manufacturing sector’s awareness of information security has not been high,” Sato said. “However, with the advance of IoT and CASE*1 and the introduction of robotics in factories, this sector has no choice but to connect its equipment to the internet and thus must reinforce its cyber-security measures.” Sato believes it will be difficult for this sector to immediately implement the same security steps as the financial sector, which requires extremely high security measures due to the nature of its business.

“Industries other than the financial sector would get ‘altitude sickness’ if their security levels were elevated too quickly to match the world’s top standards,” Sato said. “We have to propose step-by-step security measures appropriate to their standards, while examining the optimal operational methods and necessary costs.”

Informing clients of cutting-edge security measures elsewhere in the world is a vital part of Sato’s role as a consultant. When Sato gives a presentation, the most commonly asked questions are about cyber-attacks around the world. To answer such questions, Sato must constantly stay abreast of the latest information. He has bookmarked pertinent sites on his smartphone so he can read the newest posts during his commute or other spare time.

Demand likely to grow due to increase and sophistication of cyber-attacks

Demand for Sato’s security consulting services is likely to rise with the expected increase and sophistication of cyber-attacks. “I think the solid expertise DNP accumulated by quickly incorporating the ‘zero trust’ idea will be a major weapon other Japanese companies can use to combat cyber-attacks,” Sato said.

Sato believes industries other than the financial and automobile sectors will need bolstered information security systems in the future. One obvious case in point is the medical care sector. The medical care sector in foreign countries has frequently suffered information security breaches, although Japan has largely escaped such attacks. Sato intends to accept any call for assistance from the medical care industry, and he is coaching his subordinates at DNP to prepare for a surge in demand.

Sato is immersed in work during weekdays, but he enjoys playing the Pokemon Go mobile game with his family on weekends. He walks around his neighborhood to find and capture virtual monsters in the game. Not only is this exercise good for his health, Sato said this downtime is essential for keeping his mind fresh as he prepares for a tough mission in the real world – helping Japanese companies prevent data breaches.

  • *1 CASE is the acronym for Connected, Autonomous/Automated, Shared and Electric, which expresses the ongoing fields of technological innovation in the car industry.
  • * Publication date:  June. 19, 2020
  • * DNP department names, product specifications and other details are correct only at the time of writing. They are subject to change without prior notice.