Executive Summary

As the world's knowledge workers were driven home amid a pandemic and cases of ransomware ran rampant across the internet, measuring the world's most critical businesses’ internet exposure has become more important than ever. In this round of Internet Cyber-Exposure Reports (ICERs), researchers at Rapid7 evaluate 5 areas of cybersecurity that are both critical to secure to continue doing business on and across the internet, and are squarely in the power of CISOs, their IT security staffs, and their internal business partners to address.

1. Authenticated email origination and handling (DMARC)
2. Encryption standards for public web applications (HTTPS and HSTS)
3. Version management for web servers and email servers (focusing on IIS, Nginx, Apache, and Exchange)
4. Risky protocols unsuitable for the internet (RDP, SMB, and Telnet)
5. The proliferation of vulnerability-disclosure programmes (VDPs)

In this report, we examine the internet-facing cyber-exposure of the top companies listed on Japan's Nikkei 225. Each section is accompanied by real-world, practical advice that practitioners can start implementing today. Note that this advice is not only for those CISOs who are privileged to hold positions in Nikkei 225 companies, but also for those security experts who find themselves in business and regulatory relationships with members of this prestigious collection of corporations.

Through the first half of 2021, Rapid7 is releasing reports measuring these 5 critical areas of cybersecurity fundamentals across 5 of the most advanced economies of the world:

1. The United States Fortune 500²
2. The United Kingdom's FTSE 350³
3. Australia's ASX 200⁴
4. Germany's Deutsche Börse Prime Standard 314⁵
5. Japan's Nikkei 225 (this report)

Key Takeaways

The paper is divided into 5 detailed sections covering the areas mentioned above, and the overall takeaways of this research are as follows:

• Nikkei 225 email security posture is lagging behind the US and UK. At the beginning of 2021, email security among the Nikkei 225 isn't keeping pace with its peers in the US and UK. While DMARC adoption in the US and UK hovers around 50%, only about 13% of all the surveyed companies operating in Japan have any DMARC records configured, and of those, 25 out of 29 (about 86%) are set with a p=none (or passthrough) policy. In other words, only 4 (under 2%) of the Nikkei 225-listed companies are taking active measures to protect their brands, employees, and customers through DMARC p=quarantine or p=reject policies.

• Exposed, dangerous services are less of a concern in Japan. While dangerous protocol exposures of Windows Remote Desktop (RDP) file-sharing (SMB), and Telnet continue to be an issue across the surveyed companies, it does not appear to be nearly as much of a problem as we've seen among the U.S.-based Fortune 500: For RDP and SMB, over 90% of the Nikkei 225 had no exposure.

• Telnet and HSTS remain concerning, however. Telnet is a different story; about 27% of the Nikkei 225 has some legacy telnet exposed to the internet. Additionally, when we looked at secure HTTP (HTTPS) deployment, we found that while HTTPS is standard for 100% of the Nikkei 225 companies, very few listed companies (18%) have implemented HSTS directives to ensure that HTTPS infrastructure is actually being used all the time.

• Version dispersion is on the right track in Japan. Only 16 companies in the Nikkei are running their own Exchange servers (rather than managed cloud instances), and of these, about 75% are running at least 1 instance of the latest supported version. That said, we did count 93 distinct versions of Apache, 75 distinct versions of Nginx, and 17 distinct versions of IIS in the Nikkei 225.
• The Japanese Technology sector stands alone in vulnerability disclosure. Nearly all of the 16 VDPs we found across the 225 surveyed companies are either in the Technology sector proper, or in tech-heavy Consumer Goods companies. So, while this is pretty good for Japanese tech, it's not great for the rest of the Japanese businesses that have not normalized VDPs for their products and infrastructure.

With these key findings in mind, the remainder of this report explores each of the 5 areas of cybersecurity measurable in the Nikkei 225.

Before you dive in, we want to note that if your organization was and/or still is impacted by those events, you may be feeling like you are spending most of your time and energy dealing with emergencies rather than being able to focus on some of the more chronic issues outlined in this report. Since our goal is to help organizations become (and remain) safe and resilient, we have an appendix just for you. Consider jumping there first before tackling the sections below.

• ¹ https://indexes.nikkei.co.jp/en/nkave/index?type=index
• ² https://www.rapid7.com/research/report/2021-industry-cyber-exposure-report/
• ³ https://www.rapid7.com/research/reports/2021-industry-cyber-exposure-report-uk
• ⁴ https://www.rapid7.com/research/report/2021-industry-cyber-exposure-report-anz/
• ⁵https://www.deutsche-boerse-cash-market.com/dbcm-en/instruments-statistics/statistics/listes-companies