Editorial | More must be done in Hong Kong’s cybercrime campaign

Review by Hong Kong police reveals how critical infrastructure operators are vulnerable to online attacks

Far too many companies in Hong Kong have left themselves vulnerable to cyberattacks, according to a new police review that should warn all operators to immediately step up their game. Regular security checks are required by law for private firms with infrastructure deemed “critical” for the normal functioning of society. The rules in place since March apply to an undisclosed list of players in sectors such as energy, information technology, banking, communications, maritime, healthcare and transport.

Police recently found that about 5 per cent of publicly accessible technology assets owned by such operators were vulnerable to online attacks. A first-of-its-kind review turned up loopholes in 4,500 out of 90,000 pieces of technology assets examined. The force also revealed that it had received over 440,000 pieces of intelligence on cyberthreats targeting the city last year. Hacking cases have been rising, with losses surging over the past two years. Greater diligence is required.

Regulated firms have more than just a fear of hackers to prompt better security. Under the law, they may be fined up to HK$5 million for failing to keep their systems up to date. The companies are also now obliged to notify authorities of any breach within 12 hours.