“Hong Kong Enterprise Cyber Security Readiness Index” Recorded the Largest-Ever Decline in 2023 Actions Required to Bolster Staff Awareness on Cyber Security
(Hong Kong, 14 November 2023) The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Hong Kong Productivity Council Cyber Security (HKPC Cyber Security) jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” survey report today. The “Hong Kong Enterprise Cyber Security Readiness Index” has dropped by 6.3 points to 47.0 points (maximum being 100 points) compared with last year, recording the largest-ever drop since the launch of the index. Both Small-and-Medium Enterprises (SMEs) (43.6 points) and Corporates (62.5 points) suffered drops of 7.1 points and 4.1 points in the index respectively.
Hong Kong Enterprise Cyber Security Readiness Index
The “Hong Kong Enterprise Cyber Security Readiness Index” comprises four areas including “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”. This year, “Process Control” (68.1 points) continued to rank top among all sub-indices, categorised as “Managed”1 level. However, “Technology Control” (55.1 points) plunged by 11.2 points owing to fewer enterprises having patch management, as well as the reduced number of measures and solutions adopted to protect against cyber threats, while “Policy and Risk Assessment” (39.7 points) also dropped by 8.9 points to its record low as fewer enterprises conduct cyber security risk assessments. Besides, “Human Awareness Building” stayed low at 25 points and continued to be an area which warrants attention.
By business sector, Financial Services sector (64.9 points) and Information and Communications Technology (ICT) sector (63.3 points) continued to be vigilant and maintained a “Managed” level, while ICT sector was the only sector registering an increment in the index this year. On the other hand, Manufacturing, Trading and Logistics sector (48.6, - 8.9 points) as well as Retail and Tourism-related sector (33.3, -12.5 points) suffered more significant drops in the index, with the latter even dropping to “Ad hoc” level.
The survey also found that close to three-quarters (73%) of the surveyed enterprises had encountered at least one type of cyber attacks in the past 12 months, a further uplift of eight percentage points from last year to its record high. The uplift was mainly due to the increased proportion of SMEs having encountered cyber attacks, resulting in a surge of 10 percentage points compared with last year. In particular, phishing attacks continued to be the most common type of cyber attack encountered by almost all of these enterprises (96%). In addition to the major types of phishing attacks such as phishing emails (79%) and vishing (voice phishing) (35%), the survey also found that smishing (SMS phishing) (34%, +14 percentage points) and angler phishing (social media phishing) (16%, +6 percentage points) had become more common compared with last year. In addition, emerging types of phishing attacks, namely phishing using artificial intelligence (AI) or Generative AI and QR Code phishing (Quishing) also recorded a 9% and 8% respectively.
General Manager, Digital Transformation of HKPC, Mr Alex CHAN, said, “The results of this round’s survey deserve attention. On one hand, the ‘Hong Kong Enterprise Cyber Security Readiness Index’ this year recorded the largest-ever drop since its launch, mainly due to the loosened conduct of ‘Security Risk Assessment’, together with the reduced efforts in ‘Patch Management’ and ‘Cyber Threats Protection’ measures adoption. In addition, ‘Human Awareness Building’ sub-index stayed low at 25 points, indicating the urgency of improving employees’ cyber security awareness. On the other hand, the severity of cyber attacks has been increasing. In particular, the proportion of enterprises having encountered cyber security attacks in the past 12 months further uplifted by eight percentage points from last year to the record high at 73%, and over 90% of these enterprises suffered phishing attacks which are becoming more realistic and diverse in types. Humans are always the weakest link in cyber security, where many successful cyber attacks are caused by human negligence. According to the incident report figures compiled by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), phishing attacks have already accounted for half of the cyber security incidents reported from January to September 20232, signifying that the severity of phishing attacks as one of the major cyber security threats. In view of the above, HKPC strongly recommends enterprises not only to increase their investments in ‘Security Risk Assessment’, ‘Patch Management’, and ‘Cyber Threats Protection’, but also to enhance employees’ cyber security awareness urgently through regular staff awareness training and cyber security drills. Enterprises can also make use of the materials in HKCERT’s recently launched ‘All-Out Anti-Phishing’ thematic page3 to conduct phishing awareness training for their employees.”
Privacy Awareness Survey
The thematic survey this year examined the awareness of protecting personal data privacy among surveyed enterprises and their corresponding measures adopted, as well as their perception towards the level of personal data privacy protection in Hong Kong. The results found that enterprises in general were aware of the risk to privacy in using emerging technologies4, with corresponding average scores ranging from 2.75 to 3.06 (a score of 1 indicates no risk perceived and a score of 5 indicates very high risk perceived5). In particular, these enterprises considered the use of Generative AI having the highest level of privacy risk at 3.06. This was closely followed by Cookies and other online trackers (3.00), cloud computing (2.92) and Internet of Things (2.83). It is worth noting that among those enterprises using these technologies (37%), only around half (48%) of them had provided internal guidelines to address the privacy risks arising from such use. The proportion of enterprises providing internal guidelines on the use of Generative AI was even lower, with only about forty percent (41%) of them having such guidelines.
