Nissin Foods Group building cutting-edge security with a small IT team, Zero Trust, and cybersecurity hygiene

Digital transformation aimed at 200 percent productivity improvement

Based on the medium- and long-term growth strategy it started in fiscal 2021 and the fiftieth anniversary of the launch of its flagship product, Cup Noodles, the Nissin Foods Group is working on three growth strategy themes to realize its vision. For the first theme of improving value, the Group promotes its enhanced cash-generation capacity in existing business to pursue sustainable growth while altering its profit portfolio significantly. For the second theme of value sustainability, the Group focuses on its environmental strategy, Earth Food Challenge 2030, to address effective utilization of finite resources and mitigation of its impact on climate change. For the third theme of making a leap in value, the Group is working on promoting new businesses to pursue foods of the future through collaboration with the food science field. All three of these growth strategy themes demand creative thinking that’s not limited by precedents. This creative thinking must also be applied to the use of IT in supporting the Group’s everyday business, allowing it to deploy measures to stay ahead of the curve.

In its Future Office Project started in 2014, the Group adopted Microsoft 365 (Office 365 at that time) as the communication infrastructure for its offices, in addition to easy-to-carry Microsoft Surface devices. The Group aims to achieve digital workplaces that enable an IT environment that’s comfortable, highly secure, creative, and easy to work anywhere. The Group’s preparations for the 2020 Tokyo Olympic Games turned out to be a key element that helped the Group establish a remote work structure during the COVID-19 crisis, which now serves as the foundation of its hybrid work system structure.

Additionally, the Group proceeded with its Legacy System Termination Project, eliminating mainframes by migrating its enterprise resource planning systems to Microsoft Azure. The Group also thoroughly reorganized its old siloed systems that were locked in different groups, achieving more than an 80 percent reduction of its business systems. The maintenance cost, which was previously nearly 90 percent of the Group’s IT budget, was reduced to approximately 60 percent, resulting in new value-creation outcomes.

In 2014, people were still suspicious about the safety of the cloud. Keita Nakano, Deputy Chief of the Information Planning Department at Nissin Foods Holdings, Inc. (at the time of the interview) describes why the company could decide to deploy the cloud at a large scale amid such skepticism. “The progress of IT is remarkable, and only a handful of people in the world know everything about technology,” he says. “If you think that way, it’s obviously very difficult to manage and control information security without any hardware problems or attacks from outside when we operate servers and networks on our own. In that regard, cloud service providers including Microsoft have a vast knowledge of cyberattacks and offer reliable services and the latest security measures. We concluded that it would be much safer and more productive for us to understand and enjoy cloud services like Microsoft 365 and Microsoft Azure rather than taking the risks in maintaining our own systems.”

Another factor that informed the Nissin Foods Group’s quick decision making was that it had already built Nissin Zero Trust Architecture under the leadership of Teruhiko Iwashita, Section Chief of the Information Planning Division and Information Process Safety Ensuring Assistant Officer at Nissin Foods Holdings Co., Ltd., between 2018 and 2019, and implemented a Zero Trust security framework, a new security concept for the cloud era. “What we were working on in the Future Office Project was to build an IT environment with very high productivity in which we ourselves would want to work,” recalls Iwashita. “I considered how we could ensure the security for such an attractive environment, and we designed our own Zero Trust security architecture.”

Safeguarding approximately 48,000 user IDs across domestic and overseas companies

Based on its Nissin Zero Trust Architecture, the Zero Trust strategy at Nissin Foods Holdings Co., Ltd. continues to evolve steadily. Iwashita recalls that the first key point was the company’s 2019 deployment of Microsoft Defender for Office 365 to protect against email-based attacks. “When we think about measures against targeted attacks, what we should be focused on is the potential attack route through the email system,” he says. “So, we deployed Defender for Office 365 to enhance our email security, and we were successful in preventing business email fraud, a fraud in which an attacker impersonates as the business owner of the target company, which was one of the major attack methods at the time.”

The next turning point was enhancement of device security with a combination of Microsoft Defender for Endpoint and a security operations center (SOC) provided by an external IT partner. In 2020, Nissin Foods Holdings, Inc. decided to halt approximately 3,000 of its employees from coming to work as of February 26, the early stage of COVID-19 in the country. The move to telecommuting all at once required a highly secure and reliable environment to enable strong device security. “Besides the security measures at the entry point provided by Defender for Office 365, measures to address devices infected by malware and viruses are also essential,” explains Iwashita. “We then deployed Defender for Endpoint to enable AI-based device monitoring utilizing Microsoft’s vast amount of knowledge. However, the volume of alerts from 3,000 users’ devices is quite significant, which includes overdetection and false positives. So, it was difficult for our Information Planning Department to analyze the detected contents, make decisions, and continue or restore business operations. We turned to an external SOC that offers continuous monitoring and advanced analysis and response measures, which allows us to troubleshoot problems with less user downtime.”

