The Hong Kong Productivity Council (HKPC) released the results of the HKT Hong Kong Enterprise Cyber Security Readiness Index 2022. The Overall Index rose for the second successive year to 53.3 (out of a maximum of 100), up 3.7 from last year, surpassing 50 for the first time since the Index began in 2018. SMEs led the surge again, rising from 3.1 to 50.7. The Overall Index consists of four areas: Policy and Risk Assessment, Technology Control, Process Control, and Human Awareness Building.
In 2022, Process Control performed the best at 73.1 following a surge of 14.4, driven by improvements in both privileged access management and data backup management. However, Human Awareness Building remained an area of concern with a drop of 2.5 to 25.1.
By sector, Financial Services (65.7) continued to be the most vigilant at the Managed level, joined by Information and Communication Technology (61.1) which posted the highest increase of 8.9. Manufacturing, Trading and Logistics (57.5) also went up by 8.5.
The survey also found that nearly two-thirds (65%) of the enterprises surveyed have encountered cyber security attacks in the past 12 months, up 24 percentage points from last year. Phishing was the most common type of cyber security attack, encountered by nearly all enterprises (94%), a significant increase of 12 percentage points compared with last year. Email phishing (83%), in particular, was the most frequently used ploy, with vishing (voice phishing) (32%) and spear phishing (28%) emerging.
This year, the survey continued to explore the opinions and deployments of the surveyed enterprises on managed security services (MSS) as well as their plans to enhance cyber security. It found that nearly half (49%) of enterprises surveyed have subscribed to MSS.
Concurrently, 31% of those not using MSS currently and planning to enhance cyber security said they would consider using the service in the next 12 months. Moreover, 48% of enterprises surveyed said a lack of IT support and management staff is their biggest challenge in cyber security management, up 3 percentage points compared with last year.
Moreover, the top three most important cyber security services selected by surveyed enterprises included firewalls/internet (62%), emails (56%) and solutions on remote access (50%), of which solutions on remote access were up 6 percentage points from last year, indicating higher demand due to the pandemic and the increased adoption of flexi-work location policy.
Among those enterprises with plans to enhance their cyber security, 69% of them plan to enhance cyber security in remote access management solutions, up 16 percentage points compared with last year, reflecting that enterprises deem the provision of a secure environment in a hybrid workplace to be critically important. In addition, 57% of those enterprises with plans to enhance their cyber security would strengthen cyber security training, surging by 11 percentage points compared with 2021.
The General Manager, Digital Transformation of HKPC stated that the Overall Index continued to rise, indicating that enterprises are attaching more importance to cyber security and investing more resources in it, which is encouraging. However, he noted that staff security awareness remains the most difficult area to improve. This may be related to the continuous need to strengthen their security awareness as cyber-attacks increase in variety, volume and complexity, especially phishing attacks.
Therefore, enterprises must regularly conduct cyber security training and update the content to increase staff participation in the cyber security planning of the companies and improve their cyber security behaviours and awareness.
To help with this, the HKPC provides relevant training courses and organises various activities, as well as phishing drill services, for enterprises to enhance employees’ ability to prevent and respond to such attacks. To enhance cyber security readiness to the Managed level, Hong Kong companies must formulate a comprehensive cyber security plan, allocate appropriate resources and implement it effectively.
Meanwhile, the Head of Commercial Solutions and Marketing, Commercial Group, HKT stated that recently, enterprises have been proactively seeking to drive digital transformation, the pace of which has been further accelerated as more companies implemented hybrid and remote work arrangements during the pandemic.
As cyber-attacks grow continuously more complex, enterprises must ramp up their cyber security strategies and execution. Faced with a shortage of relevant local talent, there has been an increased demand for managed cybersecurity services.
A wide array of managed cybersecurity service providers are currently available on the market. When choosing an appropriate partner, enterprises must consider whether the service provider possesses all-around accreditation and is capable of comprehensive support, including ISO 27001 and the top professional cyber security accreditations.
It is also important for the service provider to offer 24/7 monitoring and assistance across all geographic regions and time zones and to have access to intelligence and information on the latest developments of global cyber security threats. On top of catering for large corporations, SME-targeted solutions offer greater agility in terms of operation and budget planning, which may prove more suitable for their needs.
In terms of cyber security support, local enterprises can browse HKPC’s Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) website to conduct the Check Your Cyber Security Readiness online self-assessment and download the recently published Incident Response Guideline for SMEs.
In addition, the HKPC’s cyber security consultants also provide SMEs with cyber security and privacy assessments, as well as vulnerability scanning and penetration testing services.
Conducted independently by HKPC, supported by HKCERT and sponsored by HKT, the survey assesses the readiness of Hong Kong enterprises in tackling current cyber threats. In the survey, telephone interviews with 367 enterprises covering six industry categories were conducted in September 2022.