Deloitte/ACCA survey shows lukewarm commitment to information security by Mainland and Hong Kong companies
Published: 13 September 2016
Commitment to information security is only lukewarm among companies in Mainland China and Hong Kong, with nearly one-fourth of respondents’ organisations having no budget for this priority area over the next three years. A staggering 40 percent of respondents (most of them CFOs or CIOs) do not know whether their organisations have earmarked a budget for information security, according to the joint report by Deloitte China and ACCA (the Association of Chartered Certified Accountants).
In response to digitalisation, companies are changing their business models and processes by establishing multiple touch points for stakeholders to interact with them through the internet and social media. These new channels have enabled companies to better engage with their customers, but have also exposed them to cyber attacks – which can cause both tangible and intangible damage to their businesses. With that in mind, Deloitte China and ACCA decided to conduct a survey to understand what cyber attacks companies had experienced in this marketplace and how they were reacting to these threats. The survey covered 300 individuals in Mainland China and Hong Kong – most of them CFOs and CIOs from a wide spectrum of industries.
“Companies are willing to invest in new technology, which has clear benefits for business growth. When it comes to risk prevention, however, it may not be something that can be easily promoted in the boardroom. The truth is that companies are exposing themselves to critical threats if they cannot improve information security in tandem with their technology adoption. It becomes more complicated to handle the situation as emerging technologies such as mobile devices and cloud have become increasingly ubiquitous in our daily life, meaning that companies are having more touch points than ever with external audiences,” said Eva Kwok, Partner, Enterprise Risk Services, Deloitte China.
The report showed that no industry can get away from the potential threat of cyber attacks, with some companies having experienced as many as two or more cyber incidents per month on average. Interestingly, however, only 28 percent of respondents’ organisations had experienced an information security breach or incident in the past 12 months. In Hong Kong, computer crime has become more rampant, with the number of cases growing at a compound annual growth rate of 28.8 percent between 2009 and 2015. During the same period, financial losses due to technology crime increased by 85.4 percent annually, reaching a historical high of HK$1.8 billion.
Survey respondents can name some of the cyber threats and information security challenges, such as information leakage, lack of documented guidelines, privacy complaints, hacktivism, and lack of compliance with privacy regulations. However, only 50 percent of the respondents’ organisations had executive responsibility for enterprise-wide information security, and 60 percent of the organisations do not provide training to employees to raise their information security awareness.
When it comes to efficiency in dealing with a security breach or incident, many respondents said it took less than a month to rectify the problem. However, there were plenty of examples of incidents going well beyond this and subsequently incurring more costs. “A lack of preparedness can often explain the slow response, which can exponentially increase financial loss and give rise to other negative impacts such as reputation damage and loss of sensitive data,” said Ms. Kwok, citing a separate Deloitte study as saying that the average amount of time needed to resolve a cyber attack was 32 days, with an average total cost of a little more than US$1 million.
The report also covered the legal aspect of cyber security risks, highlighting the increasing focus among regulators in Hong Kong on enhancing the legal structure to support information security. In the survey, 14 percent of respondents experienced complaints related to non-compliance with data security measures or privacy breaches. The tightening of regulations is expected to drive development of structure and processes around cyber security.
Eunice Chu, Head of Policy of ACCA Hong Kong, concluded, “Cyber security is a complex issue. It can only be handled properly when companies and individuals understand they play an important role and take ownership of their responsibility, because neither governments and law enforcement nor IT professionals can be solely relied upon to provide adequate protection. While everyone’s effort is counted towards consolidating the new frontier of cyber security, accounting professionals are well-positioned to contribute through identifying the critical assets for protection, defining levels of access rights and assessing the cost-effectiveness of security measures. ACCA is committed to equipping its members with the necessary training and knowledge to deal with all these new challenges.”