Small and Medium Enterprises (SMEs) in Hong Kong SAR have a low level of confidence in their employees’ ability to manage cyber risk, according to a survey by Chubb.
The second, annual Chubb SME Cyber Preparedness Report 2019 – Ignorance is Risk – found that three-quarters (76%) of SMEs surveyed experienced a cyber incident in the past 12 months.
Despite the high number of cyber incidents, half (50%) of Hong Kong SME leaders do not think their employees are aware of all the cyber threats they face.
Forty-one percent of SME leaders say there is no consistent understanding across their organization of what cyber risk means. Moreover, 38% of SME leaders are not confident that all their employees who have access to sensitive data are fully aware of their data privacy responsibilities.
“Building awareness among employees is more important than ever. Employees are both the biggest risk and greatest opportunity for SMEs looking to improve their cyber defences,” says Andrew Taylor, cyber underwriting manager, Chubb Asia Pacific.
“Being the organization’s first line of defence, they can play a critical role in detecting and preventing breaches. Not investing in upskilling employees on cyber risk is a missed opportunity,” he notes.
The Customer Comes Last
In the wake of a major cyber incident, SMEs are most concerned about the effects on their relationships with customers (51%), but less so than in 2018 (64%). This is followed by worries around revenue and sales (49%), company profits (46%) and market reputation (46%).
Despite these concerns, after a cyber incident, more than a third (34%) of SMEs reviewed their security protection but took no future action, with only 11% making any attempt to recover breached data files.
“This apparent lack of concern is puzzling,” adds Taylor. “It points to the over-confidence we found among SMEs in overcoming cyberattacks. However, this leaves the door wide open for malicious attacks, future breaches and inadequate incident response.”
The Need for Speed
Positively, SMEs in Hong Kong were faster to respond to cyber incidents compared with a year ago, with 71% of businesses resuming operations within 12 hours following a cyber incident. This is a significant increase from 62% in 2018.
More than two-thirds (69%) of SMEs communicated to affected stakeholders within 72 hours, compared with 62% in 2018.
Although the study reveals that Hong Kong businesses have improved their incident response time, more than half (54%) still do not have a proper data breach response plan in place.
Insurers Have a Role to Play
While SMEs in Hong Kong are becoming more aware of cyber risks, the report shows that proactive protection measures remain largely inadequate. Nearly a third (32%) of SMEs in Hong Kong did not purchase cyber risk insurance before or after experiencing a cyber breach. Close to half (45%) do not fully understand the insurance solutions available to them.
“With SMEs making up 98% of all businesses in Hong Kong, the number of businesses covered by cyber insurance is worryingly low,” says Stanley Wong, president, Chubb Hong Kong SAR, Taiwan and Macau SAR.
“There is a misconception that smaller businesses face less cyber risk than larger companies, when in fact the opposite is true. A large cyber incident could spell the end of a small business and leave them open to significant third-party liabilities. With three quarters of SMEs experiencing a cyber incident in the past 12 months, there is an urgent need for all businesses to protect themselves,” he adds.