It’s time for the government to be more proactive on cybersecurity in Hong Kong, tech experts say.
Photo: Network Box Security Operations Centre in Hong Kong. Credit to Michael Gazeley.
Neither government nor businesses in Hong Kong are prepared for a major cybersecurity breach, and faster action is needed to gear up against the catastrophic blow one could inflict on the city, according to tech experts. Out-of-date systems that leave HK weak in the face of cyberattacks have already cost SMEs billions in minor attacks, but the damage incurred by a large virus could be far worse.
Charles Mok, Chairman of LegCo’s IT panel, feels that no preparation is ever enough. “My biggest worry is that our government and public infrastructure providers are too complacent to the rapidly changing landscape of cybersecurity,” he says, “and they take things for granted that the old ways of preparedness and protection are enough. They never are.” These “old ways” Mok refers to include critical infrastructure task forces where members meet a few times a year to share threat information among a small group of companies and with the government.
Business asleep at the firewall
In 2018, more than 75% of SMEs in Hong Kong were victims of an attack, while companies and residents suffered losses of up to HK$2 billion in the year’s first nine months. Despite the extent of the damage, only a third of them reviewed their security protection, without initiating any further preventative measures.
Hong Kong businesses’ lack of updated software leaves them poorly protected and ill-prepared to handle the consequences of cyberattacks large or small. Government facilitation and a push for education on the subject are imperative to prevent the costs of an inevitable large-scale breach of Hong Kong’s cyber infrastructure.
Michael Gazeley of Network Box believes it is necessary for the government to step in and create a mandatory standard of security measures which cyber systems should meet. Otherwise, he says, people will not take the appropriate measures to protect themselves from cyberattacks. “What baffles me is [that] to block 99.9999% of recurring attacks is a matter of really just ensuring the basics,” says Mr Gazeley. If a company does not handle patching and software security updates itself, they could be outsourced to ensure that its systems are protected.
Finance: Make them do it
Joshua Chu, ONC Lawyers’ Consultant specialising in Technology Law, emphasises the importance of standardising the level of education surrounding cybersecurity. “It’s not just a campaign advertising the need for one, it’s actually a matter of education requirements.” Mr Chu then drew a comparison with existing practices within financial institutions in Hong Kong, where responsible officers have mandatory AML training requirements which are prescribed by relevant rules and regulations. Mr Chu posits that there should be similar mandatory requirements for tech-related training, especially in financial institutions, which, whilst they are the crown jewel of the city, remain very much vulnerable. He emphasised that mandatory tech training would make financial institutions much safer from cyberattacks, or at least much more prepared to respond to such incidents. Implementing such requirements would increase the public’s confidence in the integrity of the jurisdiction’s financial institutions as Hong Kong moves further into the digital age.
Whilst the issue of poorly protected systems is not a problem exclusive to Hong Kong, the SAR should nonetheless take more proactive action in order to set itself apart from the herd.
This year the Hong Kong Insurance Authority introduced a set of cybersecurity guidelines called the GL20, which will be enforced in 2020. Mr Chu noted, however, that “it is a very short guideline [but] educating the public is more important… if people aren’t even aware of them then they are just paper and words… it’s a start but it’s not sufficient.”
Dominic Wai, partner in charge of emerging technologies and financial crime practice at ONC Lawyers, further adds that whilst the Insurance Authority may not want to push too hard with the current set of guidelines, if larger incidents happen in the future “they might escalate” the GL20 to include more proactive components. All in all, it is a common consensus that the SAR government and companies should be urged to make cybersecurity a priority.
Printer: R&R Publishing Limited, Suite 705, 7F, Cheong K. Building, 84-86 Des Voeux Road, Central, Hong Kong