23rd September 2023 – (Hong Kong) Hong Kong is reeling after the Cyberport tech hub and the Consumer Council were hit by cyberattacks resulting in large-scale data theft. This deals a devastating blow to the city’s reputation as a safe regional business hub, while exposing glaring gaps in cybersecurity preparedness. Urgent action is required to identify vulnerabilities, overhaul defences, strengthen regulation and restore trust.
In August, Cyberport suffered a breach compromising sensitive staff and client data including ID card numbers and credit card details. Barely a month later, hackers encrypted the Consumer Council’s systems and stole data on staff, complainants and partners while demanding a US$500,000 ransom.
These incidents reveal alarming cybersecurity failings among even prestigious public institutions. But most worrying is the lacklustre official response, with privacy authorities merely issuing boilerplate condemnations and reminders about compliance. This head-in-the-sand attitude must end. Hong Kong must implement sweeping reforms to cybersecurity foundations and attitudes before we see a truly catastrophic attack paralysing critical infrastructure or financial systems. Action is needed across five key areas:
Assess systems for vulnerabilities
Organisations must urgently conduct exhaustive audits identifying vulnerabilities in networks, software and processes. Ongoing testing via methods like red teaming should become routine. Audits must probe insider risks alongside external threats.
Cyberport’s breach involved basic remote working security lapses indicating shoddy defences. The Consumer Council meanwhile was apparently oblivious to being hacked for seven hours. Regular aggressive audits could have detected flaws earlier. Audits should also cover emergency incident response plans given the chaotic initial reaction to the Cyberport breach. Drills must confirm organisations can respond decisively to contain damages during attacks.
Overhaul cyber hygiene culture
Alongside systems, staff cybersecurity awareness desperately needs upgrading. The attacks exploited human weaknesses like clicking phishing links, indicating poor cyber hygiene culture.
Mandatory recurrent training is essential, including simulations like fake phishing emails to keep staff alert. Cybersecurity should be ingrained as everyone’s responsibility, not just the IT department’s. Stringent data protection and access policies must be enforced, especially for sensitive personal data. With lax controls, employees may inadvertently expose databases to hackers.
Monitor networks for anomalies
Organisations must monitor networks closely for suspicious anomalies that could indicate intrusions. Cyberport’s hack went undetected for over a week. Early anomaly detection could stem damages.
Logs of activity on databases with sensitive information should be analysed using AI for unusual access patterns that betray insider misuse or external hacking. Data exfiltration activity is also a red flag. Cyber teams must swiftly investigate odd traffic spikes suggesting botnet activity, and erroneous logins indicating brute force attacks. Timely threat detection is key.
Current cybersecurity rules are dangerously outdated, as the Privacy Commissioner’s Office can only issue nominal fines even for major breaches. New protection obligations and penalties are needed for Hong Kong’s digital era. Fines should increase exponentially for companies that flout regulations and fail to report breaches promptly. Penalties should match Europe’s tough GDPR, making non-compliance unacceptably risky.
Stricter cyber insurance requirements could also drive improvements by mandating strong defences for affordable coverage. Insurers can guide companies on boosting protections and preparedness.
Instil urgency on cyber defence
Above all, authorities and companies must recognize cyberattacks as a clear and present danger requiring urgent action, not distant theoretical risks. Cyberport’s CEO dismissed its breach as a one-off incident, missing the call for major change it represents.
Mindsets must evolve to approach cyber risks with the same vigilance devoted to financial threats. Cyber chiefs need resources and authority to regularly stress-test defences and enforce world-class protections.
Business leaders must appreciate cyber risks’ scale and relentlessly drive defences rather than leaving it solely to IT teams. Otherwise, Hong Kong will see even graver attacks that may cripple critical systems.
This perfect storm of two breaches spotlighting comprehensive unpreparedness is Hong Kong’s wake-up call to Get cyber-serious before it’s too late. Half-hearted box-ticking compliance and hopes hackers will not target Hong Kong betray grave naivete. With globally renowned institutions compromised, urgent meticulous reforms to cybersecurity foundations are vital. This includes tighter regulation and penalties. Failure to transform defences, controls and attitudes swiftly will expose Hong Kong to potentially disastrous exploitation.