A low awareness of how to monitor for threats and an outdated data protection law could make Hong Kong organisations easy targets for hackers, according to cybersecurity consultancy Kroll. Photo: Shutterstock

Hong Kong organisations are easy targets for hackers, more cyberattacks expected this year, consultancy Kroll finds

  • Financially motivated cyberattacks are on the rise after declining following Russia’s invasion of Ukraine, cybersecurity consultancy Kroll said
  • Hong Kong and the rest of Asia-Pacific have historically had lower cybersecurity maturity, making local organisations prime targets

Hong Kong organisations could be easy targets amid an uptick in cyberattacks expected in the second half of the year, according to cybersecurity consultancy Kroll, which blamed low awareness of how to monitor for threats and the city’s outdated data protection law.

Financially motivated cyberattacks have been on the rise in recent weeks, with ransomware and email attacks being the most common types, said Paul Jackson, regional managing director for Kroll’s Cyber Risk practice in Asia-Pacific (APAC).

“Hong Kong and the rest of APAC will be targeted, because historically we’ve had a lower maturity in cybersecurity and the bad guys are always looking for easier targets,” said Jackson, a two-decade veteran of the Hong Kong Police Force who left the force in 2010.

Jackson served in multiple roles with the Hong Kong police, including Chief Inspector and Head of Computer Forensics.

The uptick in cyberattacks came after a relative lull, as attacks declined in part because of Russia’s invasion of Ukraine, according to Jackson. A significant portion of financially motivated organised cybercrime originated in the region, he said.

Kroll has also seen a return of attacks on healthcare organisations, which Jackson said had fallen during the pandemic, possibly because criminals chose not to target organisations that were overloaded by the health crisis.

In the second quarter, cyberattacks on healthcare organisations increased 90 per cent globally from the previous quarter, according to Kroll’s Threat Landscape report published last week.

The previous drop in cyberattacks should not “put a false sense of security in the minds of leaders in Asia”, Jackson said.

“Unfortunately, Hong Kong still has a very low awareness of how to effectively monitor [cyber threats], and I would say a very small percentage of companies here are doing a good job of monitoring,” he said. “And we haven’t been helped by the fact that we have outdated data protection laws.”

Hong Kong was once considered a leader in data protection, with a data law dating back to 1996. However, the Personal Data (Privacy) Ordinance has barely been updated since. With the introduction of the European Union’s General Data Protection Regulation, which took effect in 2018, and last year’s Personal Information Protection Law in mainland China, Hong Kong’s law has started to look outdated by comparison.

Hong Kong does not require user consent for the collection and processing of personal data, and there are no legal obligations for reporting data breaches. The local government proposed a new cybersecurity law in May, which is expected to improve the city’s resilience against cyberattacks.

“These are welcome changes, the enhancements to the laws,” Jackson said. “It’s been a long time since the law was changed, and it’s a good move for Hong Kong as a business centre.”

According to the latest report from the Hong Kong Computer Emergency Response Team Coordination Centre, an agency tracking cyberattacks in the city, cyberspace threat detections increased more than 20 per cent in the first four months of 2022 from the same period last year.