Cyber attacks are a growing concern for companies around the world. Hong Kong company directors need to understand the threat, and what steps can be taken to protect their companies against them.
Is your company at risk?
Any company that stores valuable intellectual property or business secrets, or if they handle large volumes of personal data, can be a target for data theft. Further, companies whose daily operations are dependent on IT systems, for whom e-commerce (internet online business) is an important revenue stream, or whose revenue is otherwise dependent on customers accessing their public facing websites are at risk from cyber sabotage or denial of service attacks. Cyber attackers are increasingly focusing on small to medium size enterprises who, although they hold sensitive or valuable information, are less likely to have the IT security infrastructure of larger corporations.
What is the threat?
Data theft and sabotage are common threats, however, cyber criminals are increasingly targeting companies with cyber ransom attacks in which they penetrate a company’s IT infrastructure, lock down key systems and demand a ransom to release them back to normal operation. Cyber criminals may secretly take over control of computers and use them to launch attacks on other computers or networks. And sometimes attackers’ objectives are simply to embarrass the target company. Cyber attack remediation can be quite costly and reputational damage can be severe. The loss or exposure of sensitive information can be particularly damaging for companies which invest heavily in development and for whom knowledge is their principal asset. Cyber attacks can be perpetrated by hobbyists, hacktivists with a political agenda, or they can be organized and funded by nation states with an interest in stealing sensitive data, intellectual property or spying on a particular organization. And increasingly, organized crime are realizing the money making possibilities of cyber crime through computer fraud, data theft and cyber ransom requests. Emboldening these attackers is the relative anonymity and safety that the internet provides. Even if an attacker can be identified, if he is located in a foreign country it may be very difficult to seek redress against him. Denial of service attacks can take down a public facing website without needing to compromise network security, but to access the information and systems inside a network, hackers need to breach the IT estate. “Phishing” emails designed to trick employees – often senior officers – of a company into clicking on a malicious file or weblink are a common way to infect target company computers. The infected computer then becomes a launching point for wider incursions into the corporate network or other networks. Further, as more and more corporate employees store data on their mobile devices, cyber attacks are increasingly targeting these devices to access that data or gain entry into the wider network.
What are your duties as a director?
The new Companies Ordinance (Cap. 622) codifies a director’s long established duty of reasonable care, skill and diligence. And a director’s performance of this duty is measured not against his or her own knowledge, skill and experience, but against the knowledge, skill and experience that one would reasonably expect a Hong Kong company director to have. A director’s failure to properly assess the risk of cyber attack and take precautions against it could be viewed as a failure to meet this standard and could expose the director to civil liability . The Personal Data (Privacy) Ordinance (Cap. 486) requires companies holding customer or employee personal data to take all practical steps to ensure that such data is protected against unauthorized or accidental access, processing, erasure, loss or other use. Companies failing to implement these protective measures may be exposed to the risk of investigation and the issuance of an Enforcement Notice by the Privacy Commissioner, or they could face a civil claim by affected data subjects. Directors should also be aware of industry-specific guidelines on cyber security, such as the Hong Kong Monetary Authority’s guidelines on Strengthening Security Controls for Internet Banking Services and Customer Data Protection (2009). Further, if a company is attacked, directors should consider whether their company has a duty to disclose the attack. In April 2012, the United States Securities and Exchange Commission (“SEC”) clarified that future filings of listed companies in the United States must disclose if a company has experienced a cyber attack and/or security breach. In Hong Kong, the Securities and Futures (Amendment) Ordinance of 2012 (“SFO”) requires that listed companies disclose “inside information”, which includes information about a corporation that is “not generally known to persons who are accustomed or would be likely to deal in the listed securities of the corporation but would if generally known to them be likely to materially affect the price of listed securities.” A person in breach of this disclosure requirement is liable to compensate by way of damages any other person for any pecuniary loss they have sustained as a result of the breach. The Securities and Futures Commission in Hong Kong has not issued guidance regarding cyber attacks of the sort issued by the SEC, but it is likely that a significant attack would qualify as inside information under the SFO.
What common mistakes do companies make?
