(Hong Kong, 10 November 2022) The Hong Kong Productivity Council (HKPC) released the results of the “HKT Hong Kong Enterprise Cyber Security Readiness Index 2022” today. The Overall Index rose for the second successive year to 53.3 (maximum being 100), up 3.7 from last year, surpassing 50 for the first time since the Index began in 2018. SMEs led the surge again, rising 3.1 to 50.7.
The Overall Index comprises four areas: “Policy and Risk Assessment”, “Technology Control”, “Process Control” and “Human Awareness Building”. This year, “Process Control” performed the best at 73.1 following a surge of 14.4 due to improvements observed in both privileged access management and data backup management. However, “Human Awareness Building” remained an area of concern with a drop of 2.5 to 25.1.
By sector, “Financial Services” (65.7) continued to be the most vigilant at the “Managed” level, joined by “Information and Communication Technology” (61.1) which posted the highest increase of 8.9. “Manufacturing, Trading and Logistics” (57.5) also went up 8.5.
The survey also found that nearly two-thirds (65%) of the enterprises surveyed have encountered cyber security attacks in the past 12 months, up 24 percentage points from last year. Phishing attacks were the most common type of cyber security attack, encountered by nearly all enterprises (94%), a significant uplift of 12 percentage points compared with last year. In particular, email phishing (83%) was the most frequently used ploy with vishing (“voice phishing”) (32%) and spear phishing (28%) emerging.
This year, the survey continued to explore the opinions and deployments of the surveyed enterprises on managed security services (MSS) as well as their plans to enhance cyber security. It found that nearly half (49%) of enterprises surveyed have subscribed to MSS. At the same time, 31% of those not using MSS currently and planning to enhance cyber security said they would consider using the service in the next 12 months. Moreover, 48% of enterprises surveyed said a lack of IT support and management staff is their biggest challenge in cyber security management, up 3 percentage points compared with last year.
In addition, the top three most important cyber security services selected by surveyed enterprises included “firewalls/internet” (62%), “emails” (56%) and “solutions on remote access” (50%), of which “solutions on remote access” was up 6 percentage points from last year, indicating higher demand due to the pandemic and the increased adoption of flexi-work location policy. Among those enterprises with plans to enhance their cyber security, 69% plan to enhance cyber security in remote access management solutions, up 16 percentage points compared with last year, reflecting that enterprises deem the provision of a secure environment in a hybrid workplace to be critically important. Also, 57% of those enterprises with plans to enhance their cyber security would strengthen cyber security training, surging by 11 percentage points compared with 2021.
Mr Alex CHAN, General Manager, Digital Transformation of HKPC, said, “The Overall Index continued to rise, indicating that enterprises are attaching more importance to cyber security and investing more resources on it which is encouraging. Yet, staff security awareness remains the most difficult area to improve. This may be related to the continuous need to strengthen their security awareness as cyber attacks increase in variety, volume and complexity, especially phishing attacks. Therefore, enterprises must regularly conduct cyber security training and update the content to increase staff participation in the cyber security planning of the companies and improve their cyber security behaviours and awareness. In this regard, the HKPC not only provides relevant training courses and organises various activities, but also provides phishing drill services for enterprises to enhance employees' ability to prevent and respond to such attacks. To enhance cyber security readiness to the “Managed” level, Hong Kong companies must formulate a comprehensive cyber security plan, allocate appropriate resources and implement it effectively.”
Mr Steve NG, Head of Commercial Solutions and Marketing, Commercial Group, HKT, said, “In recent years, enterprises have been proactively seeking to drive digital transformation, the pace of which has been further accelerated as more companies implemented hybrid and remote work arrangements during the pandemic. With cyber attacks becoming more complex than ever, enterprises need to step up their cyber security strategies and execution. Faced with a shortage of relevant local talent, there has been an increased demand for managed cyber security services. There is a wide array of managed cyber security service providers on the market. When choosing an appropriate partner, enterprises should take note of whether the service provider possesses all-round accreditation and is capable of comprehensive support, including ISO 27001 and the top professional cyber security accreditations. It is also important for the service provider to offer 24/7 monitoring and assistance across all geographic regions and time zones and to have access to intelligence and information on the latest developments of global cyber security threats. On top of catering for large corporations, SME-targeted solutions offer greater agility in terms of operation and budget planning, which may prove more suitable for their needs.”
In terms of cyber security support, local enterprises can browse HKPC’s Hong Kong Computer Emergency Response Team Coordination Centre (HKCERT) website to conduct the “Check Your Cyber Security Readiness” online self-assessment and download the recently-published “Incident Response Guideline for SMEs”. In addition, the HKPC's cyber security consultants also provide SMEs with cyber security and privacy assessments, as well as vulnerability scanning and penetration testing services.
Conducted independently by HKPC, supported by HKCERT and sponsored by HKT, the survey assesses the readiness of Hong Kong enterprises in tackling today’s cyber threats. In the survey, telephone interviews with 367 enterprises covering six industry categories were conducted in September 2022. The results of the “HKT Hong Kong Enterprise Cyber Security Readiness Index 2022” can be downloaded from here.