Jason Yau, Partner, IT Consulting & Audit and Assurance, RSM Hong Kong, maps out a series of concrete measures to help combat cyber risk, charting a course of action for company secretaries to confront cybersecurity exposure and comply with regulatory stipulations.

Cybersecurity has become a hot topic of conversation over the past few years across a wide range of industries in both the private and public sectors. The frequency, velocity and severity of data breaches, especially from external hackers, intensified in 2019 and there is no evidence of it slowing down.

Confronting the rise of data breaches

According to Verizon’s 2019 Data Breach Investigations Report, there is a significant uptick of data breaches initiated by external hackers, whereas past data indicates that the ratio between external hackers and internal intruders was about 50:50. What this latest observation by Verizon means can be interpreted as follows: (1) organisations are doing a much better job in implementing proper preventive controls against intruders from within, and (2) external hackers with malicious intent are getting more sophisticated with their technical hacking techniques and social engineering skills.

Because of the emergence of professional external hackers, regulators the world over are keen on enacting more rules and regulations to ensure organisations are doing enough to defend themselves against cyber risks, while organisations are scrambling to keep up with the ever-changing cyber landscape and to implement controls that meet the expectations of regulators, management, customers and other stakeholders. The pressure on the board of directors, corporate secretaries and senior management to properly address cybersecurity risk as part of an overall risk management strategy is accelerating.

We are living in a digital age where data is rapidly becoming the most valuable commodity in our world and whoever can capture, generate, process and analyse data in the most efficient and effective manner will enjoy a distinctive advantage over the competition. With data turning into gold, external hackers and internal intruders with malicious intent are being incentivised to penetrate organisations to steal valuable data such as personal information, board minutes, corporate strategy documents, and pricing and customer data, as well as other intellectual property. Standard hackers will sell the information on the dark web, where smart hackers can potentially use the insider information to reap lucrative profits in the financial markets.

Recent data breaches, including those of British Airways and Capital One, have caught the eye of management boards because of the potential impact on stock prices and corporate earnings. Other risk exposures relating to data breaches from a corporate governance perspective include reputational damage, intellectual property losses, lost productivity, damage to corporate culture and even potential litigation. As such, it is imperative that company secretaries – as well as the boards of directors – take relevant action to confront cybersecurity exposure as it relates to reputational, compliance and privacy risks.

Compliance with regulatory stipulations

As more and more jurisdictions come out with their own cybersecurity laws and data privacy regulations, it is vital that company secretaries guide their boards of directors to address all potential compliance risks to which the organisation is exposed, as well as help ensure they comply with all the relevant regulations. A number of significant regulations have been enacted and become effective in recent years, including the General Data Protection Regulation (2018) in the European Union, the Cybersecurity Law (2017) in the mainland of China, the Macau Cybersecurity Law (2019) in Macau and the Cybersecurity Act (2018) in Singapore. As for Hong Kong, there are industry-specific regulations and guidelines for banking, financial services and insurance from the respective regulators, including the Hong Kong Monetary Authority, Securities and Futures Commission and Insurance Authority.

The aforementioned laws, regulations and guidelines have extremely burdensome requirements, compliance with which demands that management works closely with the legal and IT departments to implement necessary changes within an organisation. Any violations can potentially lead to hefty fines and penalties and, more importantly, significant business disruptions, reputational damage and the necessity of dealing with regulatory investigations should there be a data breach due to non-compliance.

Preventive measures

Much recent empirical research and academic study compares the cost of implementing preventive measures against the cost of performing corrective action. Although there is no ‘one-size-fits-all’ type of research, with a derivative cost ratio between preventive and corrective controls, the analysis all points to the same conclusion, which is that preventive measures cost significantly less than corrective action.

Other than the financial costs, some of the unmeasurable costs relating to a data breach can involve employee turnover, time spent on regulatory or legal matters, loss of customer and stakeholder confidence and brand damage.

