Hong Kong Risk Advisory: Employees Are Major Information Security Threat
Updated: Jun 23
Kevin Scott Caja, Cyber Security Director.
Today's headlines focus on the rapid global increase in cyber-attacks on high-profile organisations, individuals, and countries. But in Hong Kong, the big threats to Information Security for corporations are not limited to hackers. Employee theft or mistreatment of customer data and supplier details is a problem too.
The risks are especially pronounced for Hong Kong listed companies, which are required by local and foreign regulators and the investment community to protect critical data.
Some of the most damaging information losses recorded by I-OnAsia over the past two decades have involved rogue employees who walk out the door with valuable client information. National security and politics are exciting for the average newspaper reader. However, if you dig deep into the data about major loss events that affect large listed companies, both in Hong Kong and elsewhere, the insider threat is a big problem.
“What is your current staff dismissal policy?
How can staff report suspicious behaviour of a peer?”
At I-OnAsia, we recommend a holistic awareness of the growing threat of cyber-attacks and cyber-crime, including a practical understanding that if you own a business in Hong Kong, your employees pose a risk of information loss.
It starts with good Cyber Risk Management.
I-OnAsia is uniquely positioned to help prepare risk assessments on cyber issues for companies listed in Hong Kong. I-OnAsia maintains a proprietary database of significant operational risk loss events that have caused losses for corporations listed in Hong Kong. The database enables us to bring real-world insights to the boardroom on the most likely, and most impactful, types of losses to consider in every risk assessment. Informed by the big picture, I-OnAsia is trusted by arms of the Hong Kong government, major Hong Kong multinationals, and other companies operating in Hong Kong to examine cyber risks in a Hong Kong context. This includes an understanding of market standards and local regulatory requirements.
Regular reviews of systems and processes give confidence that you have good defences to prevent breaches by both external and internal threats. More than three quarters of global companies admitted in a recent survey that they may have a false sense of security about cyber threats and were not prepared to fend off outsider threats. The survey respondents' admitted weaknesses included: not having formal internet security policies for staff, not using cyber experts (such as I-OnAsia) to test systems, and not having good data backups.
I-OnAsia's very skilled Cyber Security team can help with planning and preparation to prevent losses, and tests cyber security preparedness for Hong Kong companies every year.
If your data was stolen, or lost, how long could your organisation survive?
Is your Business Continuity Plan current, and has it been tested?
No doubt, it is important to keep an eye out for the hacker risk in Hong Kong too.
The hacker threat means that organisations run the risk of operating one day and closing the next if the attack is serious enough.
“Hackers are holding foreign exchange company Travelex to ransom after a cyber-attack forced the firm to turn off all computer systems and resort to using pen and paper.” BBC News
Hackers are targeting small and large businesses alike, exploiting system vulnerabilities and looking for weaknesses to make money. Local Hong Kong companies, including HKSE listed enterprises, are as vulnerable to an attack as international ones. I-OnAsia is often called in by local businesses in a crisis, after a cyber-attack. Our team has also helped test local I.T. systems, performing what is commonly referred to as vulnerability testing.
Larger organisations around the world enjoy big cyber security budgets and have built robust systems. They are spending big dollars to win the arms race against hackers. But as the cyber protections at large multinationals improve, hackers have more reasons to target less-prepared small and medium-sized enterprises, including locally listed companies in Hong Kong.
Small businesses are more vulnerable.
Small businesses hold sensitive data.
Small businesses are vulnerable to phishing attacks.
It is predicted that over the next five years, cyber-crime will cost the global economy 5.4 trillion dollars. This eye-watering figure will continue to increase if we don’t start taking measures to combat the threat that cyber-crime poses.
So how are these attacks happening?
1. Fraudulent Emails
2. Viruses / Spyware / Malware
4. Unauthorised access
5. Denial of service attacks
Even if you don’t currently have the financial ability or resources to bring in an outside expert to test your computer systems and make security recommendations, there are simple steps you can take to reduce your risk of a cyber-attack:
· Provide employees with cyber security awareness, and compile a policy which they understand and can sign to demonstrate what it is you expect of them when using your IT systems.
· Install and update the latest anti-virus software.
· Install a firewall for your Internet connection.
· Download and install software updates for your operating systems and applications as they become available.
· Make backup copies of important business data and information.
· Control physical access to your computers and network components.
· Secure your Wi-Fi networks. If you have a Wi-Fi network for your workplace, make sure it is secure and hidden.
· Set up individual user accounts for each employee; with these in place you can quickly identify insider threats and isolate them.
· Ensure that employees only get the access they require, and review this regularly so that sensitive data stays protected at the highest level.
· Implement a password policy and ensure that passwords are regularly changed by staff to prevent unauthorised access.
About The Author: Mr. Kevin Scott Caja is I-OnAsia’s Cyber Security Director. He has been with I-OnAsia's investigations and security risk management team for nearly four years and has an extensive background in Cyber Security related matters and digital forensic investigations. He holds a Bachelor of Science and Information Technology and other I.T. supported qualifications. Clients may contact Mr. Caja with questions about the ever-increasing threat of cyber-attacks which we are witnessing globally and how best to position yourself to prevent them.