This article was first published in the November/December 2016 China edition of Accounting and Business magazine.

Over a four-week period in May 2016, securities transactions amounting to more than HK$46m occurred at four local Hong Kong banks, without the account holders’ knowledge. In the same month, SWIFT revealed a US$12m theft by unidentified hackers via a series of false transfer instructions back in January 2015. If criminals can penetrate even the most sophisticated cybersecurity systems at this high level, imagine how vulnerable the average business is.

The economic cost of computer crime globally has been estimated at US$400bn a year but, to put that in a local context, attacks in Hong Kong increased by 85.4% per annum between 2009 and 2015. The cost to business is now estimated at HK$1.8bn. The toll rises when you also consider the intangible loss of customer trust and loyalty following an attack.

This stark picture is outlined in a new ACCA/Deloitte China joint report, Understanding the new cyber reality: information security study 2015. This shows that there is indeed ‘no place to hide’ from exposure to cyberattack, and that the risks are increasing day by day. 

For example, 41.8% of respondents from the manufacturing sector reported having experienced one or more information security breaches or incidents in the past 12 months. ‘This is not an obvious target sector for cyberattacks, but could highlight a higher than average level of vulnerability,’ states the report.

Beijing-based Ricky Tung, industrial products and services leader at Deloitte China, explains that unlike the financial services industry, attacks on traditional industries such as manufacturing tend not to be overly sophisticated or serious – but they can halt production and ‘are clearly affecting businesses with alarming frequency’. 

The volume of attacks is also high in life sciences and healthcare, with 40% of respondents from this sector reporting one or more information security breaches or incidents in the past 12 months. Sophisticated internet criminals have a huge appetite for the intellectual property of pharmaceutical companies, with not only the big players at risk. A study by US-based technology company Symantec Corporation found that more than half of the malware targeting pharmaceutical and chemical companies affected firms that employ fewer than 2,500 people, and 18% with fewer than 250.

As the high-profile Hong Kong banks and SWIFT cases indicate, the financial services sector is an increasingly prime target: as companies embrace technology developments in their quest for growth, innovation and cost optimisation, they are in turn exposed to heightened levels of cyber risk. 

The downtime resulting from cybercrime disruption can be considerable: although many of those surveyed said it took less than a month to fix a security breach or incident, there were plenty of examples of cases going well beyond this and subsequently incurring more costs. A separate study by Deloitte found that the average amount of time needed to resolve a cyberattack was 32 days, with an average total cost of around US$1m.

Nearly a quarter (22%) of respondents conceded that damage to the company’s reputation was one of the major impacts of security breaches. Beyond this is the risk of regulatory punishment. In the survey, 14% of respondents had experienced complaints related to non-compliance of data security measures or privacy breaches.

Lukewarm commitment

Worryingly, though, the researchers found only a ‘lukewarm commitment’ to information security among the Hong Kong and mainland China executives polled for the report. A staggering 40% of respondents, mostly CFOs and CIOs, from a wide spectrum of industries, did not even know if their organisation had a budget for information security.

‘Some of the well-established corporations and listed companies in both Hong Kong and China do have very good measures in place to defend themselves from cyber threats. However, the majority of companies still do not invest enough,’ says Eunice Chu, head of policy at ACCA Hong Kong. ‘In our survey, we found that 71% of respondents said their companies did deploy emerging technologies, such as mobile devices, analytics and cloud, to drive business growth. Yet 23% had allocated no budget to information security. This “adopt first, manage later” phenomenon could create significant challenges for the already insufficient information security to protect the future organisation.’

Eva Kwok, enterprise risk services partner at Deloitte China, believes that while companies are willing to spend on acquiring new technologies, investing in risk protection is a harder sell in the boardroom. ‘The outcomes are not as visible as other IT investments, especially when hot topics such as mobilisation, digitalisation, big data and cloud services are all on managements’ minds,’ she says. ‘The truth is that companies are exposing themselves to critical threats if they cannot improve information security in tandem with their technology adoption.’

Kwok is also surprised at the widespread perception that cybersecurity breaches only impact large organisations. ‘Criminals only have to find the weakest link in order to perform an attack,’ she says. And the growing propensity to BYOD (bring your own devices) to the workplace means that companies have more touch points than ever with external audiences – giving cyber criminals more potential entry points. Tonny Xue, national leader of cyber risk services at Deloitte China, says there is no such thing as standing still in the cyber environment, which is moving in many directions simultaneously. 

To mount an adequate defence against cybercrime, prevention from within is ‘a necessary starting point’, according to the report. Firms should adopt data loss prevention technology and security incident event management technology to locate, monitor and protect their data and network – wherever it is within the organisation – so that they know who is doing what, with what data, in real time.

Yet no company should think that it can go it alone. To bolster the work of an internal cyber security team, the report says, a third-party security consultant and product vendor engaged to secure, update and remediate a company’s cyber resilience ‘will be an effective approach for managing threats in the new cyber reality’.

Collective responsibility

Just as cyber threats are becoming more sophisticated and penetrating every aspect of the business, the report also asserts that managing such risks is no longer the sole mandate of IT departments or CIOs. Rather, it calls for collective responsibility.

Equally, it cannot be left to governments alone to increase regulation and give more powers of enforcement. Although regulators in Hong Kong and China are sharpening their focus on the legal infrastructure to support information security, firms need to take ownership of their own cybersecurity measures to ensure that they remain adequately protected. 

Professional accountants are well-positioned to help in dealing with risk management issues as they possess industry knowledge, and understand the overarching strategy and end-to-end business operations. ‘Accountants can help in identifying the critical assets that are at risk and require » protection, as well as assessing the cost-effectiveness of different security measures,’ Chu says.  

Through specialised training offered by ACCA, members will also have the necessary skillsets to quantify the potential financial, operational and reputational damage and regulatory penalties surrounding cybercrime. 

‘ACCA understands the challenges that future accountants face and is determined to equip them with necessary training and knowledge to deal with the challenges,’ Chu says. ‘Cyber and information security training is incorporated into ACCA’s examination syllabus to equip accounting students with essential knowledge. Ongoing seminars and workshops on various topics, collaborated with multinational technology companies, are offered to its ACCA students and members. With all these measures, our well-trained accountants would prove to be valuable assets to the future business world.’ It’s an issue the C-suite must address with due diligence, ownership and effective management, but also one of which all staff members should be fully aware. As noted in the report, sound defence against cyberattacks requires a joined-up effort across the firm, from the leadership to employees of all levels, supported by a comprehensive build-out of hardware and software.

Peta Tomlinson, journalist