Information security
Our information security risks relate to all the valuable data we hold. This not only includes details about our customers, consumers, suppliers, and employees, but also information on our business strategy, and our engineering and experimental data, including results from research. The danger is that this important information could be stolen, leaked, or damaged in some way.
In order to minimize this risk, we are committed to continually enhancing our information security framework. We understand the importance of awareness and the role every employee can play in keeping our data safe. We ensure that our regularly updated policies and procedures are shared with and understood by employees, as education is a key component of our broader cyber defense strategy.
IT risk management
The JT Group IT Governance Policy is the top of our hierarchy of IT policies and procedures. This is the bedrock of information security governance. We operate IT controls to support relevant legal and regulatory requirements, specifically how personal and financial information is controlled and processed. IT risk and cyber security have been selected as parts of the main risks by our Board during the top down ERM in 2023. The Senior Vice President, Information Technology has managerial responsibility over the JT Group’s IT Governance systems. We take proactive initiatives by communicate with and report to our board members on a regular base.
Personal information protection
To appropriately protect and ensure the responsible use of data, handling of personal information is conducted in accordance with appropriate laws and regulations specifically as it relates to applicable data protection legislation. In addition, our internal policies set out guidelines for collection, processing, and use of personal information. Through employee awareness and protection technologies, labeling and classifying personal information have now become essential elements in controlling, tracking and protecting information.
Monitoring system
Our IT infrastructure and information security management systems are continuously monitoring to detect cyber threats. Existing security detection systems are systematically assessed by internal and external auditors, ensuring our practices meet the highest standards. As part of our continual improvement strategy to harden our security posture and adapt to an ever-changing threat landscape, we instruct third-party providers to perform vulnerability testing. Simulated cyberattacks are a valuable part of our strategy to find areas for improvement, as well as simultaneously testing our incident response procedures.
Business continuity and incident response
One of our key focus areas is ensuring continuity of critical business processes and reducing risk to financial and/or reputational damage. In the event of a disruptive incident or cyberattack, we have a robust response structure, which is based on the following aspects:
- Our IT Business Continuity Policy describes the efforts of our IT team to support business process continuity. The most important of these processes are detailed below.
| Disaster recovery procedures and plans | Critical IT infrastructure, such as our data centers, has recovery and rehearsal procedures in place to simulate disaster scenarios. This enables us to understand how well procedures are operating and identify any areas for improvement. |
|---|---|
| IT service availability | IT controls are in place to ensure the availability of business-critical IT services in worst-case scenarios. |
| Data backup and restoration | We have efficient data backup and restoration procedures to restore business-critical data within the required timelines. Controls are also in place to protect confidential data and data integrity, in order to minimize business disruption. |
| Incident management | Robust procedures and service level agreements (SLAs) are in place in the event of an incident. Clear investigation and incident post-mortem processes are in place. These help us to understand the root cause of such incidents and prepare for similar scenarios in the future. They also help us avoid repeating the same mistakes. |
Information security training
Our information security awareness strategy empowers our employees to be the first line of defense against cybercrime and attacks. It provides the tools and know-how they need to identify threats and take appropriate action to protect the JT Group.
The JT Group implemented a global bespoke i-secure program, which was established to promote a culture of cybersecurity awareness both at home and at work. This annual learning program is executed at 100% of our locations worldwide, and 88% of all our employees have received information security e-learning. Key behavior indicators allow us to constantly measure the effectiveness of our program. This learning initiative supplements our technological defenses against cybercrime, by ensuring that all employees understand how to better protect our information. We also pay special attention to the cybersecurity risks surrounding executives.
As we increasingly move towards the use of cloud services for data processing, we are re-evaluating risks and strengthening our security defenses. We continually assess the threat to our company using a variety of security intelligence methods. The JT Group realizes “fulfilling moments” through our evolving business operations. This will require technological advances, which in turn will bring new and complex security challenges.
It is the role and responsibility of Information Security to constantly adapt to the ever-changing technical landscape. We are making great efforts to continually improve the security of all areas of our business, with a focus on global collaboration to ensure that the best security practices and defense technologies are used across the JT Group.