Quann survey: 44% of HK companies do not put IR plans into practice

Almost half (44%) of companies in Hong Kong are ill-prepared for cyberattack incidents as they do not have an incident response (IR) plan in place to protect their corporate network and critical data, according to a joint survey released this week by managed security services provider Quann and research firm IDC. Furthermore, the survey showed that only 20% of them practice their IR plan.

The inaugural Quann IT Security End User Study 2017, covering 150 senior IT professionals from medium-to-large companies based in Singapore, Hong Kong and Malaysia, aims to understand the cybersecurity strategies of these organizations as well as their preparedness and vulnerability to cyberattacks.  

“The findings are worrying but they don’t come as a surprise. Many companies are simply not investing enough in IT security, despite the obvious threats. The lack of investment in security infrastructure, professional services and employee training makes them extremely vulnerable,” said Foo Siang-tse, managing director, Quann.

He added the recent WannaCry and Petya ransomware incidents are just the tip of the iceberg.

“Companies need to recognize that having a comprehensive security plan, comprising detection systems, robust processes and equipped individuals, is critical in enabling them to detect threats early and mitigate their impact,” Foo said.

The survey showed nearly all corporate respondents (95%) are in the early stages of security preparedness.

Lack of adequate security features to monitor and detect cyber attacks

While basic IT security features such as firewall and antivirus are widely deployed by the Hong Kong companies surveyed, more than half (61%) of them do not have Security Intelligence and Event Management Systems to correlate and raise alerts for any anomalies. 

Also, 66% of the Hong Kong respondents do not have a Security Operations Center (SOC) or a dedicated team to proactively monitor, analyse and respond to cyber security incidents that are flagged by the systems.

The lack of proper monitoring systems and processes means that anomalies picked up by security devices will go unattended and malware may reside and cause damage within corporate networks for long periods.

“Companies may consider working with an experienced cyber security partner to design, build and manage a 24/7 on-premise Security Operations Center that can quickly detect threats. Another option is to engage a Managed Security Services Provider (MSSP) that can provide a comprehensive suite of services, including 24/7 monitoring, regular vulnerability assessment and penetration testing and incident response and forensics,” Foo added.

Cyber security not on the board’s agenda

The survey also revealed a low level of engagement from senior leadership in formulating IT security strategies.  Over 80% of Hong Kong respondents consult security executives, but only 12% of them will invite the executives to board meetings and involve them in risk assessment. 

Simon Piff, vice president of IDC Asia/Pacific’s IT Security Practice, said: “Not all C-Suites in Asia are fully conversant with the fundamentals of a robust cyber security strategy and the appropriate investments. Cybersecurity investments are akin to military spending – we do it in the hope that we would never have to use the tools.

“They need to understand that this is not a business ROI with immediate, visible returns. However, the consequences of not taking a proactive approach now could lead to legal disputes, customer dissatisfaction, and even loss of jobs and careers at all levels in the organization.”

