Cyber security should garner special attention at the corporate board level, experts say

Hacking attacks directed at companies in Hong Kong are more frequent than the global average

PUBLISHED : Monday, 27 June, 2016, 6:29pm
UPDATED : Monday, 27 June, 2016, 6:29pm

Company board members in Hong Kong need to be more engaged in cyber security issues and firms must not neglect the topic in today’s connected world, according to security experts.

Edward Stroz, executive chairman of digital investigations and risk management firm Stroz Friedberg said board members in the city should ask executives what the greatest cyber threats to a company are, and what is being done to address these issues.

“For the weight class that Hong Kong is in and the power that it punches, it has to make sure that the boards of its institutions are performing at that level, meeting the standard that goes with being an international financial location,” Stroz said.

Cyber security firm FireEye found 43 per cent of its Hong Kong clients suffered an advanced attack by hacker groups in the second half of last year, against the global average of 15 per cent, the company’s worldwide survey of 4,000 clients found.

One of the largest known recent hacks in Hong Kong involved childrens’ technology maker Vtech, which in November announced a large scale hack of customers’ accounts including profiles of 200,000 children. In spite of these risks, companies are still complacent on this issue, according to Paul Haswell, a partner at law firm Pinsent Masons.

Haswell said local companies must conduct cyber security audits and educate staff on risks, adding that requirements to report breaches or heavy fines could push Hong Kong companies to take the issue more seriously.

“There needs to be clearer penalties for breach. In the EU they’re proposing fines that can be 4 per cent of your global turnover. That’s a proper fine,” Haswell said. “That’s a lot worse than say HK$100,000 which really isn’t going to bother most financial organisations.”

Another risk to company data comes from insider threats, such as “bad leavers”, or employees who plan to leave the company taking valuable data and staff with them, Stroz said.

One means to protect company secrets is to use psychology and behavioural science to monitor staff, former FBI agent explained, something the company has applied to its work since it was established.

Last year, Stroz Friedberg released its software SCOUT that performs psycholinguistic analysis of language, as a product that can be installed by organisations to flag a employee’s change in use of language in their written communications.

The software, which was developed for use by the company in its investigations, measures 60 attributes through language to monitor for psychological distance, a sense of victimisation and aspects including the ratio of the use of “I” to the use of “me”.

“Technical monitoring is one thing, monitoring the computers, the networks,” said Paul Jackson, managing director at Stroz Friedberg in Hong Kong, said. “But at what stage do you start to look at people and who might be presenting that risk to your organisation?”

SCOUT can also tell if an employee is having problems in their personal lives, allowing companies to be more caring, Jackson said.