For Hong Kong Organizations
We thank JC Legal for providing the answers to these questions.
Q: What are the different types of cybersecurity risks?
A: In today’s ever-evolving digital age, organizations are increasingly at risk of cybersecurity attacks, which may take various forms, leading to loss, corruption and unauthorized access of data. Some of the common type of cybersecurity attacks that organizations may face in their day to day operations include:
- Malware attacks – Malware is malicious software coded to attack compromised computer systems. It typically infiltrates systems when a user clicks into a dangerous link or downloads an e-mail attachment that installs the malicious software.
- Ransomware – One common form of malware that prevents users of the targeted organization from accessing their IT systems until a ransom is paid. Ransomware is often carried out via a Trojan delivering a payload disguised as a legitimate file.
- Phishing – This occurs when Internet users disguise themselves as known individuals or trustworthy organizations to obtain sensitive information such as usernames, passwords and credit card details from you. These incidents typically occur via e-mails, instant messaging, forged websites or social media.
- Distributed Denial of Service (“DDoS”) – This is an attack that focuses on disrupting service to your network by sending high volumes of traffic through the network until it becomes too congested and can no longer function.
Q: Should civil society organizations (CSO) in Hong Kong be concerned about cybersecurity risks? If so, why?
A: Yes, all organizations should be concerned as the number of cybersecurity and IT security breaches is growing year-on-year. In Hong Kong, for instance, the Privacy Commissioner for Personal Data (“PCPD”) received 129 reports of data breaches 2018, an 80% increase compared to 2014. Further, a study carried out by Microsoft that same year indicated that 48% of organizations surveyed in Hong Kong have either experienced a cybersecurity incident or are not sure if they had one as they have not performed proper forensics or for data breach assessments.
The losses incurred by an organization as a result of a cybersecurity attack can be grave. In particular, if the breach causes data loss, there is a risk that that the organization will be subject to sanctions from regulatory authorities or civil claims from afflicted 3rd parties. A significant amount of time and money will also be incurred to identify the cause, remedy the damage, implement mechanisms to mitigate future risk, and to comply with regulatory investigations. Not to mention, the inflicted organization will also likely suffer reputational damage which will impact its outlook and prospects.
As such, it is vitally important for organizations to take a pro-active approach to cybersecurity by establishing security and preventive measures.
Q: What are the potential vulnerable points in a CSO’s operations that can expose the organization to cybersecurity risks?
A: Some of the potential vulnerable points in a CSO’s operations that can expose the organization to cybersecurity risks include:
- Lack of cybersecurity controls like anti-virus software;
Poor maintenance of software and hardware; and
Human error due to lack of cybersecurity awareness.
A lack of cybersecurity controls will expose your organization to data breaches and cybersecurity attacks. For instance, your organization’s operating systems should have strong anti-virus and customized firewalls set up to detect and eliminate malware threats and block suspicious traffic from infiltrating your devices and network. All devices connected to your organization’s network should also be securely configured by changing default passwords and turning off unnecessary functionalities. Moreover, as discussed further below, an organization must ensure that their WIFI is properly encrypted, or they will otherwise be at risk of malicious individuals using and compromising the security of the WIFI network.
Aside from implementing cybersecurity controls though, it is equally as important for organizations to be vigilant in maintaining their software and hardware to address defects and security vulnerabilities, as new cyber-threats are constantly emerging. Notably, this can be affected by having regular scheduled assessments of your organization’s software to ensure that they’re updated and applied to all your computer’s systems.
Last but not least, a surprising number of cybersecurity incidents are caused or contributed by human error, carelessness and a lack of cybersecurity awareness. As aforementioned, there are hackers who exploit this by engineering phishing attacks. Accordingly, organizations should regularly train and educate their staff on cybersecurity issues as part of their risk management strategy.
Q: Our organization relies on off-the-shelf web-based services for our electronic communications, websites, and document management and storage. Are there any cybersecurity risks associated with using these tools? If so what are they and what should our organization do to mitigate these risks?
A: The common cybersecurity vulnerability that your organization may find with off-the-shelf (“OTS”) tools is its lack of security.
Firstly, reliance on OTS services means that you will ultimately be at the whim of your vendor’s product development cycle. In particular, some OTS services may not include the most updated security features and are therefore more susceptible to cybersecurity attacks. It is also worth noting that OTS software is better known to hackers, again making it more vulnerable.
To mitigate these risks, organizations must ensure that they thoroughly review and understand the OTS services that they will be implementing. In particular, the organization should review the patch history and security certifications on the accuracy, usability and security of the OTS service. Further, it is advisable to run an application security software regularly to ensure that any bugs are identified and fixed.
Q: Our organization uses WIFI to access the internet, both from the office and from home. Are there any cybersecurity risks involved in using WIFI? Is there a difference between a public WIFI and private WIFI protected by password in terms of cybersecurity risks? What can be done to mitigate such risks?
A: While all WIFI networks carry a degree of risk, precautions can be taken to ensure that the risk of a data breach is minimized.
Firstly, use of public WIFI should be avoided. Most public WIFI networks are unencrypted, meaning that anything that is sent or received on your device can be intercepted, such as your instant messages, emails, and login information like passwords.
