Hong Kong companies have demonstrated a slight increase in their overall cyber security readiness, but still have much room for improvement, according to the Hong Kong Productivity Council (HKPC).
The council's second annual SSH Hong Kong Enterprise Cyber Security Readiness Index Survey showed a 3.7 point increase from the inaugural survey last year to 49.3 out of 100.
The survey, conducted by HKPC with the support of the Hong Kong Computer Emergency Response Team (HKCERT) and sponsored by enterprise cyber security solutions provider SSH Communications Security, is designed to assess the readiness of Hong Kong companies in tackling today’s cyber threats.
The overall index comprises four areas: “security risk assessment”, “technology control”, “process control” and “human awareness”.
The survey found that only “technology control” was above the ideal security readiness mark, rising significantly from 36.9 last year to 63.4 this year. The other three sub-indices, “security risk assessment”, “process control”, and “human awareness”, all recorded a drop from last year. The “human awareness” index posted the biggest drop, decreasing from the 38.8 mark last year to 29.5 this year. It is the only index that fell below the 40 mark (the acceptable score).
“A lack of large-scale cyber attacks last year might have led to a drop in cyber security awareness training and security alerts for staff, hence a lower human awareness among Hong Kong enterprises,” said Leung Siu-Cheong, senior consultant of the digital transformation division at the HKPC.
But the survey also found that 41% of respondents encountered an external cyberattack in the past 12 months, which compares to just 26% in the 2018 survey. The top three attacks faced included phishing (77%), ransomware (42%), and botnets and malware (22%).
Meanwhile nearly two thirds of respondents (63%) did not know how their companies manage third party privileged access to their organization's IT systems or networks. And among the 31% who operated shared accounts with privileged access, the majority (55%) did not impose additional security measures to protect these accounts from abuse.
HKPC said this demonstrates how enterprises commonly ignore third party cyber security risks.
The survey also indicated that the financial sector is the most vigilant in Hong Kong, with an index score of 66. At the bottom end of the list, retail/tourism (44) and manufacturing, trading and logistics (45.8) both scored below the overall average.
“Although enterprises are facing more and complex cyber attacks, the survey found that their security readiness remains a long way off the ideal level, especially in the area of staff awareness,” HKPC chief digital officer Edmond Lai said.
“To address the problem, HKPC has been proactive in its efforts to enhance the cyber security of the local industry.”
Lai stressed the importance of enterprises improving their cyber security through process, technology and people management. This should include better management of third-party cyber risks and the formulation of policies or contract terms to regulate external partners, as well as restrictions or even bans on the sharing of accounts with privileged access outside the organization.
Organizations should also conduct regular cyber awareness training, and be willing to share cyber threat information with industry peers to formulate a joint response.