Information security

Recognizing that threats to information security are becoming more advanced and sophisticated every year, Komatsu is promoting activities to improve information security across the entire Komatsu Group.

Given that cyberattacks have a significant impact on business, Komatsu has established the Computer Security Incident Response Team (CSIRT) to respond to this threat.

1. Risk management and its promotion

Komatsu has established and operates the CSIRT for its worldwide sites to develop and run an organizational structure for information security, including the ability to respond to cyberattacks. The role of the CSIRT is to prevent information security incidents from occurring through data gathering, various system-level measures, employee education, and so on. Should an information security incident occur, the CSIRT will take the lead in minimizing damage and restoring the impacted system as soon as possible.

The activities of the CSIRT are reported regularly to the Risk Management Committee, which manages company-wide risks. This is done to share issues with the Committee members, including the president and directors, and thus ensure appropriate operations.

2. Protection of personal data

Komatsu believes that appropriately protecting the personal data of its customers, business partners, employees and others is a social responsibility it bears. Komatsu formulates and publishes its principles for the protection of personal data. Through e-learning, internal audits and other activities, we thoroughly ensure the appropriate handling of personal data. Overseas, we adapt our efforts to protect personal data to national and regional laws, such as the EU’s General Data Protection Regulation (GDPR), and to the expectations of society.

3. System measures

Komatsu has built a multilayer defense system combining many system measures to protect information from unauthorized access, virus infection and other threats and to prevent the leakage of data resulting from these threats. For example, whenever a person accesses the system from the outside to telework, multiple required processes strictly authenticate the individual user.

4. Education and training

All Komatsu employees must take regular e-learning courses, which increase the knowledge and awareness of all employees handling data and ensure they are able to handle data properly.
To address the risk of suspicious emails, we organize multiple drills every year where employees simulate the handling of targeted email attacks. Suspicious email drills are also conducted at some affiliates both in Japan and overseas. We are working globally to raise the level of our information security.

5. Information security auditing

The information security of Komatsu Group companies is audited to increase the level of information security throughout the Komatsu Group. Komatsu employees with specialized knowledge conduct the audits and give advice to increase the effectiveness of these efforts. Conducting audits as a third party with no direct interests helps to ensure independence and impartiality.
In principle, the information security of each group company is audited every three years, and Komatsu stays updated on the status of the information security of the group companies.

6. Efforts to improve information security throughout the supply chain

Komatsu asks its employees, Komatsu Group companies, and the distributors and business partners with whom we share confidential business information to follow Komatsu’s information security principles, and we continue to support them effectively in doing so.
We also encourage our distributors and business partners to conduct periodic checks and meetings on information equipment measures and information management methods and to use our designated information security materials. These activities allow us to communicate how vital appropriate information system management is to the safe handling of confidential business information and to the achievement of stable business operations, and to reduce risks.
