The “Hong Kong Enterprise Cyber Security Readiness Index” this year recorded its largest decline since the index was established. (Guo Weili/The Epoch Times)
[The Epoch Times, November 15, 2023] (Reported by Epoch Times reporter Zeng Xiaoxun in Hong Kong) The Office of the Privacy Commissioner of Hong Kong and the Hong Kong Productivity Council yesterday announced the results of the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness” survey report. On a scale where 100 points is the highest score, this year’s “Hong Kong Enterprise Cyber Security Readiness Index” recorded 47 points, a decrease of 6.3 points from last year and the largest decline since the index was established.
The “Hong Kong Enterprise Cyber Security Readiness Index” consists of four categories: “Security Policy Risk Assessment”, “Technical Control”, “Process Control” and “Building Employee Awareness”. This year, “Process Control” (68.1 points) continues to rank first among the sub-indices and is at the “management ability” level. However, “Technical Control” (55.1 points) dropped sharply by 11.2 points, as fewer companies carried out system security patch management and companies also took fewer cyber threat defense measures. “Security Policy Risk Assessment” (39.7 points) also fell sharply: as fewer companies conducted network security risk assessments, it fell 8.9 points to an all-time low. In addition, “Building Employee Awareness” remains at a low of 25 points and continues to be an area worthy of attention.
By industry, the financial services industry (64.9 points) and the information and communications technology industry (63.3 points) both remain at the “manageable” level. Of the two, the information and communications technology industry is the only industry to record index growth this year. On the other hand, manufacturing, trade and logistics (48.6 points) and retail and tourism-related industries (33.3 points) recorded larger declines, falling 8.9 points and 12.5 points respectively, with the latter even falling to the “inconsistent measures” level.
The number of companies that have experienced cyber security attacks increased by 8% compared with last year
The survey also found that 73% of the companies surveyed had suffered at least one type of cyber security attack in the past 12 months, an increase of 8% from a similar survey last year and an all-time high. The increase is mainly due to more small and medium-sized enterprises suffering cyber security attacks, up 10% from the same period last year. Among them, phishing attacks continue to be the most common type of cyber attack, experienced by almost all relevant enterprises (96%), followed by phishing emails (79%) and phishing phone calls (35%). In addition, the survey found that phishing text messages (34%) and social media phishing (16%) were also more common than last year, increasing by 14 and 6 percentage points respectively. Emerging phishing attacks that use artificial intelligence (AI) or generative AI, and those that use QR codes, also recorded 9% and 8% respectively.
Chen Zhongwen, general manager of the Digital Transformation Department of the Productivity Council, said that the results of this survey are worthy of attention. The “Hong Kong Enterprise Cyber Security Readiness Index” has reached a new low, and the main reason is that enterprises have been lax in “cyber security risk assessment”. In addition, “Building Employee Awareness” continues to hover at a low of 25 points, which also reflects the urgent need to improve employees’ cyber security awareness. The Productivity Council strongly recommends increasing investments in cyber risk assessment, security system management, and cyber threat defense, and also strengthening employees’ cyber security awareness.
This year’s survey also covered companies’ awareness of privacy. It found that 76% of the companies surveyed had no difficulty in complying with the Privacy Ordinance, but that companies consider “data processing is becoming increasingly complex”, “lack of employee knowledge or education” and “insufficient resources” to be the three major challenges in complying with the Privacy Ordinance. In addition, large enterprises are more likely to implement or adopt different measures to protect privacy and data: nearly 80% of large enterprises have implemented relevant measures, compared with only 54% of small and medium-sized enterprises.
Personal Data Privacy Commissioner Chung Liling recommended that companies, regardless of size, should take measures to protect personal data privacy, such as implementing privacy management systems, formulating personal data leakage contingency plans and reporting mechanisms, strengthening employee training and network security awareness, and strengthening data protection, security and governance.
Editor in charge: Chen Zhen