HK enterprises score low on cyber security readiness

The Hong Kong Productivity Council has released the results of its first SSH Hong Kong Enterprise Cyber Security Readiness Index, showing that Hong Kong enterprises have a long way to go to improve their security posture.

The survey, conducted by HKPC and its Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) and sponsored by SSH Communications Security, gave Hong Kong enterprises an overall score of just 45.6 out of a maximum of 100.

None of the four sub-indices – covering security risk assessment, technology controls, process controls, and human awareness – were above the desired security readiness mark of 60.

The indices of technology controls (36.9) and human awareness (38.8) even fell below the 40 mark, designated an acceptable score.

“On the technology controls front, many enterprises, particularly SMEs, installed basic security solutions only, such as antivirus software and firewalls,” said Leung Siu-Cheong, senior consultant, HKCERT of HKPC. “Most SMEs have not deployed advanced cyber security like threat detection technology and cyber threat intelligence.”

Total scores, meanwhile, varied by industry: financial services (60.5) was the most vigilant, while manufacturing, trading and logistics (41.3) and retail and tourism (41.9) scored at the bottom of the list.

The survey also found that 26% of respondents had encountered cyber attacks in the past 12 months. Ransomware (52%), phishing emails (49%) and business email compromise – also known as CEO scams (35%) – were the top three attack types.

Furthermore, while 70% of respondents regard management of credentials such as passwords, encryption keys and digital certificates as important for ensuring security, over 60% believe that a lack of responsive management has made these credentials less effective.

The good news is that 43% of respondents to the survey plan to enhance cyber security in the next 12 months. These companies are focusing their investments on system and network security, endpoint security, cybersecurity training, threat detection technology, and cyber threat intelligence.

“In the last year we have seen cyber criminals exploiting the software update mechanism in the upstream of the supply chain to bypass enterprises’ defenses. Growing integration in the supply chain such as in fintech and smart manufacturing might be the next attack target,” HKPC general manager for IT Wilson Wong said.

“To this end, HKCERT has recently published a security guideline on understanding and tackling supply chain attacks for the industries to prepare better in this area.”

Wong urged Hong Kong enterprises to conduct thorough cyber security risk assessments of partners who will connect to the enterprises’ IT infrastructure, impose strict access controls to enhance management of third-party risks, enhance cyber threat information sharing and conduct regular cybersecurity training and drills.

Wong also noted HKPC will collaborate with the Office of the Government Chief Information Officer (OGCIO) in cyber security information sharing. Details will be announced in due course.