Commitment to information security is only lukewarm among companies in Mainland China and Hong Kong, with nearly one-fourth of respondents’ organizations having no budget in this priority area in the next three years.
A staggering 40 percent of respondents, most of them CFOs or CIOs, do not know whether their organizations have earmarked a budget for information security, according to the joint report by Deloitte China and the Association of Chartered Certified Accountants (ACCA).
In response to digitalization, companies are changing their business models and processes by establishing multiple touch points for stakeholders to interact with them through the internet and social media.
These new channels have enabled companies to better engage with their customers, but have also exposed them to cyber attacks – which can cause both tangible and intangible damage to their businesses.
Willingness to invest
“Companies are willing to invest in new technology, which has clear benefits for business growth,” says Eva Kwok, Partner, Enterprise Risk Services, Deloitte China.
“When it comes to risk prevention, however, it may not be something that can be easily promoted in the boardroom.”
Kwok adds that companies are actually exposing themselves to critical threats if they cannot improve information security in tandem with their technology adoption.
“It becomes more complicated to handle the situation as emerging technologies such as mobile devices and cloud have become increasingly ubiquitous in our daily life, meaning that companies are having more touch points than ever with external audiences,” notes Kwok.
The report showed that no industry can get away from the potential threat of cyber attacks, with some companies having experienced as many as two or more cyber incidents per month on average.
Interestingly, however, only 28 percent of respondents’ organizations had experienced an information security breach or incident in the past 12 months.
Computer crime rampant in HK
In Hong Kong, computer crime has become more rampant, with the number of cases growing at a compound annual growth rate of 28.8 percent between 2009 and 2015.
During the same period, financial losses due to technology crime have increased by 85.4 percent annually, reaching a historic high of HK$1.8 billion.
Survey respondents can name some of the cyber threats and information security challenges, such as information leakage, lack of documented guidelines, privacy complaints, hacktivism, and lack of compliance with privacy regulations.
However, only 50 percent of the respondents’ organizations had executive responsibility for enterprise-wide information security, and 60 percent of the organizations did not provide training to employees to raise their information security awareness.
Lack of preparedness
When it comes to efficiency in dealing with a security breach or incident, many respondents said it took less than a month to rectify the problem. However, there were plenty of examples of incidents going well beyond this and subsequently incurring more costs.
“A lack of preparedness can often explain the slow response, which can exponentially increase financial loss and give rise to other negative impacts such as reputation damage and loss of sensitive data,” said Kwok.
Kwok cited a separate Deloitte study as saying that the average time needed to resolve a cyber attack was 32 days, with an average total cost of a little more than US$1 million.
The report also covered the legal aspect of cyber security risks, highlighting the increasing focus among regulators in Hong Kong around enhancing the legal structure to support information security.
In the survey, 14 percent of respondents experienced complaints related to non-compliance with data security measures or privacy breaches. The tightening of regulations is expected to drive development of structure and processes around cyber security.
“While everyone’s effort is counted towards consolidating the new frontier of cyber security, accounting professionals are well-positioned to contribute through identifying the critical assets for protection, defining levels of access rights and assessing the cost-effectiveness of security measures,” says Eunice Chu, Head of Policy of ACCA Hong Kong.