HK cybersecurity improves but more needs to be done

Marcus Lum

Hong Kong enterprises' cybersecurity readiness slightly improved from last year but still leaves much to be desired, the Office of the Privacy Commissioner for Personal Data revealed yesterday.

The office commissioned the Hong Kong Productivity Council to survey 442 local companies from September to October and found the Hong Kong Enterprise Cyber Security Readiness Index increased by 5.8 percent to 52.8 points out of a maximum 100.

But numbers remained at a "basic level" - the middle of the index's five levels: anticipated, managed, basic, ad hoc and unaware.

The index considers four areas: policy and risk assessment, technology control, process control and human awareness building.

The office said Hong Kong companies did best in process control, up 2.8 points for a "managed" rating.

Technology control and policy and risk assessment also improved to "basic."

Human awareness building did see an improvement but still remains at "ad-hoc" since 2018.

The survey found that only 35 percent of enterprises had provided cybersecurity awareness training and only 24 percent had conducted drills to enhance cybersecurity awareness.

Productivity Council general manager of digital transformation Alex Chan Chung-man said: "Enterprises should enhance their employees' cybersecurity awareness from multiple aspects, including conducting annual cybersecurity awareness training to update their knowledge on the latest trends."

The survey also found that 71 percent of enterprises had experienced at least one type of cyberattack in the past 12 months, down four percent from last year but still higher than in 2022.

Phishing attacks continue to be the most common with 98 percent of enterprises encountering them this year, up two percent year-on-year.

Chan said the government and various organizations also have numerous funding schemes for enhancing cybersecurity, allowing small and medium enterprises to acquire relevant facilities and software for basic system protection even with limited investment.

"The greater the risks, the greater the need for cybersecurity," he added.

Privacy Commissioner Ada Chung Lai-ling said her office has focused on the use of artificial intelligence by enterprises and security measures that they have implemented.

The watchdog found 21 percent of enterprises had been using AI in their operations, with a higher adoption rate among large-scale corporations in excess of 40 percent.

"Enterprises of all sizes have the responsibility to implement data security measures to safeguard personal data privacy while leveraging AI technologies," Chung said.

She also suggested enterprises refer to the office's Artificial Intelligence: Model Personal Data Protection Framework to ensure compliance with the Personal Data Ordinance.