It is therefore recommended to use a private WIFI network, as it is password encrypted to prevent unauthorized access and data interception. In particular, organizations should ensure that their private in-house WIFI network is always secure and encrypted by requiring a password consisting of a unique combination of letters, numbers and symbols, and by enabling the WPA2 security protocol, which will encrypt your network’s web traffic.
Unfortunately, in the present climate of COVID-19, employees may have no choice but to work from home. One of the causes of concern that arises from such remote work arrangements is the use of unsecured WIFI networks or home WIFI networks that lack the same security measures as your organization’s WIFI network.
Accordingly, to mitigate the risks of data interception, staff should be told not to use unsecured public WIFI, and as a further layer of security, be offered and/or advised to use a robust VPN (virtual private network) to ensure encryption of all data that is being sent and received on their device. Notably, a VPN works by creating a “tunnel” for your data that is private to you, so that anyone else on the network would only be able to see an encoded stream that they have no access to.
Note however that a VPN is not 100% fool proof. If your staff uses a VPN to connect to a work server remotely through an unsecured WIFI connection, they may still be vulnerable to cybersecurity threats.
Q: Are there additional cybersecurity risks for our organization if our staff are working from home? If so, what are they and what should our organization do to mitigate these risks?
A: Aside from the risk of data interception due to the use of unsecured WIFI networks, staff working remotely from home may also be using personal devices that lack solid cybersecurity controls like strong anti-virus software and customized firewalls. As discussed above, without such security measures, there is a high risk of data breaches and cybersecurity attacks.
Alternatively, employees may have downloaded applications and/or media on their personal devices from third-party sites laden with malware that can cause data infiltration and leakage. On a more physical level, family members or roommates may also have easy access to your staff’s personal devices if it is often shared with them.
Accordingly, to minimize these risks, staff should be advised not to use their personal devices when working from home. Where possible, it would be preferable for an organization to provide staff with secured company devices. If that is not possible though, staff should be advised to install or update their security software, change their device passwords if it is known to others, and be informed of what tools and platforms that staff are allowed to access or use whilst working off-site.
Particularly with the use of videoconferencing platforms like ZOOM, organizations must ensure strict control over who is able to access these videoconferences. For instance, invitation links should only be sent to office e-mails and not via public platforms like Facebook. Further, when all the attendees have joined the video conference, the meeting should be locked to prevent other from entering.
For more examples of controls and procedures that an organization can put in place to manage the cybersecurity risks arising from remote office arrangements, please see this circular issued by the Securities and Futures Commission.
Q: Our staff uses their own personal devices such as smartphones, personal laptops and iPads for work purposes. Are there any cybersecurity concerns with respect to using such devices for work purposes and if so, what should our organization do to mitigate these risks?
A: As discussed in Question 6, personal devices like smartphones and iPads lack solid security controls and may be easily accessible by family members and roommates. Therefore, to manage and mitigate all the risks that arise from remote work arrangements, an organization should create and implement a remote working policy that will cover and provide guidance on the use of personal devices at home.
Q: Can our organization be liable in the event of a cybersecurity breach? If so, what can be the consequences?
A: Yes, under the Personal Data (Privacy) Ordinance, a data user shall comply with the Data Protection Principles that cover various aspects of “personal data”. Most notably, Data Protection Principle 4 requires data users to take all practical steps to protect personal data against unauthorized or accidental access, processing, erasure, loss, or use.
Therefore, failure to take practical steps in protecting personal data may expose the organization to enforcement actions from the Privacy Commissioner, criminal prosecution and civil claims from parties affected by the data breach, such as employees and clients of the organization.
For more information on how to comply with Data Protection Principle 4, please see this publication from the PCPD (namely pages 67-72).
Q: What should our organization do in the event of a cyber-attack?
A: Firstly, your organization must identify and assess the identity, scope and severity of the cyber-attack. For instance, has the cyber-attack has caused any loss or erasure of data? If so, your organization will need to consider notifying and working with police authorities and legal advisors to determine whether customers, employees, business partners and government agencies need to be notified of the attack.
Further, if your organization has cyber insurance, notify your insurers of the incident. Your organization should also consider reporting any criminal act to the police authorities and seek legal advice on how to mitigate your organization’s reputational risk.
For more guidance on how to handle a data breach, please see this publication issued by the PCPD.
Q: What are some practical steps our organization can take to generally to improve cybersecurity?
A: As discussed, some of the practical steps that organizations can take to improve their cybersecurity include:
– Ensuring that the in-house company WIFI is secure and encrypted;
– Installing anti-virus and anti-malware software;
– Setting up customized firewalls or other intrusion detection products;
– Establishing a regular schedule for monitoring and implementing security updates to the organization’s computer systems;
– Implement monitoring and surveillance mechanisms to detect any unauthorized access to internal networks and systems; and
– Ensuring that your staff is regularly trained and educated on cybersecurity risks to minimize human error and carelessness.
Nevertheless, despite implementing the above measures, it is still possible for cyberattacks and data breaches to occur. Therefore, to ensure the availability of such data for business continuity, organizations are advised to regularly back-up their data.