Hong Kong’s smaller businesses think ‘we’re too small to be hacked’ despite hacking experience, insurer finds
- About 70 per cent of smaller businesses surveyed said they had been hacked or had data compromised
- Yet only about half carry cybersecurity insurance in city named a top hacking destination, insurer Chubb reports
Hacking is on the rise in Hong Kong. But many smaller businesses have a “we’re too small to be hacked” mindset that leaves them vulnerable, according to insurance company Chubb.
Chubb surveyed 300 of Hong Kong’s small and medium sized businesses and found that seven out of 10 said they had experienced a cybersecurity incident such as hacking or data loss in the past year. Despite this, half of the businesses surveyed had never bought cyber insurance. Fifty-two per cent of respondents also think they are less at risk than large corporations.
“There’s a perception with small businesses that ‘we’re too small to be hacked’,” Chubb Asia-Pacific’s Cyber Underwriting Manager Andrew Taylor said.
He argues that smaller companies actually have a larger exposure as they face the same risks as big businesses but lack the resources for comprehensive protection.
Hong Kong is facing growing cybersecurity threats. The city is ranked among the top five global destinations for cyberattacks, according to a 2018 report by LexisNexis Risk Solutions. Police data shows there was a 55 per cent increase in the number of security breaches from 2017 to 2018 and financial losses due to cybercrime grew five-fold in six years – from HK$340 million in 2012 to HK$2.26 billion in the first nine months alone of 2018.
Businesses can try to protect themselves through network security services as well as insurance, which can cover such things as IT costs for responding to cyber incidents, extortion costs from ransomware, and business interruption.
Hong Kong’s larger corporations as well as government agencies have also suffered, as recent high profile cybercrime cases show.
In November 2018, HSBC’s e-payment app was used to carry out unauthorised transactions involving HK$100,000. The hackers had posed as email service providers and sent out phishing emails to deceive victims into submitting their passwords.
The city’s flagship carrier Cathay Pacific revealed the data of 9.4 million passengers was leaked, including names, dates of birth, passport numbers and identity card numbers. The airline faced heavy criticisms over its handling of the incident as the breach was detected in March but was not disclosed until October.
The computers of Hong Kong’s Department of Health were hit by a ransomware attack in August 2018. The files stored on those computers were encrypted by the malicious software. Fortunately, the computers did not contain confidential information and no data was leaked.
Michael Gazeley, the managing director of security firm Network Box, was not surprised by the survey findings. His Hong Kong-headquartered company offers network security services to clients in Asia, US, Europe and the Middle East.
“Hong Kong [businesses] have a particularly bad attitude about cybersecurity. I’ve been astonished at how major professional bodies who should be advising their members to be careful about this, they themselves do not seem to care,” Gazeley said.
He added that smaller businesses are not just taking risks with their own data but also that of their customers and suppliers.
