HKPC Urges Enterprises to Adopt "Security by Design" to Sharpen IT Security
(Hong Kong, 22 January 2019) The Hong Kong Productivity Council (HKPC) today urged enterprises to adopt "security by design" in IT security to stem data breaches and fend off cyber attacks targeting personal and financial data.
HKPC issued the advice after its Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) reported a 55% year-on-year rise in security incident reports received in 2018, totalling 10,081. For the second successive year, Botnet cases (3,783 cases or 37%) saw the biggest surge, rising by 82%, with Malware (3,181 cases or 32%) and Phishing websites (2,101 cases or 21%) the other principal sources of the reports.
The hike was mainly attributed to the availability of one-stop attack service for criminals with lesser technology skills, lowering the entry bar for cyber attacks; and the receipt of IP addresses of infected local computers for follow up actions in the aftermath of global efforts to take down various Botnets in recent years.
Among the Malware reports, while fewer ransomware incident reports (114 cases) were recorded last year, there were still 2,426 cases of computers being infected with the Wannacry ransomware. Although these computers would no longer be encrypted by Wannacry, their existence reflected failure on the owners' part to take remedial actions.
Analysing the upcoming security trend, HKCERT expects cyber criminals to intensify their attacks against larger organisations which process more personal and financial data in order to maximise the illicit returns. Also, new applications and technologies such as mobile payment services and "Internet of Things" (IoT) devices will entice more attacks due to lower security maturity in awareness and practice.
Moreover, reports of data breaches are expected to be seen more often with the worsening trend of financially-motivated cyber crimes, continuous weak awareness in corporate risk management, and global boom of data privacy regulations, including the General Data Protection Regulation (GDPR) of the European Union, which generally make data breach notification mandatory for all organisations, irrespective of industry or size.
HKCERT urges enterprises to enhance security risk management to negate the threats. On top of not letting "time-to-market" and "convenience of use" override baseline security, they must apply "security by design" in new service and technology development. The process and technology aspects can be tightened through measures such as two-factor authentication, patching security vulnerabilities, secure configuration, reducing exposure to the Internet, and data backup. Also, enterprises should not give excess privilege to staff for convenience and should raise their security awareness. In addition, they must assess security risks arising from partners and service providers.
In the coming year, apart from stepping up its efforts to promote the "Seven Habits of Cyber Security for SMEs" guideline, HKCERT will organise security awareness briefings for those industries processing a lot of personal data, for example travel, hotel or retail industries. It will also embrace social media to disseminate up-to-the-minute security advisory and collaborate with key players in the Internet infrastructure, to promote best security practices as part of a wider effort to maintain Hong Kong as a safe Internet hub.
- Ends -