Adds Iwashita, “We’ve successfully protected our systems from Emotet, one of the major malware strains these days, thanks to measures based on Defender for Office 365 and Defender for Endpoint. The first wave of Emotet attacks took place between August and October 2020, followed by the second and third waves. As of March 2022, we received many attack emails—five times greater than in the first wave—but haven’t experienced any damage so far.” The measures enabled by Defender for Office 365 and Defender for Endpoint demonstrated clear and recognizable effectiveness. “So, we were ready to move forward with a more comprehensive security strategy through Microsoft 365 E5 Security. We procured Microsoft Defender for Office 365 and Microsoft Defender for Endpoint separately, but we could create a proposal with solid reasons for a Microsoft 365 E5 Security contract by providing clear results how they prevented the attacks we actually had.”

“The main point of our Zero Trust security plan is to suspect, verify, and determine who (ID), what (device), and from where (network),” continues Iwashita. “Because devices and networks have their own IDs, we put Azure Active Directory (part of Microsoft Entra) at the center of the authentication foundation of our Zero Trust security strategy.”

Accelerating security enhancements for the entire group by involving management

The Nissin Foods Group has been evolving its Zero Trust security strategy through a phased approach. What’s surprising is that the Information Planning Department, consisting of only three members, has realized the entire Group’s security measures from 2014 to 2021. “We don’t have significant budget or resources,” explains Iwashita. “When we deployed Microsoft 365 as a communications platform in 2014, it only covered 1,800 users across five domestic companies. In 2022, approximately 5,000 users across 24 domestic and overseas companies are using Microsoft 365. Few organizations are capable of managing so many user accounts with only three security staff. I often hear people at IS departments at other companies say, ‘We can’t do it because we don’t have the budget or enough resources.’ I think the branching point is whether you consider how to achieve a goal and make a first step toward it or simply give up.”

Adds Nakano, “The company’s unique corporate culture played a major role to enable this advanced information security with only three non-dedicated security staff.” A good example of this is how the management guidelines were clarified for the Nissin Foods Group’s information security. In accordance with the “Cybersecurity Management Guidelines” by the Ministry of Economy, Trade and Industry, the company’s management reported “Three principles which management needs to recognize” (see below) to the Executive Committee. “We simply applied the recommendations of the Ministry of Economy, Trade and Industry to the context of the Nissin Foods Group, but we weren’t fully sure if it worked. As a result, however, we’ve been able to help the stakeholders understand the ‘Three principles which management needs to recognize’ and accelerate security enhancements across the entire Group. One achievement was the launch of the Supply Chain Purification Project as part of the Nissin Foods Group’s unique DX initiative, Nissin Business Transformation, which is stated in its current medium- and long-term growth strategy. Management leadership plays a critical role to implement security measures that cover the supply chain, including business partners and contractors.”

Three principles which management needs to recognize (from the Cybersecurity Management Guidelines by the Ministry of Economy, Trade and Industry):

1. Corporate executives need to recognize cybersecurity risks and take leadership in driving cybersecurity measures.
2. Security measures need to be taken not only for the company itself but also for the supply chain, including business partners and outsourcing companies.
3. Companies need to communicate appropriately with relevant stakeholders, for example, by disclosing information on cybersecurity risks and measures in normal times and in times of emergency.
   
   

For this initiative, Nissin Foods Holdings, Inc. was selected as a digital transformation (DX)–engaged company in 2021 by the Ministry of Economy, Trade and Industry. In 2020, the company was selected as a DX Stock 2020 because of a series of initiatives, including the creation of a digital workplace for a 200 percent increase in productivity, the Legacy System Termination Project, and promotion of remote work during COVID-19. The Group has received a great deal of industry attention for two consecutive years.

Getting immediate results with cybersecurity hygiene

Although the Nissin Foods Group’s commitment to Zero Trust security is an endless journey, Iwashita stresses that it has already achieved significant results in the initiatives the Group has put into practice so far. The performance results through fiscal year 2020 (March 2021), represented by numbers, illustrate his point. “We’re not an IT company,” he says. “Moving to the cloud and promoting Zero Trust security are about contributing to the business. Our effort achieved ¥55.5 billion in value in FY20, which is more than double ¥23.9 billion in FY13. Additionally, the total annual working hours per person was reduced to 1,990 hours in FY20, 207 hours less in comparison with 2,197 hours in FY13. Based on eight working hours per day, 207 hours is more than a whole month. Such an increase in productivity is a huge achievement, indeed.”

Iwashita concludes that the company would deploy and implement “cybersecurity hygiene,” a concept that requires comprehension of all terminals' and systems' health in real time, to address any immediate vulnerabilities and maintain a healthy environment. “First, we want to create an environment at Nissin Foods Holdings to implement cybersecurity hygiene and automate various processes by strengthening coordination across the Group and by further expanding the range of AI applications,” he says. “Safety and security are the crucial elements to create our ideal IT environment with high productivity. Although it’s quite challenging to create an environment maintaining constant health of devices and systems, we continue to work toward it. We now can implement a variety of measures through our Future Office Project and Legacy System Termination Project. The Group’s complicated system environment caused by individual optimization in its long history will be a very simple system. A consistent solution enabled by Microsoft 365 and Microsoft 365 E5 Security will help us achieve that.”