HK enterprise cyber security readiness index sees largest drop since launch
The “Hong Kong Enterprise Cyber Security Readiness Index” has plummeted by 6.3 points to 47 points (maximum being 100 points) compared with last year, recording the largest drop since the launch of the index.
The survey was commissioned by the Office of the Privacy Commissioner for Personal Data (PCPD) and conducted independently by Hong Kong Productivity Council Cyber Security, with a view to assessing the readiness of local enterprises in responding to cyber security threats and gauging public awareness on topics related to privacy.
The latest survey was conducted in September 2023, interviewing 378 enterprises from six business sectors by telephone. According to the survey, both small-and-medium enterprises (SMEs) (43.6 points) and corporates (62.5 points) suffered drops of 7.1 points and 4.1 points in the index respectively.
This year, “Process Control” (68.1 points) continued to rank top among all sub-indices, categorised as “Managed” level. However, “Technology Control” (55.1 points) plunged by 11.2 points owing to fewer enterprises having patch management, as well as the reduced number of measures and solutions adopted to protect against cyber threats.
“Policy and Risk Assessment” (39.7 points) also dropped by 8.9 points to its record low as fewer enterprises conduct cyber security risk assessments. Besides, “Human Awareness Building” stayed low at 25 points.
On the other hand, close to three-quarters (73%) of the surveyed enterprises had encountered at least one type of cyber attack in the past 12 months, a further uplift of eight percentage points from last year to its record high.
The uplift was mainly due to the increased proportion of SMEs having encountered cyber attacks, resulting in a surge of 10 percentage points compared with last year. In particular, phishing attacks continued to be the most common type of cyber attack encountered by almost all of these enterprises (96%).
In addition to the major types of phishing attacks such as phishing emails (79%) and vishing (voice phishing) (35%), the survey also found that smishing (SMS phishing) (34%, +14 percentage points) and angler phishing (social media phishing) (16%, +6 percentage points) had become more common compared with last year.
In addition, emerging types of phishing attacks, namely phishing using artificial intelligence (AI) or generative AI and QR code phishing (quishing), were also recorded, at 9% and 8% respectively.
In terms of privacy awareness, the results also found that enterprises in general were aware of the risk to privacy in using emerging technologies, with corresponding average scores ranging from 2.75 to 3.06 (a score of 1 indicates no risk perceived and a score of 5 indicates very high risk perceived).
In particular, these enterprises considered the use of generative AI to carry the highest level of privacy risk, at 3.06. This was closely followed by cookies and other online trackers (3.00), cloud computing (2.92) and Internet of Things (2.83).
Meanwhile, half of the corporates (51%) have started implementing or have fully implemented a Personal Data Privacy Management Programme (PMP), but over half of the SMEs (55%) have not considered implementing a PMP.
Nearly eight in ten corporates (79%) have implemented different privacy and data security protection measures, including formulating internal policies for handling personal data, discussing and recognising the importance of a PMP at senior management meetings, establishing data breach notification mechanisms, and providing employees with privacy-related training.
Alex Chan (pictured right), general manager, digital transformation of HKPC, said, “The results of this round’s survey deserve attention. On one hand, the ‘Hong Kong Enterprise Cyber Security Readiness Index’ this year recorded the largest-ever drop since its launch. On the other hand, the severity of cyber attacks has been increasing.”
“In particular, the proportion of enterprises having encountered cyber security attacks in the past 12 months further uplifted by eight percentage points from last year to the record high at 73%, and over 90% of these enterprises suffered phishing attacks which are becoming more realistic and diverse in types. Humans are always the weakest link in cyber security, where many successful cyber attacks are caused by human negligence,” he added.
Ada Chung Lai Ling (pictured left), the privacy commissioner for personal data, said, “Protection of personal data privacy is indispensable in safeguarding cyber security. The PCPD recommends that enterprises, irrespective of their sizes, should take steps to adopt privacy and data protection measures, such as implementing Personal Data Privacy Management Programmes, developing data breach response plans and notification mechanisms and strengthening employees’ training on cyber security and their awareness, to enhance the data governance and data security of enterprises.”