Snowden's message was 'Big Brother and everyone else is watching', says security expert
Outspoken security expert Michael Gazeley has long said many businesses in Hong Kong are ill-prepared against internet threats.
Gazeley, managing director at security services provider Network Box, famously said after the cyberspying revelations made by US whistle-blower Edward Snowden last year: “Major companies in Hong Kong spend more on Christmas decorations than on cybersecurity.”
His latest clarion call about the need for broader vigilance against threats to network security followed the recent massive cyberattacks that hit large retailers Target and Neiman Marcus in the United States.
Last week, Target said the names, phone numbers, and mailing addresses of up to 110 million customers may have been stolen in a cyberattack last month.
The company initially reported last month that the debit and credit card data of 40 million customers were stolen during the holiday shopping season.
Customer credit card data from luxury department store Neiman Marcus and at least three other well-known US retailers were also compromised at the same time by a big cybercrime syndicate in Eastern Europe, a Reuters report said.
“The biggest retail credit card breach in history has just happened,” Gazeley told the South China Morning Post.
He said that what the Snowden revelations about spying and data harvesting should have taught businesses is that “Big Brother and everyone else is watching”.
“Yet the vast majority of information technology managers, and even well known cybersecurity professionals, seem to be almost pathologically fixated on the last attack rather than the next attack,” he said.
“Just as a bodyguard in the physical world needs to be able to protect clients from all sorts of harm, such as being shot or hit by a car, cybersecurity systems must also deal with a wide spectrum of threats.”
The Hong Kong Computer Emergency Response Team Co-ordination Centre (HKCERT), the government-backed information security watchdog, has confirmed that threats have been increasing.
Leung Siu-cheung, a senior consultant at HKCERT, said: “The security landscape has changed significantly in the past decade. For instance, the number of malicious software has increased from about 1,000 in 1991 to millions in 2012, while other undetected malware have become tools used by cyber criminals.”
Hong Kong-based Network Box, which provides “security appliances” and managed services that cover more than 1,600 corporate computer networks worldwide, released about 6.86 million security updates online to each of its clients last year.
“That is a very significant 53 per cent increase from the year before, reflecting the enormous number of new threats,” Gazeley said.
Nicholas & Bears, an international brand of children’s clothing that runs an online shopping site and more than 60 shops across Asia, acknowledged that the retail sector has become more security-conscious after the Snowden revelations in June last year.
“I guess we all knew people were out there hacking and monitoring us on the internet. Snowden made it all a lot more real,” said Elaine Cheung, chief executive at Nicholas & Bears, a client of Network Box.
“In the retail industry, we obviously have to deal with customer payments and client data, so every story in the press about hacking, credit card information being stolen, or point-of-sale systems being compromised worries me a great deal,” Cheung said.
She said: “We really don’t have the time or knowledge to deal with network security, so we leave it to the experts. I would rather spend my time concentrating on my designs and operations.”
Consultancy Frost & Sullivan said in a report that more companies in the Asia-Pacific region are outsourcing network infrastructure security because they lack the resources to handle complex and multiple cyberthreats.
It forecast the managed security services market in the region would reach US$5.34 billion in 2019, from US$1.66 billion in 2012, as more companies “adopt security services as an add-on to their existing security setup”.
Gazeley said there has been some improvement in cybersecurity by businesses in Hong Kong.
“But these are usually the large-sized companies, and they are still in the minority. About 98 per cent of businesses in Hong Kong are made up of small and medium-sized enterprises. It is this vast majority that remain most at risk today,” he said.