The survey also found that 76% of the surveyed enterprises see no difficulty or little difficulty in complying with the Personal Data (Privacy) Ordinance (PDPO). 42% actually indicated compliance “with no difficulty at all”. On the other hand, “increasing complexity of data processing activities”, “lack of knowledge or education for employees” and “lack of resources” were the top three key challenges perceived by enterprises in complying with the PDPO. In terms of the level of personal data privacy protection in Hong Kong, slightly over half (51%) of the surveyed enterprises held a neutral stance, while 18% considered the level of protection “sufficient” or “very sufficient”.
Overall, more Corporates would implement or adopt various privacy and data security protection measures. For instance, half of the Corporates (51%) have started implementing or have fully implemented a Personal Data Privacy Management Programme (PMP), but over half of the SMEs (55%) have not considered implementing a PMP. On the other hand, nearly eight in ten Corporates (79%) have implemented different privacy and data security protection measures, including formulating internal policies for handling personal data handling, discussing and recognising the importance of a PMP at senior management meetings, establishing a data breach notification mechanism, and providing employees with privacy-related training. However, the corresponding figure was only 54% among SMEs.
The Privacy Commissioner for Personal Data, Ms Ada CHUNG Lai-ling, said, “Protection of personal data privacy is indispensable in safeguarding cyber security. The PCPD recommends that enterprises, irrespective of their sizes, should take steps to adopt privacy and data protection measures, such as implementing Personal Data Privacy Management Programmes, developing data breach response plans and notification mechanism and strengthening employees’ training on cyber security and their awareness, to enhance the data governance and data security of enterprises.”
The survey was commissioned by the PCPD and conducted independently by HKPC Cyber Security, with a view to assessing the readiness of local enterprises in responding to cyber security threats and gauging public awareness on topics related to privacy. The latest survey was conducted in September 2023, interviewing 378 enterprises from six business sectors6 by telephone.
Download the survey report “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness”:
PCPD Launches the Data Security Thematic Webpage and the “Data Security Scanner"
With the aim of providing enterprises with a one-stop access to information concerning data security and helping them to enhance their capability to protect data and comply with the requirements under the PDPO, the PCPD today launched the Data Security thematic webpage and the “Data Security Scanner” on the PCPD website, as well as the “Data Security Hotline” 2110 1155.
The Data Security thematic webpage enables enterprises to conveniently obtain information related to data security, including security alerts, latest updates on data security, information on data breach notifications, relevant requirements under the PDPO, cases, education materials and other information. Separately, the “Data Security Scanner” is a self-assessment toolkit that enables enterprises to conduct a quick and easy self-assessment on the adequacy of their data security measures for ICT systems.
Access the Data Security thematic webpage:
https://www.pcpd.org.hk/english/data_security/index.html
Access the “Data Security Scanner”:
https://www.pcpd.org.hk/Toolkit/en/
Phishing attacks have been one of the major cyber attacks encountered by the general public with increasing severity, HKCERT has launched the “All-Out Anti-Phishing” thematic webpage to provide a “one-stop” and easy-to-use information portal on anti-phishing, which includes the latest information and case studies to raise the situational awareness of the public against phishing.
Access HKCERT’s “All-Out Anti-Phishing” thematic webpage:
https://www.hkcert.org/publications/all-out-anti-phishing
To enhance employees’ cyber security awareness and to help them understand different types of phishing attacks and the techniques involved, HKPC Cyber Security has launched its “Phishing Defence Services”. In addition to designing phishing campaign/scenarios and conducting phishing drills, the service also includes the provision of analysis and training based on the results of the phishing drills. The latest attacks will be simulated during the drill exercise, allowing participants to better understand the latest developments of and techniques involved in phishing attacks.
Details of HKPC Cyber Security’s “Phishing Defence Services”:
https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing- defence-services
1 The Index is categorised into five levels, ranking from high to low as “Anticipated” (80-100), “Managed” (60-79), “Basic” (40-59), “Ad hoc” (20-39) and “Unaware” (0-19).
2 Source: HKCERT
3 “All-Out Anti-Phishing” thematic webpage: https://www.hkcert.org/publications/all-out-anti-phishing
4 The emerging technologies covered in this survey include “Generative AI”, “Data analytics and work process automation”, “Internet of Things”, Blockchain and related technology”, “Cloud computing” and “Cookies and other online trackers”.
5 Enterprises’ perceived level of risk to privacy in the use of respective emerging technologies was measured on a scale of 1 to 5, with the level of risk from low to high being “1 – no risk”, “2 – low risk”, “3 mid risk”, “4 – high risk” and “5 – very high risk”.
6 The six business sectors covered in this survey include “Financial Services”, “Retail and Tourism Related”, “Professional Services”, “Information and Communications Technology”, “Manufacturing, Trading and Logistics” and “Non-Governmental Organisations, Schools and Others”.
- Ends -
General Manager, Digital Transformation Division of HKPC, Mr Alex CHAN, pointed out that the “Hong Kong Enterprise Cyber Security Readiness Index” has dropped by 6.3 points to 47.0 points compared with last year, recording the largest-ever drop since the launch of the index.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the launching of the Data Security thematic webpage and the “Data Security Scanner” on the PCPD website, as well as the “Data Security Hotline” 2110 1155.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left), and General Manager, Digital Transformation Division of HKPC, Mr Alex CHAN (right), jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” survey report.
Share with