Chamber in Review
Cyber Risk for SMEs
Cyber Risk for SMEs<br/>中小企網絡風險

Cyberattacks are a major risk for all companies in today’s business environment, particularly SMEs. 

According to the Hong Kong SME Cyber Preparedness Report 2019, from insurance company Chubb, 71% of surveyed SMEs in the city had experienced cyber incidents in the previous year.

At a Chamber roundtable in December Cherrie Wong, Cyber and Crime Senior Underwriter at Chubb, shared the findings of the report and discussed some of the steps that companies can take to protect their businesses.

She said that in the past three years, Chubb has devoted more resources to promote cyber awareness in Hong Kong. 

“More and more companies are starting to consider cybersecurity issues as part of their risk management solution,” Wong said. “However, we still see a lot of companies that are not aware of cyber risk.”

Wong also addressed some of the misconceptions, including the perception that big companies and technology firms are most at risk. In fact, any company that uses technology is vulnerable.

“SMEs are using more technology to make their businesses more competitive, but are they prepared for the increased cybersecurity risk?” she said.

The survey found that the key cyber issues that Hong Kong’s SMEs had suffered in the previous year were data loss or business interruption due to system malfunction or other technical fault, and human error, which accounted for 24% of incidents. 

“Employees play a very important role; they are usually the weakest link in your cyber risk management,” Wong explained. 

Some respondents to the survey were concerned that their employees did not understand cyber risk, or the importance of data privacy. Employees clicking on malicious links or using weak passwords are some of the ways that hackers have been able to gain access to companies’ data. At the same time, employees need training and guidance on cyber security issues.

In the past few years there have been a number of high profile incidents in Hong Kong, including attacks on Cathay Pacific and the Education Bureau. Globally, there have even been attacks on nations, with thousands of government and company websites in Ukraine and Georgia coming under attack. 

But it is not just big businesses. SMEs are particularly vulnerable to attack, because they may not understand the risks, and may not have the manpower or resources to provide the training needed.

Wong also warned SMEs that if they do business outside of Hong Kong they need to be aware of the changing regulations in the jurisdictions where they operate. For example, California has just enacted a new Internet of Things security law, while Australia is increasing data breach penalties.

Wong then explained the role of cyber insurance. Thirty years ago, many businesses’ key assets were tangible items like machinery; today, data is crucial.

“Cyber insurance is not only for companies developing technology. It is for all companies using technology in their business.”

Different types of cyber insurance are available, Wong explained. These include services such as mitigating the impact of an attack, helping to recover data, and incident response to coordinate the services required after an attack, including extortion negotiation. On this subject, Wong said that they do not recommend that companies pay ransom demands, as there is no guarantee that the criminals will fulfil their part of the bargain. 

Companies should take a holistic approach to protecting their data, including employee training and backing up data. 

“Even if you have cyber insurance you still need to enhance your cyber security,” she said. “Cyber insurance is only part of your cyber security plan.”

Wong noted that many insurance claims come from companies that have a lot of personal data, including SMEs and non-profit organizations.  

“We see a lot of claims where clients do not back up their data, and do not encrypt their data. This is very dangerous,” Wong said. “Companies that do not have back up are not able to recover everything.”