1. Passive Approach / Complacency Many companies stick their heads in the sand hoping they will never be attacked. Unfortunately, with the increase in cyber attacks, it is no longer a question of “if” a company will be attacked, but rather “when”. Companies need to take pro-active steps before they are attacked to assess the risk and implement an IT security strategy. Avoid being the “low lying fruit”. A good start is to make a detailed security assessment of the company’s IT estate, to assess the company’s vulnerabilities and determine whether the company may already have been attacked. Many companies only learn of an attack months or years after it has occurred, if they ever find out at all. Companies should take an inventory of their valuable and critical information assets and consider what efforts they are willing to make to protect these assets. Commissioning a third party assessment of a company’s IT security and potential exposure can be very useful. An essential part of such audits will be to understand what servers are operating within the corporate network, where they are located and what data they contain. Security consultancies can also be engaged to perform penetration testing to determine the strength of a company’s IT defences, and whether employees are following IT policies. 2. Lack of Engagement by Management Companies with any valuable information assets or Internet presence need to include cyber security as part of their business models. Too many companies outsource the function to their IT departments, put it in a drawer and forget about it. Corporate boards include experts in finance, sales, marketing, compliance, etc., but there tends to be fewer people with experience and understanding of IT issues and the potential exposures. Cyber security needs to be regularly discussed at the highest levels. Management needs to receive and review frequent and adequate cyber risk reports. Managing cyber risk is a business critical activity and cannot be relegated to an “IT issue”. Boards should consider giving one director or high level officer ultimate responsibility for cyber security, and also the authority to take the steps necessary to ensure it. 3. Over-reliance on Technology Reliance on technological security measures such as antivirus software is not enough. Companies need to tackle cyber security through comprehensive organization-wide security measures and policies. Robust technical measures need to be combined with a well structured control environment. Companies should make sure updated Internet and device usage policies are in place and clearly communicated, and also make sure that employees are following them. One infected computer can serve as the gateway for wider incursions into a network and the unfortunate reality is, regardless of what technical security measures are in place, employees remain an ever present weakness in a company’s IT estate. 4. Failure to Stay on Top of Threats Security threats are constantly changing and new ones are emerging daily. 21st Century Directors need to keep abreast of the changing threat landscape by monitoring the great volume of publically available information on emerging cyber risks. Companies in some industries even share information to ensure better overall preparedness. Companies should also regularly re-assess their Internet and device usage policies.
What other Steps can a Company take?
- Mobile devices – The increased use of mobile devices greatly increases a company’s threat surface. Companies should keep detailed logs of all devices in use within the organisation to better understand potential points of vulnerability. Companies should also implement end-point security measures and policies to deter and prevent employees from connecting personal devices into work computers.
- Monitoring – Many cyber attacks go undetected because companies do not pro-actively monitor their network logs. Sophisticated attackers can often conceal their activities in a breached network, but most attacks are relatively easily detected through careful review of network activity logs.
- Plan for resilience – Companies should take steps not just to prevent security breaches, but to minimize the impact of these breaches and make it easier for a company to recover from them. Minimizing employee access privileges within a corporate network can make it harder for an attacker to access sensitive data and other areas of the network if an employee’s computer or corporate account is compromised. The use of physical authenticators (such as passcards or USB keys) can also hinder unwelcome incursions into the corporate network.
A company’s network architecture can also be compartmentalized to prevent a breach of one part of the network from compromising other parts of the network. Further, encryption should be used as much as possible on both devices and data. Encryption makes data harder to access, but importantly also makes it harder to search. An attacker cannot steal what he cannot find.
- Be responsive – Once an attack is detected, swift response is essential. Companies should have clear response plans in place detailing who is responsible and what actions they should take in response to varying forms of attack.
- Hardware management – Companies should consider the physical safety of data centers housing their servers and data, but should also ensure that devices are adequately wiped or destroyed when they are retired. If external service providers are employed for either of these purposes they should use the proper security precautions. Further, devices in use within a company should only be purchased from reputable vendors to avoid supply chain corruption problems.
- Cyber insurance – Insurance companies have developed cyber risk insurance packages to mitigate the losses suffered and costs arising from cyber attacks. Insurance can play a key part in a company’s cyber security plan.
Attacks against smartphones have increased dramatically over the past year. Both the volume of malware and number of attack strategies used have increased dramatically. This trend, paired with the increased use of personal devices in the workplace, has greatly expanded the threat surface of the average company. “Spear-phishing” attacks against high level officers and board members are also becoming more common. Attackers research the target and send tailored emails designed to trick him or her into clicking on a malicious link or attachment. Senior officers are preferred targets because of their greater access privileges within the corporate network, however, even low level employees clicking on the wrong link or attachment can put the corporate network at risk. Companies around the world are realizing they need to pay more attention, and dedicate more resources to cyber security. The key lesson for directors of Hong Kong companies is that they should be pro-active in dealing with the threat of cyber attack – not only to meet their duties as directors, but also to ensure that their companies do not become the “low lying fruit”. Cyber security is a key part of running today’s companies and should be embraced organisation-wide – from the mailroom all the way to the C-suite. * This article was initially published in The 21st Century Director, the official magazine of HKIoD (The Hong Kong Institute of Directors)