PCPD and HKPC Jointly Release “Hong Kong Enterprise Cyber Security Readiness Index” Rises by 5.8 Points Approaching the Level in Year 2022 “Human Awareness Building” Remains at Low Levels
Date: 21 November 2024
The Office of the Privacy Commissioner for Personal Data, Hong Kong (PCPD) and the Hong Kong Productivity Council (HKPC) jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and AI Security” survey today. The “Hong Kong Enterprise Cyber Security Readiness Index” has increased by 5.8 points to 52.8 points (out of a maximum of 100) compared with last year, approaching the level in 2022. However, it remains at the “Basic” level[1], indicating that there is still significant room for improvement for enterprises.
Both Small-and-Medium Enterprises (SMEs) (48.4 points) and Corporates (73.1 points) recorded increases, up by 4.8 points and 10.6 points respectively, with the index for Corporates reaching an all-time high.
Hong Kong Enterprise Cyber Security Readiness Index
The “Hong Kong Enterprise Cyber Security Readiness Index” comprises four areas: “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”. This year, “Process Control” (70.9 points) rose slightly by 2.8 points, continues to rank first among the sub-indices, and is categorised at the “Managed” level. This sub-index has shown an upward trend, rising from 57.3 points in 2018 to 70.9 points this year. Similarly, “Technology Control” (57.3 points) increased slightly by 2.2 points compared with last year; it has risen from 36.9 points in 2018, when it was at the “Ad-hoc” level, to 57.3 points, reaching the “Basic” level. “Policy and Risk Assessment” (52.1 points) recorded a significant rebound of 12.4 points this year, returning to the “Basic” level. “Human Awareness Building” increased by 5.7 points to 30.9 points this year, but has remained at the “Ad-hoc” level since 2018. The survey found that only about one-third (35%) of the surveyed enterprises had provided cyber security awareness training for their employees, and only about one-quarter (24%) had conducted drills to enhance employees’ cyber security awareness, indicating that enterprises need to bolster their efforts in these two areas.
By business sector, the Financial Services sector (68.3 points) remains at the “Managed” level. Although the indices for the Retail and Tourism-related sector (45.3 points, +12.0 points) and the Professional Services sector (46.0 points, +2.5 points) increased, they remain the business categories with the lowest indices, both still below the 50-point threshold.
The survey also found that nearly 70% (69%) of the surveyed enterprises had experienced at least one type of cyberattack in the past 12 months, a slight decrease of four percentage points from last year, though the incidence is still higher than in 2022 (65%). The decrease is mainly due to a reduction in the percentage of SMEs experiencing cyberattacks, which dropped by four percentage points compared with last year. Nonetheless, over 70% (71%) of Corporates still experienced cyberattacks, similar to the figure last year. Among the enterprises that were attacked, phishing continues to be the most common type of cyberattack, with 98% encountering such attacks this year, an increase of two percentage points year-on-year. In addition to common forms of phishing such as phishing emails (79%) and online advertisements impersonating other organisations (42%), the survey also found that smishing (SMS phishing) (38%, +4 percentage points) had become more common compared with last year.
General Manager, Digital Transformation of HKPC, Mr Alex CHAN, said, “Although this year’s index rebounds, it remains at the ‘Basic’ level. The improvement is primarily due to more enterprises conducting cyber security risk assessments this year and engaging third-party assessors to evaluate their IT systems. Additionally, ‘Human Awareness Building’ still needs to be strengthened. The lack of awareness among employees could potentially become one of the biggest vulnerabilities in an enterprise’s cyber security. Enterprises should enhance their employees’ cyber security awareness from multiple aspects, including conducting annual cyber security awareness training for all employees to update their knowledge of the latest cyber security trends. The training content should also be tailored to the roles of the personnel. Furthermore, enterprises need to conduct regular phishing tests and cyber security drills to monitor and address weaker areas. SMEs should also take into account the extent of their risk exposure when considering enhancing their cyber security levels: the higher the risks they need to bear, the higher the level of cyber security they should achieve. On the other hand, nearly 70% of the surveyed enterprises have encountered at least one type of cyberattack in the past 12 months, with over 90% reporting phishing attacks, a figure similar to last year. According to the incident report figures compiled by the Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT), the total number of security incidents handled by HKCERT from January to October 2024 reached 10,020, surpassing the total number of incidents in 2023 and setting a new record. HKCERT also received reports of 35,379 phishing websites, an increase of 127% compared to 2023, with phishing attack reports accounting for 62.22%[2] of all cyber security incidents. In response, HKPC strongly recommends that enterprises enhance regular employee education and training. In addition to improving employees’ cyber security awareness, enterprises can also refer to the ‘Incident Response Guideline for SMEs’ launched by HKCERT to develop a cyber security incident response plan and conduct regular security audits to identify and rectify potential security vulnerabilities.”
Artificial Intelligence (AI) Security and Privacy Risks Survey
The thematic survey this year examined the use of AI by the surveyed enterprises and the security measures they have implemented. The survey results revealed that nearly 70% (69%) of enterprises believe that using AI in their operations poses significant privacy risks. Overall, around one-fifth (21%) of enterprises currently use AI in their operations, with a higher adoption rate among Corporates, exceeding 40% (43%).
