For listed companies and their subsidiaries and affiliates

Start with login to feel protected

What if “PC login” was your company’s biggest blind spot in security?

1. Closing the “loopholes” of J-SOX and zero trust

In recent years, unauthorized access using stolen IDs and passwords has become the predominant pattern in cyber attacks.
According to the IPA’s 2024 report, approximately 80% of information leakage incidents in Japan are caused by misuse of authentication credentials.

In particular, relying on passwords alone to authenticate logins to core business systems and to PC terminals that can connect to the company’s internal network is no longer an adequate defense. Listed companies that are introducing zero trust security while complying with J-SOX (the internal control reporting system) are required to clearly document evidence of “who accessed which terminal, and when,” and to block unauthorized access at its root.

In this proposal, we support the strengthening of internal controls, the prevention of cyber risks, and the implementation of zero trust security through applippli-key, which introduces robust multi-factor authentication (MFA) at the time of Windows login.

2. What is applippli-key?

applippli-key is a solution that protects corporate information assets by adding multi-factor authentication at the time of PC logon.

Supported OS: Windows 10/11, Windows Server 2016 or later (Mac support planned)
Authentication method: TOTP (Google Authenticator™ / Microsoft Authenticator, etc.)
Encryption: AES-256
Price (excluding tax):
– Client license JPY 600/month (initial fee JPY 8,000)
– Server license JPY 55,000/month (initial fee JPY 100,000)
Features:
– MFA is enforced when logging on to the OS, preventing unauthorized use of in-house PCs
– Covers local environments regardless of whether SaaS has been introduced
– Easy to implement and adapts flexibly to existing network designs
– Compatible with virtual environments (on-premise/cloud)

3. Why is MFA necessary for OS login (challenges and risks)

[1] PC login can be a “loophole” in J-SOX
The access control and log collection required by J-SOX cannot function if the OS login, the first gate into the system, is breached. A terminal that anyone can log into is a serious risk to internal control.

[2] The limits of password authentication
Password authentication is vulnerable to dictionary attacks, phishing, credential reuse and similar threats, and once it is breached the result can be ransomware infection and information leaks.

[3] Loss of traceability for internal fraud and impersonation
When shared accounts or loaned PCs are used, it is unclear who actually operated the terminal, so responsibility cannot be traced. This is also a problem under J-SOX.

4. Effects of Introducing applippli-key

| Item | Before implementation | After implementation |
| --- | --- | --- |
| Authentication security | Password only; easy to break through | Reliable identity authentication with a one-time password |
| Consistency with internal controls | No logs obtained; evidence unknown | Login records obtained; can also be used for audits |
| Unauthorized access / malware | Authentication easy to break through, followed by lateral movement | Terminal intrusion blocked in advance by MFA |
| Corporate credibility | Heavy accountability burden in case of an incident | The proactive measures taken can be explained in J-SOX reporting and audits |

5. Consistency with Zero Trust and J-SOX

Designed to meet Zero Trust principles
The Zero Trust principle is to “verify all access”, and OS logins are no exception. applippli-key helps you build security that does not depend on network boundaries.

Compliance with J-SOX
Access control: MFA establishes an authentication infrastructure that ‘only the individual can operate’
Trail management: log-on history is obtained and information necessary for audits is automatically recorded
Business process development: operation responsibilities are clarified and the risk of unauthorised access is systematically reduced

6. Learning from damage cases

[Case 1] Benesse Corporation: customer information approx. 35.4 million leaked (2014)
Damage summary: A system engineer (SE) at a subcontractor extracted customer data from inside the company and sold it to a registrar. The leaked data amounted to approximately 35.4 million records, the largest leak of personal data in Japan at the time.
Cause: MFA had not been introduced. Access control and monitoring of internal business terminals were insufficient, and data was taken outside the company via USB.
Damage and impact: Extraordinary losses of approximately JPY 26 billion were recorded, including customer response costs and costs to restore trust. The share price also plummeted and public trust was severely damaged.
Lesson learned: Internal fraud is the biggest risk. The importance of technical measures in internal control (MFA, log monitoring, restrictions on taking data out) became clear.
Sources: Nikkei Shimbun (9 July 2014, etc.), Benesse IR materials

[Case 2] NTT Business Solutions: Large-scale information leak by a former temporary employee (2023)
Summary of damage: A former temporary employee illegally took customer data that was accessible in the course of his work and provided it to third parties, including external directory companies and a registrar. The amount of customer data feared to have leaked grew from the 9 million records initially announced to approximately 9.28 million customer records belonging to 69 companies.
Cause: The direct cause was internal misconduct combined with weak privileged account management. In this case the temporary employee abused administrative privileges; had multi-factor authentication (MFA) been mandatory when logging in to the system or terminal in question, and had additional authentication and approval processes been required when exercising administrative privileges, the abuse could have been detected and prevented.
Damage and impact: Possible secondary damage from the sale of the information to a registrar. This was one of the largest internal criminal-type leaks in Japan; NTT filed criminal charges against the former temporary employee involved, and notified and apologized to the affected parties.
Lesson learned: As described under the cause, if MFA or biometric authentication had been required, especially when accessing the server under an administrator account, it would have been difficult for anyone other than the account holder to log in, which would have deterred the removal of large amounts of data.
Source: NTT Business Solutions Press Release / Asahi Shimbun (October 2023)

[Case 3] Rasa Industries: Laptop theft and information leakage during an employee’s business trip abroad (2020)
Summary of damage: At Rasa Industries, a major chemical manufacturer, an employee had a briefcase containing a business laptop stolen during a business trip to Europe. The information that may have been leaked included the names, contact details and other data of approximately 3,140 employees and business partners in total.
Cause: Loss of the device through physical theft.
Damage and impact: No unauthorised use of the personal data has been confirmed to date, but a large amount of information, including that of business partners, may have been leaked outside the company.
Lesson learned: If MFA had been set up at OS login on this PC, then even if a third party had cracked the login password after the theft, the terminal could not have been accessed without the additional authentication factor, which would have significantly reduced the risk of information leakage.
Source: Security specialist media ‘Security NEXT’ / ‘CYBERGYM JAPAN’ (June 2024)

Other cases include:
– Unauthorised exfiltration of customer information by former employees of Tokyu Community (2021)
– Unauthorised sharing of customer information by seconded employees and others at four major non-life insurance companies (Sompo Japan Insurance Inc., Tokio Marine & Nichido Fire Insurance Co., etc.)
– Leakage of policyholder information due to the loss of laptop computers by employees of Nippon Parking Development (2024)

Including the cases above, there have been numerous information leaks at listed companies caused by PC loss and internal fraud.

Common points of these three cases

– The lack of MFA facilitated intrusion, spread and leakage.
– Inadequate internal control systems at companies subject to J-SOX gave rise to social and shareholder liability claims.
– Inadequate technical measures and operational rules led to extremely high, long-term costs to recover trust.

7. Summary of the proposal

Introducing applippli-key brings the following value to your company’s security regime.
– Complements and strengthens your J-SOX compliance regime by moving OS logins to MFA
– Serves as a first step into the implementation phase of zero trust security
– Prevents unauthorised access, impersonation and internal fraud
– Can be introduced and deployed while keeping the operational load on management and IT departments low

We can make a proposal starting with a PoC (proof of concept) targeting management and corporate departments first.
We hope you will consider this as part of your cyber security enhancement plan.