LCQ11: Information security level in Hong Kong
Following is a question by the Hon Sin Chung-kai and a written reply by the Secretary for Commerce, Industry and Technology, Mr Henry Tang, in the Legislative Council today (March 19):
Question:
In December 2002, Information Technology Services Department, Hong Kong Computer Emergency Response Team Coordination Centre ("HKCERT") and Technology Crime Division of Commercial Crime Bureau of Hong Kong Police Force jointly presented the Information Security Survey 2002 in which local small and medium enterprises ("SMEs") were the target respondents. According to the survey findings, financial losses amounting to HK$1.84 million were incurred by the interviewed companies due to computer attacks in 2002, an increase of 20.5% compared to that in 2001. Only 3.1% and 0.3% of the victim companies had reported the computer attacks to HKCERT and the Police respectively. The key reason for not reporting to HKCERT was "unaware of HKCERT" (71.5%) whilst the main reasons for not reporting to the Police included "trivial, no need to report" (55.7%); "unaware that it could be reported" (19.4%) and "don't think police can help" (14.5%). In this connection, will the Government inform this Council whether:
(a) it has assessed the impact of computer attacks on the economy of Hong Kong (such as financial losses and reduction in competitiveness); if so, of the assessment results;
(b) it has conducted regular assessments on the level of information security in Hong Kong; if so, of the assessment results; if not, the reasons for that;
(c) it has reviewed the work of HKCERT and the Police in combating computer crimes and preventing computer attacks in the light of the survey findings; if so, of the outcome of the review; if not, the reasons for that; and
(d) it has formulated policies to assist SMEs in enhancing their capability in information security; if so, of the details of such policies; if not, the reasons for that?
Reply:
Madam President,
(a) The Hong Kong Productivity Council, which operates the Hong Kong Computer Emergency Response Team Coordination Centre ("HKCERT"), has conducted an annual survey since 2000 (the survey last year was conducted by HKCERT in collaboration with the Information Technology Services Department (ITSD) and the Hong Kong Police Force (HKPF)) to gather information on information security technologies adopted by local companies and the extent and impact of computer attacks experienced by them, so as to assess the latest situation about information security in Hong Kong.
As regards the impact of computer incidents on the economy of Hong Kong, the survey conducted by HKCERT last year showed that among the interviewed companies which had set up servers or websites, 326 had encountered computer incidents within the 12 months before the survey. The total financial loss amounted to $1.84 million, i.e. about $5,600 per victimized company (73.7% of the financial loss was due to virus attack). The impact on the economy of Hong Kong was not considered serious.
(b) Results of the above-mentioned survey conducted in the past three years revealed that the overall information security level in Hong Kong has improved. In 2002, 90% of the interviewed companies had adopted information security technologies to protect their computer systems and information, representing a slight increase over the 88% in 2001. According to the 2002 survey, the most popular security technologies adopted were anti-virus software (80.9%), password (57.7%), physical security (49.9%), firewall (25.7%), etc. There is also a decreasing trend in the number of information security incidents. The number of computer incidents experienced by the interviewed companies (about 3 000 companies were interviewed in each of the surveys conducted in the past three years) within the 12 months before the survey decreased from 1 510 in 2000 to 1 387 in 2001, and further to 1 095 in 2002.
The survey conducted by the Census and Statistics Department last year on the penetration and usage of information technology in the business sector also covered information security. The findings are similar to those of the HKCERT survey.
Besides, ITSD and HKPF maintain close contact with information security experts around the world to collect latest information on information security. They also hold regular meetings with these experts to discuss the development and other issues relating to information security and computer-related crimes both locally and globally, so as to help assess the information security level in Hong Kong.
(c) As revealed by the HKCERT survey, while the overall information security level in Hong Kong has improved, most of the small companies have only adopted basic information security technologies. The impact of computer incidents (in terms of the proportion of computers in a company affected) on small companies is also greater than that on large- and medium-sized companies. Also, as can be seen from the actions taken by the interviewed companies after occurrence of computer incidents, there is a need to enhance local companies' awareness of information security and computer incidents.
In view of this, ITSD, HKPF and HKCERT have stepped up public education and related support services to help various sectors, especially small and medium enterprises (SMEs), enhance their knowledge about information security and measures to prevent computer incidents, as well as their capability to deal with such incidents.
On combating computer crimes, the Police has upgraded its facilities required for investigation into such offences. For example, the Computer Forensics Laboratory, set up at a cost of $4 million with world-class facilities to handle evidence in IT-related offences, has been in operation since September 2002. In addition, the Police will continue to conduct exchanges with the industry on computer forensics, arrange training for its investigation officers to enhance their capability, and maintain close contacts with local and overseas enforcement agencies to facilitate exchange of intelligence and expertise.
The Police will also continue to enhance the knowledge of the public about computer crime prevention through various channels, such as organising activities with business associations to educate the youth on prevention of computer crimes, setting up web sites to disseminate information on prevention of computer crimes, and organising various types of seminars in collaboration with the industry to enhance the industry's awareness of, and strengthen its efforts to prevent, computer crimes.
(d) We will work with industry organisations to enhance SMEs' information security capability. Major initiatives include:
* ITSD has produced publicity materials on information security and distributed them to various sectors, including SMEs, for reference. In collaboration with industry support organisations, ITSD has organised exhibitions and seminars to enhance public awareness of information security.
* In September 2002, ITSD launched an INFOSEC website (www.infosec.gov.hk), a one-stop portal which provides resources and latest news on information security, introduces the services of HKCERT and related organisations, and encourages enterprises and the public to report computer-related crimes. The SME Corner in the website is tailor-designed for SME computer users, providing them with easy access to information related to their business.
* HKCERT issues alerts on security risks and computer virus through its website (www.hkcert.org). It has also set up a support hotline for different sectors of the community, including SMEs, to report and make enquiries on information security and computer incidents.
* HKCERT introduced in January this year a new free-of-charge short message alert service. With this service, enterprises and the public can receive alerts on security risks and computer virus through mobile phones.
* HKCERT, ITSD and HKPF are compiling jointly a Handbook on Information Security specifically to enhance SMEs' awareness of information security. The Handbook will be distributed in mid-2003.
* HKCERT is working with local trade organisations in different sectors to co-organise briefing sessions for their members on information security and computer incidents, so as to enhance the knowledge of SMEs in this regard.
* ITSD is producing two series of short public education programmes on information security, for broadcast on television and radio respectively later this year, to strengthen public awareness of information security.
Wednesday, March 19, 2003
- END -