Among enterprises that use AI in their operations, around two-thirds (65%) have implemented at least one data security measure, with the proportion even higher among Corporates, at close to 80% (79%). This suggests that Corporates place greater emphasis than SMEs on securing the data handled by their AI tools.
The most commonly adopted data security measures are “access control” (41%) and data protection measures such as data encryption and anonymisation of personal data (39%). However, fewer enterprises deploy security measures specifically designed to defend against adversarial machine learning attacks (14%) or set up AI-related security alerts (13%).
Additionally, three-quarters (75%) of enterprises that use AI in their operations reported that they would not provide data to third parties when using AI. Among those that would, the majority share only publicly available data (14%) or anonymised and aggregated data (8%), indicating that enterprises adopt a cautious approach when handling data.
Regarding incident response plans for personal data breaches, although over 60% (61%) of enterprises that use AI in their operations have established such plans, fewer than 20% (16%) of those plans specifically address AI-related incidents.
The survey also found that Corporates have been more proactive than SMEs in providing AI-related training and developing policies on AI security risks.
Among the enterprises using AI in their operations, over 80% (82%) of Corporates are currently offering or planning to offer AI-related training for their employees, and over 70% (74%) have developed or are planning to develop policies regarding AI security risks. In contrast, only about half of the SMEs (52% and 45%, respectively) have taken these steps. In addition, fewer than 20% (17%) of the surveyed SMEs plan to increase their use of AI technologies to enhance data security and cyber security in the next 12 months, whereas over 40% (46%) of Corporates have such plans.
The Privacy Commissioner for Personal Data (Privacy Commissioner), Ms Ada CHUNG Lai-ling, said, “The PCPD has been actively promoting data security protection. The ‘Hong Kong Enterprise Cyber Security Readiness Index’ rises by 5.8 points this year compared with last year, with the index for Corporates reaching an all-time high. AI security is one of the major areas of national security. As the use of AI has become increasingly prevalent, the privacy risks and data security brought by AI cannot be overlooked. Enterprises of all sizes have the responsibility to implement data security measures to safeguard personal data privacy while leveraging AI technologies. The PCPD encourages enterprises to make reference to the ‘Artificial Intelligence: Model Personal Data Protection Framework’ published by the PCPD to ensure compliance with the relevant requirements of the Personal Data (Privacy) Ordinance when they procure, implement and use AI, and to enhance data security.”
The survey was commissioned by the PCPD and conducted independently by HKPC, with a view to assessing the readiness of local enterprises in responding to cyber security threats and AI security risks, as well as gauging public opinion on topics related to privacy. The latest survey was conducted from September to October 2024, with 442 enterprises from six business sectors[3] interviewed by telephone.
The survey report “Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey 2024” is available for download.
PCPD and HKPC Jointly Launch “Data Security Training Series for SMEs”
To help SMEs enhance their data security, the PCPD and HKPC will jointly roll out the Data Security Training Series in 2025. The series will cover topics including: (i) lessons from data breach cases in recent years; (ii) recommended data security measures; and (iii) how to prevent and handle a data breach incident.
PCPD Launches “Data Security” Package
To strengthen the capabilities of schools, NGOs and SMEs in safeguarding data security and cyber security, the PCPD has launched the “Data Security” Package. Participating organisations will receive five free quotas to join professional workshops and seminars organised by the PCPD upon completion of a free assessment by the “Data Security Scanner”, which assesses the adequacy of their data security measures. In addition, the PCPD has launched a thematic webpage on data security and the “Data Security Hotline” 2110 1155 to provide relevant information and assistance. Interested schools, NGOs and SMEs are welcome to obtain further information by emailing training@pcpd.org.hk.
HKPC Launches “Phishing Defence Services”
HKPC continues to enhance its diverse services and support for SMEs, aiming to improve their cyber security awareness and defensive capabilities. To enhance employees’ cyber security awareness and to help them understand different types of phishing attacks and the techniques involved, HKPC has launched its “Phishing Defence Services”. In addition to designing phishing campaigns or scenarios and conducting phishing drills, the service also includes analysis and training based on the results of the drills. The latest attacks are simulated during the drill exercise, allowing participants to better understand the latest developments in, and techniques used by, phishing attacks.
Visit HKPC’s “Phishing Defence Services” for more details: https://www.hkpc.org/en/our-services/digital-transformation/cyber-security/phishing-defence-services
The Privacy Commissioner, Ms Ada CHUNG Lai-ling (left), and General Manager, Digital Transformation Division of HKPC, Mr Alex CHAN (right), jointly released the results of the “Hong Kong Enterprise Cyber Security Readiness Index and AI Security” survey report.
The Privacy Commissioner, Ms Ada CHUNG Lai-ling, introduced the survey results on AI security and privacy risks.
General Manager, Digital Transformation Division of HKPC, Mr Alex CHAN, pointed out that although this year’s “Hong Kong Enterprise Cyber Security Readiness Index” rebounds, it remains at the ‘Basic’ level.
- Ends -
[1] The Index is categorised into five levels, ranked from high to low as “Anticipated” (80-100), “Managed” (60-79), “Basic” (40-59), “Ad-hoc” (20-39) and “Unaware” (0-19).
[2] Source: HKCERT
[3] The six business sectors covered in this survey are “Retail and Tourism Related”, “Manufacturing, Trading and Logistics”, “Non-Governmental Organisations, Schools and Others”, “Financial Services”, “Professional Services” and “Information and Communications Technology”.