Last month, the world watched helplessly during a cyberattack when the WannaCry ransomware exposed weaknesses in government institutions and corporate organisations alike. Major security vulnerabilities were exposed in over 230,000 systems in over 150 countries within 24 hours, while data from organisations such as Britain’s NHS and Spanish telecommunications giant Telefonica was held hostage via encryption and only returned when a Bitcoin ransom was paid.

It’s an issue that Hong Kong’s auditing industry is all too aware of. “WannaCry showed the world once again just how unprepared we are to defend against cyberattacks,” says BDO’s director and head of risk advisory Ricky Cheng. With new cybersecurity threats emerging constantly, it’s worrying, Cheng says, that “some businesses have not adopted basic practices in information security, leaving them exposed to both new and legacy threats”.

Jason Yau, partner in technology and management consulting at RSM, confirms that this has been an area they’ve been increasingly alert to as well. “RSM has invested significantly in this service area over the past year, as we have seen a significant increase in demand for IT and cybersecurity review services. In light of the recent high-profile ransomware attack, it’s crucial that companies not only respond but also prevent similar situations.”

It’s something that is occurring slower than many would like. “Major economies around the world have started or already enacted relevant cybersecurity laws or regulations to curb the potentially catastrophic damages that can be caused by cyberattacks on major infrastructure industries,” Yau says. However, a lack of substantial policy and planning for these types of events, and a general lack of awareness over potential risk exposure, often leads to authorised users failing to adhere to security policies. Take IoT (internet of things) devices for example, which are increasingly common in not only homes but also businesses.
“Unlike traditional computer terminals, where security software can be installed, a refrigerator, a window shade or an electric extension cord with remote control capabilities connected through a home network can be easily penetrated with malicious intent,” Yau warns. “Although the electronic industries are catching up with the security implementation on IoT devices, the potential risk exposure associated with these new products is currently outpacing the related security measures and solutions.”

The practice of bring your own device (BYOD) is another area that is seen as a key weakness, Cheng notes. “Every one of these devices is a potential entry point for cybercriminals.”

While businesses may recognise cybersecurity is a priority, there is still a lingering lack of commitment and underlying understanding of the subject. As recent events have shown, many companies still lag behind in dealing with emerging technology risks – particularly small- and medium-sized enterprises (SMEs), says Patrick Lo, partner in risk advisory at RSM. “SMEs have limited resources and, with the fast pace of development, they are always concerned with the impact of their investments in technology on the companies’ profitability. This, very often, leads to the SME not selecting the appropriate software for cost reasons, or significant delay in responding to the emergence of a new security risk.”

In 2016, the Hong Kong Exchanges and Clearing (HKEX) raised the requirement to disclose companies’ risk management systems in their Corporate Governance Report and set up an internal control function as best practice. If companies do not comply with these provisions they must explain why in their Corporate Governance Report.
However, Cheng says, “disclosure contents in general are weak”, with many companies explaining their non-compliance by the fact that they are small businesses.

In the event of a crisis stemming from something like a cyberattack, a comprehensive contingency plan is crucial for limiting damage. “Some of our recommendations have included having an IT steering committee, maintaining an up-to-date day-of-crisis contingency plan, who to talk to and their relevant contact information and listing the day-of-crisis procedures to assess damage and follow up steps to recover or restore information,” Cheng says. “A good contingency plan will make sure day-to-day operations can be restored to a normal level in the quickest manner.”

It’s fair to say, too, that there’s no one-size-fits-all solution. The decision on the scale of implementation and specific components covered by these plans should be driven by critical business processes and assets that are unique to each organisation.

“With efforts from Hong Kong regulators and information security professionals, we believe organisations’ attitudes towards information security will continue to change and, as a result, narrow the gap in cyber maturity level when compared to countries such as Japan and Singapore,” Cheng says.