In the light of the rapid development and growing popularity of emerging technologies such as artificial intelligence (AI), it is imperative to prioritise cyber security in this ever-changing digital landscape. Keeping track of the readiness of Hong Kong enterprises in responding to cyber security threats is crucial for understanding the key risks and pinpointing areas for improvement. To this end, my Office has commissioned the Hong Kong Productivity Council to conduct the “Hong Kong Enterprise Cyber Security Readiness Index and AI Security Survey 2024” (the Survey) to assess the readiness of enterprises in tackling cyber security and AI security threats.
Overview of the Survey
This year, management-level or IT officers from 442 enterprises across diverse industries were surveyed from September to October. The comprehensiveness of their security measures was assessed in the four areas of “process control”, “technology control”, “policy and risk assessment” and “human awareness building”. I am pleased to share that this year’s readiness index rises by 5.8 points, from 47.0 to 52.8 (out of 100) compared with last year, with the index for Corporates reaching an all-time high (73.1 points).
This surge is primarily driven by improvements in “policy and risk assessment” as well as “human awareness building”. Specifically, 13% more enterprises now conduct security risk assessments at the beginning of new projects and when key changes are introduced, while 9% more regularly review critical IT systems. That said, the Survey found that only one-third (35%) of the surveyed enterprises had provided cyber security awareness training for their employees, and only one-fourth (24%) had conducted drills to enhance employees’ cyber security awareness, indicating that enterprises need to bolster efforts in these two areas. Fostering cyber security is a proactive exercise. C-level management plays a pivotal role in integrating cyber security in enterprises’ strategic vision and motivating employees to prioritise this undertaking.
With day-to-day operations shifting online, potential vulnerabilities, whether owing to human errors or inherent technical flaws, can be exploited by hackers. The Survey found that nearly 70% (69%) of the surveyed enterprises had experienced at least one type of cyberattack in the past 12 months, a slight decrease of 4% year-on-year. While phishing attacks continued to be the most common type of cyberattack (98%) among these enterprises, new forms of phishing using QR codes (quishing) or AI were emerging. As technology advances, phishing attacks may be engineered in a more sophisticated way and on a much wider scale.
As with many other types of enterprises, employees at various levels of a law firm navigate the Internet and handle numerous emails each day. To avoid falling prey to phishing attacks, it is vital to provide regular training to staff members and implement robust data security measures. Ultimately, guarding against cyber security risks is a shared responsibility. Earlier this year, my Office supported the “Ethical Phishing Email Campaign 2024” organised by the Hong Kong Police Force and the Hong Kong Internet Registration Corporation Limited to raise staff awareness about suspicious emails. I strongly encourage law firms to participate in similar campaigns in future.
AI Security and Privacy Risks
Turning to the Survey’s findings on the awareness of AI security, a majority of the surveyed enterprises (69%) perceived that the use of AI in their operations would pose significant privacy concerns. Of the 21% of enterprises that had used AI in their operations, around two-thirds (65%) reported that they had implemented at least one data security measure, such as access control or data protection measures, and 61% reported that they had established a personal data breach response plan. Needless to say, as the use of AI becomes increasingly prevalent, enterprises should implement adequate data security measures and ensure that their use of AI remains compliant with the law.
On this note, I advise enterprises to refer to the “Artificial Intelligence: Model Personal Data Protection Framework” (the Model Framework) published by my Office earlier this year. Premised on general business processes, the Model Framework provides internationally well-recognised and practicable recommendations as well as best practices to assist enterprises in procuring, implementing and using AI, including generative AI, in compliance with the relevant provisions of the Personal Data (Privacy) Ordinance.
“Data Security” Package
To enhance enterprises’ capabilities in safeguarding cyber security, my Office has launched the “Data Security” Package. Upon completing a self-assessment using the “Data Security Scanner” to evaluate the adequacy of their data security measures, participating enterprises will receive free quotas for professional workshops and seminars organised by my Office. We also provide a dedicated webpage offering one-stop access to various data security resources and a “Data Security Hotline” (2110 1155).
Strengthening cyber security is a marathon, not a sprint. In the face of the evolving risks of the digital era, we must not be complacent and react only when a cyberattack hits. We must stay vigilant and be prepared at all times to protect the data in our possession.
The full report of the Survey is available at: https://www.pcpd.org.hk/english/resources_centre/publications/surveys/files/AISecuritySurvey2024.pdf