Published on: 17 November 2018 by Michael Lamb
On November 16th 2018, a report by the Hong Kong Free Press stated that banned pro-independence party leader, Andy Chan, and his lawyers were the target of a sophisticated cyber attack effort; reportedly originating from mainland china according to IP logs.
While we may not agree with Mr. Chan’s stance on Hong Kong politics, the fact that his lawyers were being targeted over instant messaging software and through spear-phishing attempts on their email should be of great concern to the entire business community in Hong Kong.
The last time CCW Global looked at Cyber Crime in Hong Kong was in May 2017.
Since that last article (which discussed the WannaCrypt ransomware event), and our piece on the Hong Kong-Macau-Zhuhai bridge hack in the same month, a lot has changed within the Hong Kong digital ecosystem, and not necessarily for the better.
According to figures from HKcert.org, a cyber coordination team lead by the Hong Kong Productivity Council, since Q3 2017 cyber crime events are up 211% percent across the board. While Phishing events have been decreasing, BotNet, Malware, and Defacement attacks are up, drastically.
Cyber events are up in 2018.
Phising and Malware are leading issues.
Unfortunately for Hong Kong, China is currently responsible for a large portion of the world’s cyber-crime (the other hotbed being Eastern Europe and Russia). Because of our geographical proximity to the mainland and our relative wealth as compared to the rest of the country we are a fairly easy target.
This is especially true when attackers are motivated and persistent, as in the case of Mr. Chan’s lawyers who are employed at Law Firm Daly & Associates. Daly & Associates, formerly Barnes & Daly, is a specialized Human Rights and refugee practice, and would be no stranger to being on the receiving end of a motivated digital attacker. As such, the breach (or potential breach) should be foremost in the minds of businesses as we end into the end of the year.
While overall Hong Kong crime rates have dropped significantly in the last 12 months, and now stand at their lowest levels since 1977, the number of scams, hack attempts (both email and on messaging apps), and outright fraud have increased.
From emails purporting to be from the CEO requesting an emergency wire transfer, through to more sophisticated attacked employing the latest in technology, the sheer range of possible attack vectors means that it is almost impossible for a company to protect against every possible cyber event.
While this may seem abstract and extremely unlikely of actually happening, the reality is that you are virtually guaranteed to experience some form of malicious cyber-attack/event as an individual with no specific targeting; being a recognized or successful business just compounds that risk.
Don’t believe us?
The Symantec 2017 Cyber Security report published the following numbers:
Of the individuals who experienced a cyber-crime, the most common forms of incidents were:
Globally, consumers lost approximately US$ 172 billion in 2017 – or US$ 142 per person.
How does this relate to business you might say?
Well, if the almost endless Cyber Events which have happened in Hong Kong do not convince you then it might be interesting to explore the common traits shared by victims of cyber-crime:
One of the most important traits shared by victims of cyber crime was their overconfidence in existing Cyber security systems; despite emphasizing the importance of such systems more than non-victims. This contradiction happens when victims act contrary to their beliefs through basic errors.
One of the major issues facing us in the modern world is the abundance of ways to access data and information – from personal computers through to tablets and smart phones. However, consumers who adopt the latest technology tend to be the most likely to suffer from cyber-crime. Over 37% of cyber crime victims own more than one computing system, and are more than twice as likely to have a connected home (smart home) device.
The prevalence of new security systems (such as fingerprinting, facial recognition, pattern matching, voice ID, personal VPN, and two factor authorization) mean extremely little when the fundamentals of digital security are ignored. 20% of cyber-crime victims globally use the same password for all accounts and devices! And 37% of these individuals have stated that they share their passwords with others.
From ensuring that a Wi-Fi connection is secured, through to not clicking email links, simple and basic errors are one of the leading causes of cyber-crime.
From Baby Boomers to Millennials, every online age group worldwide falls into the same traps again and again when it comes to cyber security.
And while Millennials will adopt the latest tech trends, Baby Boomers will write their passwords on post-it notes by their desks for anyone to read! Its not just a question of technology, there is also a massive real-world impact towards securing digital property.
A majority of consumers believe that cyber-crime is, to a point, acceptable. To the extent that roughly 15% of consumers globally think that it is fine to access someone else’s financial accounts without permission.
This disconnect between real world impacts and the activities and behaviors of a person online is one of the key factors in leading to successful cyber events. When coupled with all the other traits listed above suffering from, and being the victim of a cyber attack becomes inevitable.
At CCW Global we understand full well that not all businesses are Multi-National Corporations with enviable budgets for things like insurance and IT infrastructure. We also understand that despite the threat of cyber crime and attacks it is very difficult to completely face the reality of a changing business eco-system.
We’re not saying that because the lawyers representing a banned political party were the victims of a cyber attack that your company will also be a target. But that event is just one single piece of evidence in a much larger picture.
Leading advisory firm Deloitte posted an advisory on Cyber Crime in the wake of the Travel Agency hack, and in August of 2018 the Hong Kong Department of Health was hit by ransomware and lost 1.5 million patient records! This type of risk only really came into serious consideration in the last 10 years, but the number and scope of attacks is growing, this is undeniable.
Because of the nature of cyber crime, being opportunistic and carried out from afar, even organizations which have invested in security (like the Health Department) are increasingly becoming victims of attacks. This does not bode well from the majority of SME’s in Hong Kong, where the wherewithal to institute comprehensive and stringent IT security protocols may not be available.
But even then, it really doesn’t matter! As we’ve seen above, its virtually impossible to prevent cyber-crime; the best we can do is manage the aftermath and its impact on our business.
The VTech Hack, The BitFinEx Hack, The Coinrail Hack, The Travel Agency Hack, and more… These are not standalone incidents, but part of a larger trend. And even if the Bloomberg report on microchips implanted on devices isn’t true, that possibility is not too far off in the future.
With the fact that individuals who were more confident in their cyber security, the fact that multiple devices are increasingly being used to conduct business, and that the workforce is increasingly becoming diversified from a demographic’s perspective, all businesses in Hong Kong (no matter their investment in cyber security) are at risk of suffering from a cyber event.
In an ideal world we would be able to prevent cyber attacks with 100% certainty, but real life doesn’t work like that. And while we may be confident that we’ve done everything possible to lower our company’s as we’ve seen from the research that is often a key contributor to actually being a victim of a cyber-attack.
Taking steps to limit your organization’s exposure in a worst-case scenario, however, is possible. Cyber Security Incident and Response insurance plans do exist, and are becoming more competitive each year. While Cyber Insurance will not prevent a cyber-attack, just like fire insurance doesn’t prevent a fire or car insurance doesn’t prevent an accident, it is a useful tool in the risk management profile of any modern organization in Hong Kong.
If you would like to schedule a free, no-risk no-obligation consolation with one of our expert insurance brokers to discuss your company’s Cyber Insurance needs, or learn more about the extensive Cyber Insurance options offered by CCW Global in Hong Kong please Contact Us Now.