Understanding and refraining from bad practices

We can categorise our observations on ‘bad practices’ into those carried out by IT departments and those performed by employees.

Bad IT department practices:

• implementation of poor password requirements and authentication rules
• lack of awareness of the latest cybersecurity and data privacy regulations
• poor network structure design and default system configurations
• inadequate preventive and detective IT solutions
• no corrective controls or action planning (such as business continuity or disaster recovery planning), and
• lack of data log and periodic reviews.

Bad employee practices:

• ignoring batches or security update messages
• downloading applications from an unauthorised source (such as input methods)
• opening and replying to phishing emails without employing a sceptical mindset
• opening attachments from unconfirmed sources sent to personal email accounts on work machines
• using unencrypted USB and other portable storage devices for sensitive company information, and
• using instant messaging services or social media to share company information.

Implementing detective and preventive controls

An IT department alone will not be able to plug all the holes within an organisation from a cybersecurity risk perspective. Strong IT governance requires that the leadership team sets the right tone from the top and that everyone within the organisation enhances their security awareness, as well as actively addresses the risks through small steps.

Ongoing security awareness education and the sharing of observations from the IT department are also essential for keeping employees up to date about potential cyber risks. With a collective effort across the organisation as part of the detective and preventive controls, along with a strong IT security culture, it will be a lot harder for hackers to achieve their goals.

Practical tips for combating cyber risk

The process of identifying and combating potential hacking risks in our daily work is greatly facilitated by paying attention. The following is a list of practical tips of what to look out for:

• internet traffic is suddenly and suspiciously increased
• computer gets extremely hot without any usage
• alert about a security solution, such as an antivirus or firewall, being disabled
• appearance of unfamiliar desktop icons
• extremely slow machine boot-up process
• downgraded system performance
• unexpected pop-up windows from browsers or taskbar
• unexpected software installation
• unexpected sounds from the machine, and
• random connections to unknown websites.

If your computer encounters any of these situations, it is strongly recommended that you get your IT department involved to perform detective and corrective measures.

A number of other suggestions should be followed to help prevent a potential data breach.

Password and encryption:

• use multifactor authentication
• use advanced passwords
• check your social media security settings
• protect your phone and gadgets with strong passcodes
• use encryption on portable storage devices
• verify the encryption function on mobile device apps, and
• lock your machine (use both physical and logical locking).

Staying alert:

• be suspicious of emails
• check hyperlink locations
• never open attachments from an unconfirmed source
• put a sticker or sellotape over any unused webcams
• be vigilant about suspicious connectivity
• on public wi-fi, avoid accessing sensitive accounts or sharing personal data, and
• back up your data.

Conclusions

The following phrase is commonly used amongst IT security experts: ‘Data breaches are not a matter of if, but a matter of when.’ Cybersecurity is increasingly becoming a business risk and not just an isolated IT problem; a collaborative approach is now needed in order to tackle cybersecurity risks and data threats.

It is essential that the company secretary takes the initiative to emphasise the significance of putting cybersecurity firmly on the board agenda. In addition, the board should consider employing someone in a chief information security officer role to drive the IT risk culture. The leadership team must recognise that the ad hoc or reactive approach to dealing with cybersecurity risk no longer works in today’s cyber environment. An integrated action plan with a proactive attitude and a proven security framework is indispensable to get buy-ins from all business users. Along with a strong corporate culture and an internal-control mindset, IT risk management and digital transformation will set the foundations for the next-generation business model, which will in turn enhance the value of the brand and the company.

Jason Yau, Partner, IT Consulting & Audit and Assurance RSM Hong Kong Jason is a US CPA and Certified Information Technology Professional certified in the state of New York. He is Head of Technology and Management Consulting (TMC) at RSM Hong Kong, having established its TMC division to focus on providing high-quality IT solutions to corporate customers, including the implementation of enterprise resource planning and customer relationship management systems, cloud strategy, IT risk assurance, infrastructure, hardware implementation and computer forensics.