Record 73% of Hong Kong businesses hit by cyberattacks in past year while company readiness suffers big drop, privacy watchdog poll finds

Hong Kong’s privacy watchdog has urged businesses to devote more resources to cybersecurity after a survey found nearly three out of four companies polled had encountered attacks, the highest figure since the annual survey began in 2018.

The Office of the Privacy Commissioner for Personal Data also announced on Tuesday the launch of three new services to tackle rising cybersecurity threats, including a data security website, hotline and self-assessment electronic toolkit.

“We have been seeing an increase in the trend of cybersecurity attacks,” said Ada Chung Lai-ling, privacy commissioner for personal data. “Its imperative for all enterprises, whether it is a big corporation or SME, to devote sufficient resources to protect themselves from all these kinds of cyberattacks.”

The annual survey carried out by the office and the Hong Kong Productivity Council statutory body found 73 per cent of respondents had been hit by cybersecurity attacks in the past 12 months, up by 8 percentage points, year on year, and the highest proportion since the index was introduced in 2018.

Companies’ overall preparedness had fallen to 47 from 53.3, out of a scale of 100, and the biggest drop on record.

The survey, carried out in September, queried 378 companies across six sectors, with those in retail and tourism scoring 33.3 in terms of overall preparedness, a 12.5 point drop from last year, and the lowest of all types of business polled. Financial services scored the highest, at 64.9.

The privacy office said the drop was mainly caused by worsened “technology controls”, such as improper management of software security patches, as well as a decline in the number of companies carrying out security risk assessments.

CEO of Hong Kong’s Cyberport to step down, sparking search for new boss

Chung said staff awareness of the risks was a cause for concern, noting it remained the lowest scoring category at 25.2 – nearly unchanged from last year.

Cyber threats such as phishing scams were growing in sophistication owing to the emerging use of generative artificial intelligence and QR codes, making staff vigilance even more critical, she said.

According to the findings, 96 per cent of companies that reported being victims of cybersecurity attacks were affected by phishing scams – where the attackers trick users by using fake email accounts or other deceptive means.

“Awareness has to be enhanced,” Chung said, adding such attacks would easily trick users into providing their personal data to scammers.

Hackers obtain 7,200 email addresses from Hongkong Post

Chung urged local enterprises to conduct security risk assessments on a regular basis, and invite external assessors to review IT systems. She suggested companies provide cybersecurity training to all staff and perform practice drills on a regular basis.

Alex Chan Chung-man, general manager of the digital transformation division of the Productivity Council, suggested businesses that might be hindered by a lack of investment and human resources make use of antivirus tools able to distinguish between real and malicious websites.