Published: 01:37, October 11, 2023 | Updated: 09:49, October 11, 2023
Data security must be enhanced to foil threats
By Ada Chung

The past few weeks have been digitally challenging for Hong Kong and the rest of the world. Two public organizations have fallen victim to ransomware attacks within a remarkably short period of time. 

On an international scale, a prominent hotel and casino chain suffered a disruptive hacking attack in which a staggering 6 terabytes of data were reportedly stolen from its computer systems. Indeed, Check Point Software’s 2023 Mid-Year Cyber Security Report, published this August, revealed that the second quarter of 2023 saw an 8 percent surge in global weekly cyberattacks, the most significant increase in the past two years. 

The repercussions of these cyberattacks, including both the data leakage and the potential harm that may be inflicted on the data subjects, have undoubtedly raised significant concerns over online security and cybersecurity loopholes worldwide. As these incidents unfold, it has become vital to increase vigilance and to take proactive steps to address the looming threat before another cyberattack hits.

Fallout from cyberattacks 

Ransomware attacks, which involve hackers encrypting a victim’s data and then demanding a ransom payment in exchange for the decryption key, are one of the most common forms of cyberattacks. We cannot overemphasize the impacts of a ransomware attack, which can be devastating for the organization and individuals affected. 

For organizations, the potential disruption to their information systems and even business services may entail significant financial losses as well as damage to their goodwill and reputation. Fundamentally, the payment of a ransom does not guarantee that the malicious actor will actually decrypt the encrypted files. In some cases, even when the files are decrypted, the malware infection itself may not have been removed, meaning that organizations may incur additional costs to restore their information systems and files. The consequential loss of business data, which may include trade secrets or other intellectual property information, can be far-reaching.

The personal data leakage that may follow from a cyberattack affects data subjects to various degrees. In addition to the loss of sensitive personal data such as health records and credit card information, the exploitation of such information for illicit purposes, such as its sale on the dark web or its use in identity fraud, may cast a long shadow of potential harm and lingering concerns over the affected individuals. 

Take action now 

Hackers nowadays no longer only target behemoths. Small and medium-sized enterprises, which account for over 98.5 percent of the total number of enterprises in Hong Kong, have increasingly fallen prey to hackers, who exploit their relatively weak defenses, compared with those of larger corporations. It is incumbent upon all organizations, irrespective of whether they are public or private or of the scale of their operations, to take precautionary measures to strengthen the data security of their information systems to fend off malicious attacks. 

Data Protection Principle 4 of the Personal Data (Privacy) Ordinance requires data users to take all practicable steps to ensure that any personal data held by them are protected against unauthorized or accidental access, processing, erasure, loss or use. 

Organizations are recommended, for example, to regularly conduct data security risk assessments and to implement effective security measures to safeguard not only their information and communications systems but also the personal data in their control or possession to thwart potential attacks. They should consider securing their computer networks by using security devices or software such as firewalls and/or anti-malware applications. 

Organizations are also recommended to regularly conduct vulnerability assessments and penetration tests to detect existing or emerging threats, to implement patch management to fix security vulnerabilities in a timely manner, to encrypt data both in transit and at rest, and to separate database servers from web servers to protect internal servers in case the web servers are compromised. 

In this regard, my office issued the Guidance Note on Data Security Measures for Information and Communications Technology in 2022 to provide data users with recommended measures to enhance data security and mitigate emerging threats. I believe that these practical measures can help organizations stay one step ahead of evolving cyber threats.

In addition to strengthening information security measures, heightened awareness and proper training and communication with staff are of equal importance, as a staffer’s simple click on a phishing link may lead to malicious attacks on the organization’s information systems. As an organizational measure to enhance data governance, organizations should establish a personal data privacy management program to ensure their responsible collection, holding, processing, and use of personal data. They should also appoint a data protection officer to ensure compliance with all legal and internal risk control requirements. Otherwise, as Benjamin Franklin said, “By failing to prepare, you are preparing to fail.”

Uniting for cyber defense

The escalating number of cybersecurity incidents is a wake-up call to everyone. In the age of global digitization, businesses and organizations, regardless of their scale, face similar risks of cyberattacks. It is imperative for all parties involved, including the management and employees of organizations, to unite and work hand in hand to proactively defend against the upcoming waves of cyber threats. 

There is no better time to start than now.

The author is Hong Kong’s privacy commissioner for personal data.

The views do not necessarily reflect those of China Daily.