“SSH Hong Kong Enterprise Cyber Security Readiness Index Survey” Up 3.7 Points to 49.3 - Low Human Awareness Keeps Enterprises Short on Cyber Security Readiness
(Hong Kong, 10 April, 2019) The Hong Kong Productivity Council (HKPC) released the latest results of the “SSH Hong Kong Enterprise Cyber Security Readiness Index Survey”, which reports an Overall Index at 49.3 (maximum being 100), a slight increase of 3.7 from the inaugural survey last year - indicating that while Hong Kong companies have applied more resources to tackle cyber attacks and ensure business continuity, there are still rooms for improvement in security management, staff awareness and proactiveness in order to combat with new cyber threats.
The Overall Index comprises of four areas: “security risk assessment”, “technology control”, “process control” and “human awareness”. The survey found that only “technology control” was above the ideal security readiness mark, rising significantly from 36.9 last year to 63.4 this year. The other three sub-indices fell with “human awareness” (29.5) posting the biggest drop, even falling below the 40 acceptable mark. HKPC experts believed a lack of large scale cyber attack last year, similar to those in 2017, might have led to a drop in security awareness among enterprise personnel, waning the effectiveness to raise the cyber security for the enterprise. In terms of industry sectors, Financial Services (66) was the most vigilant while Retail/Tourism-related (44) and Manufacturing/Trading/Logistics (45.8) came bottom of the list with the same ranking as last year.
The survey also found that 41% of the respondents encountered external cyber attacks in the past 12 months, compared to 26% in the 2018 survey. Phishing (77%), ransomware (42%) and other malware and botnet (22%) were the top three types of attacks. HKPC stressed that cyber attacks rose remarkably as some hackers sold email accounts they have stolen to criminals last year.
The respondents were also surveyed on access management for internal and third party. Nearly two-thirds (63%) of respondents did not know how their companies manage third party “Privileged Access”. “Privileged Access” allows internal staff or external partners to navigate an organisation’s IT systems or networks, and perform critical IT functions. Among 31% of them who owned shared accounts with “Privileged Access”, 55% did not impose additional security measures to protect these account from abuse. HKPC experts commented that enterprises commonly ignored third party cyber security risks. In addition, 40% of respondents planned to strengthen cyber security in the coming 12 months with “system and network security solution”, “end point security” and “cyber security training” being the top 3 areas of investment for the second year running.
Mr Edmond Lai, Chief Digital Officer of HKPC, said, “Although enterprises are facing more and complex cyber attacks, the survey found that their security readiness remain a long way off the ideal level, especially in the area of staff awareness. To address the problem, HKPC has been proactive in its efforts to enhance the cyber security of the local industry. Apart from holding conferences, workshops and professional training to raise the security awareness and resilience of enterprises through its Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), HKPC also provides ‘Industry 4.0’ and ‘Enterprise 4.0’ cyber security consultancy services to help enterprise undergoing digital transformation to tackle security threats more effectively.”
Mr Lai urged enterprises to improve their cyber security through process, technology and people management. These include better management of third party’s cyber risks and formulation of policies or contract terms to regulate external partners. They must also apply appropriate security measures and impose strict access controls or even ban shared accounts with “Privileged Access”. Also, enterprises should apply advanced and automatic cyber threat detection technologies. They should share cyber threat information with industry peers and build a joint defence. In addition, cyber security awareness training should be provided to all staff with regular security drills being held to maintain vigilant.
Conducted independently by HKPC, supported by HKCERT and sponsored by enterprise cyber security solutions provider SSH Communications Security, the survey assesses the readiness of Hong Kong companies in tackling today’s cyber threats. In the latest survey, telephone interviews with 350 enterprises from six industry sectors were conducted in March 2019. The full report of the “SSH Hong Kong Enterprise Cyber Security Readiness Index Survey 2019” can be downloaded from http://u.hkpc.org/hkecsi2019.
- End -