OGCIO
28-08-2020

Welcome Remarks by Mr. Jason Pun, Assistant Government Chief Information Officer (Cyber Security & Digital Identity), at the “12th InfoSecurity Virtual Summit 2020 Hong Kong”

Distinguished guests, ladies and gentlemen,

Good morning! I am delighted to join you all today at the 12th Annual InfoSecurity Summit 2020. The promise of technology has, in many ways, drawn us closer together. This year, the summit is held as a virtual event. This enables information security professionals across industries and geographical locations to assemble in the cyber space and share the latest security trends and insight into emerging technologies. I would like to extend my warmest welcome to all participants of this event.

The recent outbreak of the COVID-19 epidemic has brought serious disruptions to a wide range of economic activities. It is crucial for businesses to realise the potential of digital transformation and adopt technology in their operations to cope with the challenges. To support companies to continue with their business, the Government launched the Distance Business Programme (or D-Biz in short) under the Anti-Epidemic Fund for local companies to adopt IT solutions to support remote working and services. Companies can also apply for the funding to adopt cyber security solutions to step up the protection of their IT systems.

While digital transformation helps organisations become more agile to the changing lifestyle of their clients, they should also beware of the challenges of cyber threats that would inevitably come along. According to the Hong Kong Computer Emergency Response Team, which is financially supported by the Government and is responsible for handling local computer security incidents, there were over 4 300 incidents reported in the first half of 2020. Although this is lower than the figure of about 5 000 for the same period in 2019, we all have no room for complacency.

Looking at the breakdown figures, phishing is the most imminent cyber security risk, causing more than one-third of all security incidents of the first half of 2020. In order to tackle phishing attacks, every one of us should always exercise vigilance in handling information we receive. Once deceived by phishing attacks, we could possibly become the next victim with outcomes like losing personal or valuable business information, suffering monetary loss or even disruption to business. Taking this opportunity, I would like to share with you some initiatives taken by the Government in guarding against cyber attacks. I put them as EPP, i.e. education, partnership and prevention.

First, education. The most effective way to protect your organisation from cyber threats including phishing attacks is user education. It is becoming an industry practice to conduct phishing simulation to raise awareness of staff. We also launched the “Government-wide Phishing Drill Campaign” last year to promote the awareness of phishing emails among government personnel. In this campaign, we sent out over 1.7 million simulated phishing emails to over 100 000 government staff members. If the hyperlinks in these emails were clicked on, immediate feedback explaining the proper way to handle emails would pop up. After several rounds of simulation, we saw a significant reduction in the number of staff members deceived by such simulated emails. The campaign also featured seminars, a thematic website, training videos and quizzes to help with the education. Here, I would like to encourage your organisations to conduct similar simulation exercises to increase staff awareness of phishing attacks.

There is also a growing trend of smishing attacks that use text messages for scamming – S M I S H I N G is a word blending “SMS” and “phishing”. During the epidemic, there were criminals pretending to be official institutions or medical service providers to spread vast numbers of smishing messages over social media platforms in order to carry out money fraud, steal personal data and spread malware. We should always be aware of the various forms of attacks, especially on social media platforms nowadays, in order to take preventive measures.

Second, partnership. In the age of cyber “insecurity”, it is imperative for stakeholders to collaborate in their defence against cyber threats. The Government has been playing an active role in synergising the local efforts. OGCIO launched a two-year Pilot Partnership Programme for Cyber Security Information Sharing two years ago, with Hong Kong Productivity Council serving as the Programme Manager. This partnership programme, with the code name “Cybersec Infohub”, enables the more efficient and effective sharing of security information across different sectors in Hong Kong, with an ultimate aim to enhance the overall capability of the society to combat cyber threats. At present, the Programme has about 260 member-organisations with over 800 representatives, from a wide range of sectors such as finance and insurance, public utilities, transport, healthcare, telecommunications, innovation and technology, information security and tertiary education institutions. The newly joined members include some 90 banks, with the coordination of the Hong Kong Association of Banks.

In view of the positive feedback from the community, we will formalise the partnership programme starting from the first of September. We will collaborate with the Hong Kong Internet Registration Corporation Limited (or HKIRC in short) to steer and run the partnership programme on an on-going basis. With the vast membership base of HKIRC and its more and more prominent role in cyber security in Hong Kong, such collaboration will create synergy, and more organisations will join the partnership programme and benefit from it. You are cordially invited to participate in this programme to exchange with other professional security experts, or even just to learn the best practice and practical tips from them.

Third, prevention. To cope with the epidemic, many organisations have arranged for their employees to work from home in order to reduce the risks of infection. Different technologies such as virtual private network and video conferencing are more commonly adopted than ever before to enable users to continue their office work from different locations. Nevertheless, organisations and their employees should be vigilant against potential threats, and put in place proper preventive measures, for example keeping computers secure with the latest security patches, using secure connection channels, protecting remote access accounts using strong passwords or better still two-factor authentication, encrypting sensitive data, and watching out for suspicious participants in virtual meetings.

In the face of rapid technological advancement, we should always stay vigilant against cyber security threats. While the Government will continue to promote awareness and help strengthen the cyber security of the community as a whole, the contributions you make towards protecting your organisations in your capacity as security experts will remain indispensable. I wish you all an inspirational and fruitful summit today. Stay Safe! Stay Healthy! And Stay Connected! Thank you.

- ENDS -