Hong Kong’s Cyber Security Readiness Report

The Hong Kong Productivity Council Cyber Security (HKPC Cyber Security) and the Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) have released a study that elucidates the state of cyber security readiness and privacy awareness among enterprises in Hong Kong.

The “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” report reveals a significant and concerning 6.3-point drop in the “Hong Kong Enterprise Cyber Security Readiness Index,” marking the largest decline since its inception. This index, which measures the preparedness of enterprises to face cyber threats, now stands at 47.0 points out of a maximum of 100.

Notably, both Small-and-Medium Enterprises (SMEs) and Corporates experienced declines in their readiness, with SMEs seeing a 7.1-point drop to 43.6 points and Corporates facing a 4.1-point decrease to 62.5 points. The sub-indices contributing to this decline include “Technology Control,” which plummeted by 11.2 points to 55.1, and “Policy and Risk Assessment,” hitting a record low of 39.7 after an 8.9-point decrease. “Process Control” remains the top-performing sub-index at 68.1 points, indicating a “Managed” level of readiness.

However, the “Human Awareness Building” sub-index remains a significant area of concern, stagnant at 25 points, emphasising the critical need for improvement in employees’ cyber security awareness.

By business sector, the Financial Services sector and Information and Communications Technology (ICT) sector maintained a vigilant stance with scores of 64.9 and 63.3, respectively, categorising them as “Managed.” However, the Manufacturing, Trading, and Logistics sector experienced a substantial drop of 8.9 points to 48.6, placing it at a lower readiness level. The Retail and Tourism-related sector faced an even more significant decline, reaching 33.3 points and falling to the “Ad hoc” level.

The survey revealed that nearly three-quarters (73%) of the surveyed enterprises encountered at least one type of cyber-attack in the past 12 months, marking an 8% increase from the previous year. This surge is primarily attributed to a higher proportion of SMEs falling victim to cyber-attacks, causing a 10% increase compared to the previous year.

Phishing attacks emerged as the most common type, affecting almost all surveyed enterprises (96%). The report highlighted the evolving landscape of phishing, with smishing (SMS phishing) and angler phishing (social media phishing) gaining prevalence, showing a 14% and 6% increase, respectively.

The General Manager of Digital Transformation of HKPC expressed concern over the survey results, emphasising the urgent need to address issues such as the loosened conduct of security risk assessments, reduced efforts in patch management, and diminished adoption of measures to protect against cyber threats. He underscored the significance of improving employees’ cyber security awareness, especially in light of the persistently low score (25 points) in the “Human Awareness Building” sub-index.

In response to these findings, HKCERT launched the “All-Out Anti-Phishing” thematic webpage to provide the public with a comprehensive resource on anti-phishing, featuring the latest information and case studies to enhance situational awareness against phishing attacks.

Turning attention to the Privacy Awareness Survey, the report delves into enterprises’ awareness of protecting personal data privacy and their corresponding measures. Enterprises demonstrated awareness of privacy risks associated with emerging technologies, with Generative AI perceived as having the highest level of risk. However, it was noted that, among enterprises using these technologies, only around half provided internal guidelines to address privacy risks.

Approximately 76% of surveyed enterprises indicated little difficulty in complying with the Personal Data (Privacy) Ordinance (PDPO). While 42% claimed compliance with “no difficulty at all,” key challenges perceived by enterprises included the increasing complexity of data processing activities, lack of knowledge or education for employees, and insufficient resources.

In terms of the level of personal data privacy protection in Hong Kong, slightly over half (51%) of the surveyed enterprises held a neutral stance, while 18% considered the level of protection “sufficient” or “very sufficient.” Corporates demonstrated a greater inclination to implement privacy and data security protection measures, with 79% having implemented various measures, compared to 54% among SMEs.

The Privacy Commissioner for Personal Data highlighted the indispensability of personal data privacy protection in safeguarding cybersecurity. She recommended that enterprises, regardless of size, adopt measures such as Personal Data Privacy Management Programmes, data breach response plans, and employee training to enhance data governance and security.

To address the increasing severity of phishing attacks, HKPC Cyber Security introduced “Phishing Defence Services,” offering simulation exercises, analysis, and training based on the results of phishing drills. This initiative aims to enhance employees’ awareness and understanding of different phishing attack techniques.

In conjunction with these efforts, the PCPD launched the Data Security thematic webpage and the “Data Security Scanner” to provide enterprises with a comprehensive resource on data security. The “Data Security Scanner” is a self-assessment toolkit enabling enterprises to evaluate the adequacy of their data security measures for ICT systems.