Hong Kong organisations could be easy targets amid an uptick in cyberattacks expected in the second half of the year, according to cybersecurity consultancy Kroll, which blamed low awareness of how to monitor for threats and the city’s outdated data protection law.

Financially motivated cyberattacks have been on the rise in recent weeks, with ransomware and email attacks being the most common types, said Paul Jackson, regional managing director for Kroll’s Cyber Risk practice in Asia-Pacific (APAC).

“Hong Kong and the rest of APAC will be targeted, because historically we’ve had a lower maturity in cybersecurity and the bad guys are always looking for easier targets,” said Jackson, a two-decade veteran of the Hong Kong Police Force who left the force in 2010.

Jackson served multiple roles with the Hong Kong police, including the Chief Inspector and Head of Computer Forensics.

The uptick in cyberattacks came after a relative lull, as attacks declined in part because of Russia’s invasion of Ukraine, according to Jackson. A significant portion of financially motivated organised cybercrime originated in the region, he said.

Kroll has also seen a return of attacks on healthcare organisations, which Jackson said had fallen during the pandemic possibly because criminals chose not to target them, as they were overloaded by the health crisis.

In the second quarter, cyberattacks on healthcare organisation increased 90% globally from the previous quarter, according to Kroll’s Threat Landscape report published last week.

The previous drop in cyberattacks should not “put a false sense of security in the minds of leaders in Asia”, Jackson said.

“Unfortunately, Hong Kong still has a very low awareness of how to effectively monitor (cyber threats), and I would say a very small percentage of companies here are doing a good job of monitoring,” he said. “And we haven’t been helped by the fact that we have outdated data protection laws.”

Hong Kong was once considered a leader in data protection, with a data law dating back to 1996. However, the Personal Data (Privacy) Ordinance has barely been updated since. With the introduction of the European Union’s General Data Protection Regulation, which took effect in 2018, and last year’s Personal Information Protection Law in mainland China, Hong Kong’s law has started to look outdated by comparison.

Hong Kong does not require user consent for the collection and processing of personal data, and there are no legal obligations for reporting data breaches. The local government proposed a new cybersecurity law in May, which is expected to improve the city’s resilience against cyberattacks.

“These are welcome changes, the enhancements to the laws,” Jackson said. “It’s been a long time since the law was changed, and it’s a good move for Hong Kong as a business centre.”

According to the latest report from the Hong Kong Computer Emergency Response Team Coordination Centre, an agency tracking cyberattacks in the city, cyberspace threat detections increased more than 20% in the first four months in 2022 from the same period last year. – South China Morning Post