The Hong Kong Productivity Council (HKPC) today (25 April 2018) released the results of the inaugural “SSH Hong Kong Enterprise Cyber Security Readiness Index Survey”, which reports an Overall Index of 45.6 (out of a maximum of 100). This indicates that while Hong Kong companies apprehend the need to ensure business continuity in case of cyber attacks and have applied consistent IT security measures, there is still room for improvement in security management and in proactiveness to combat new cyber threats.
Conducted independently by HKPC, sponsored by enterprise cyber security solutions provider SSH Communications Security, and supported by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) of HKPC, the survey assesses the readiness of Hong Kong companies in tackling today’s cyber threats. The Overall Index comprises four areas, including the comprehensiveness of ‘security risk assessment’, ‘technology controls’, ‘process controls’ and ‘human awareness’ of the enterprises in securing their critical IT systems. In this survey, telephone interviews with 350 enterprises from six industry sectors were conducted in March 2018.
The survey found that none of the four component sub-indices was above the desired security readiness mark of 60, and those for ‘technology controls’ (36.9) and ‘human awareness’ (38.8) were even below the acceptable mark of 40. In terms of industry sectors, Financial Services (60.5) was the most vigilant while Retail/Tourism-related (41.9) and Manufacturing/Trading/Logistics (41.3) came bottom of the list.
The survey also found that 26% of the respondents had encountered external cyber attacks in the past 12 months, with ransomware (52%), phishing email (49%) and CEO scam (35%) being the top three types of attacks they experienced.
The respondents were also surveyed on the use of credential management to secure their operations. Credentials such as passwords, encryption keys and digital certificates are information used to authenticate a user or device to access network services. Although 70% of the respondents regarded credential management as important, over 60% felt that a lack of responsive management and fine-grained control had made it less effective.
In addition, 43% of the respondents plan to enhance cyber security in the coming 12 months, with system and network security solutions, endpoint security, cyber security training, threat detection technology and cyber threat intelligence being the top five areas of their investment.
Mr Wilson Wong, General Manager (IT) of HKPC, said, “In the last year we have seen cyber criminals exploiting software update mechanism in the upstream of supply chain to bypass enterprises’ defenses. Growing integration in the supply chain such as in Fintech and smart manufacturing might be the next attack target. To this end, HKCERT has recently published a security guideline on understanding and tackling supply chain attacks for the industries to prepare better in this area.”
Mr Wong advised that enterprises should conduct thorough cyber security risk assessment of partners who will connect to the enterprises’ IT infrastructure and impose strict access controls to enhance management of third party risks. Also, they are encouraged to apply cyber threat detection technologies and collaborate with industry peers in sharing cyber threat information. In addition, cyber security awareness training should be provided for all staff with regular security drills being held to keep everyone alert.
* * *
25 April 2018