
Newspaper Column

PCPD in Media

Safeguarding Data Security to Stay Competitive

Imagine that late on a Friday after you have left work, you realize that you left the office door open. Sweating, you rush back, conscious of the need to safeguard physical assets. However, have you ever upheld the same level of vigilance in the digital realm? In today’s cyberworld, inadequate protection of invaluable data exposes businesses to potential cyber-threats.

The data at stake includes financial records, compliance documents and sensitive personal customer information. Cyber-criminals are aware that data is the lifeblood of many organizations. A global survey in 2023 found that 94% of organizations had experienced some form of cyberattack.

Data security breaches can be extremely costly. In 2022, a cyberattack at the Australian insurer Medibank, which stemmed from one compromised account, erased AU$1.8 billion in market value in just one day. The financial costs of data breaches are also climbing, with a global average of US$4.45 million per organization in 2023, a 15% increase in three years. Company reputation and customer trust are also at stake.
 
In this article, I would like to highlight the current state of cybersecurity in Hong Kong and the importance of data security, and outline the initiatives my Office has introduced to protect companies’ digital assets.
 
The Local Cybersecurity Landscape
 
To assess the cybersecurity readiness and privacy awareness of enterprises, my Office collaborated with the Hong Kong Productivity Council to publish the “Hong Kong Enterprise Cyber Security Readiness Index and Privacy Awareness Survey 2023” in November 2023. Of the enterprises surveyed, 73% had experienced cyberattacks, including phishing attacks, in the past 12 months – a record high.
 
Phishing attacks, which deceive recipients into providing sensitive information, were the main culprit, affecting 96% of the enterprises attacked. Alarmingly, these schemes have become increasingly sophisticated. Earlier this year, a finance employee at a multinational company was deceived into transferring HK$200 million to scammers, after being tricked by an AI-generated phishing email and joining a video call that featured deepfake representations of colleagues.

The Readiness Gap and Legal Requirements 
 
Despite the threats, many companies are still unprepared to cope with cybersecurity challenges.
 
The Hong Kong Enterprise Cyber Security Readiness Index monitors cybersecurity awareness and readiness in the business sector over time. In 2023, the index fell by 6.3 points to 47.0 points (out of 100), its steepest decline to date. 
 
This readiness gap should be examined in the context of companies’ legal obligations to protect personal data that they hold. In Hong Kong, the Data Protection Principle (“DPP”) 4(1) of Schedule 1 to the Personal Data (Privacy) Ordinance (Cap. 486) (“the Ordinance”) requires a data user to take all practicable steps to ensure that any personal data held by the data user are protected against unauthorised or accidental access, processing, erasure, loss or use, having particular regard to:
 
a. the kind of data and the potential harm if unauthorised or accidental access, processing, erasure, loss or use should occur;
 
b. the physical location where the data is stored;
 
c. any security measures incorporated (whether by automated means or otherwise) into any equipment in which the data is stored;
 
d. any measures taken for ensuring the integrity, prudence, and competence of persons having access to the data; and
 
e. any measures taken for ensuring the secure transmission of the data.
 
A data user, being the person who, either alone or jointly or in common with other persons, controls the collection, holding, processing or use of personal data, is therefore under a positive duty to safeguard the security of the personal data held by it by taking all reasonably practicable steps.
 
Businesses do recognize that there are threats to personal data privacy. Our survey found that companies were aware of the risk to privacy in deploying emerging technologies such as generative AI, the Internet of Things and cloud computing, with average scores ranging from 2.75 to 3.06 (1 indicates no risk perceived and 5 indicates a very high risk perceived).
 
However, of the companies that use emerging technologies (37%), fewer than half (48%) provide internal guidelines to address privacy risks arising from such use. Notably, over half of SMEs (55%) surveyed had not considered implementing a Personal Data Privacy Management Programme. 
 
The gap in protection is obvious. In light of the increasing cyberattack risk, companies can no longer take a wait-and-see attitude. Rather, they should take proactive steps to enhance data security, which will in turn enhance their sustainability and success in an increasingly competitive business environment.

Harnessing PCPD’s Resources to Enhance Data Security
 
To protect the privacy of individuals’ personal data and safeguard data security, we recommend that companies adopt a holistic strategy encompassing three elements: prevention, diagnosis and treatment.
 
To prevent data breaches, businesses should establish a Personal Data Privacy Management Programme to ensure the responsible collection, holding, processing and use of personal data. A Data Protection Officer should also be appointed to ensure compliance with all legal and internal risk control requirements. A Data Breach Response Plan should also be in place, setting out the procedures to be followed in the event of a data breach and the data user’s strategy for identifying, containing, assessing and managing its impacts. The recommended procedures for such a plan can be found in the “Guidance on Data Breach Handling and Data Breach Notifications” (“Data Breach Guidance”) published by my Office.
 
To promote “diagnosis,” my Office launched the “Data Security Scanner” self-assessment toolkit in November 2023. By completing a questionnaire on data security, companies can assess the adequacy of their data security measures for their ICT systems and obtain advice or recommendations from my Office to enhance their data security measures and to ensure compliance with the Ordinance. 
 
In regard to “treatment” or remedial measures, after conducting the self-assessment through the Data Security Scanner, companies should note any red flags identified by the Scanner and promptly address vulnerabilities. They can refer to the “Guidance Note on Data Security Measures for Information and Communications Technology” published by my Office. This document sets out recommended measures to enhance data security and mitigate emerging threats. 
 
In the unfortunate event that your company suffers a cyberattack and leakage of personal data is suspected, we highly recommend that you notify my Office and the affected data subjects as soon as practicable. 
 
All the above resources and relevant educational or reference materials are available on our data security thematic webpage. Companies requiring further assistance can also call our data security hotline at 21101155.

Making Data Security a Priority
 
Data, including the personal data of your customers, are valuable assets in this digital era. Inaction or inertia leaves businesses vulnerable to cyberthreats. Simple steps such as strengthening password requirements or requiring multi-factor authentication for access to information systems provide additional safeguards against attacks, as do regular security risk assessments and penetration tests.
 
To quote Benjamin Franklin, “By failing to prepare, you are preparing to fail.” It is imperative that companies ensure data security while leveraging technological advancements to enhance their competitiveness and success.