October 25, 2017 – HONG KONG – Internet Society Hong Kong and Cloud Security Alliance – Hong Kong and Macau Chapter jointly announced the third annual report on “Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey” today. This survey is sponsored by Microsoft Hong Kong.
In the survey, 95% of the SMEs have already established policies towards data security after the launch of Personal Data (Privacy) Ordinance (the “Ordinance”), which is a leap of 40% as compared to that of two years ago. More than 50% of the SMEs believed that cloud security services provided by the Cloud Service Providers (“CSPs”) are reliable; Meanwhile, 45% of the SMEs claimed their CSPs are lacking transparency while handling customers data and information. It is not clear if the data kept on cloud could be deleted or returned after terminating the service contract with the providers. In terms of data privacy standard, 70% of the SMEs are not familiar with cloud security standards, such as ISO/IEC 27017 and ISO/IEC 27018, which reflects SMEs are not able to distinguish which CSPs follow the Ordinance or similar international legislation to protect their personal data.
The survey aims to understand Hong Kong SME’s readiness and application of cloud technologies. With the previous survey revealing the SMEs have already adopted cloud services to varying degrees, which brings to the focus of this year on analyzing SMEs understanding towards CSP’s handling on data and personal information.
Recommendations were made for SMEs to choose their CSPs. The survey was conducted in March 2017 and commissioned the Hong Kong Productivity Council to carry out telephone interviews to SMEs in Hong Kong (corporate size < 100 employees) over the course of three weeks and to review data from the Census and Statistics Bureau. The Council successfully collected 103 survey responses. The research covered major industry sectors in Hong Kong. The survey questionnaire was developed based on the Cloud Security Alliance Cloud Control Matrix international standard with questions adapted to local conditions.
SMEs Has A Higher Level Security Readiness In Overall Data Management And Information Security Systems The survey shows an increase in SMEs overall acknowledgment on data management and information security systems, particularly in physical security management, data privacy management, and incident management. Nearly 70% of the SMEs manage their IT systems with proper access rights and password control, representing an 15% increase when compared to that of 2015.
In addition, over 70% of the SMEs have good understanding of or have implemented data encryption, and over 60% of the SMEs have established their data disposal policy, which is a big jump when compare to none in 2015. Moreover, over 70% of the SMEs have established an Incident Response Plan and Disaster Recovery Plan, with a distinctive growth of 39% and 25% respectively. On the contrary, there is little progress on SMEs system management, with only 30% SMEs implemented a security patch policy, a slightly increase at 7.5%; Meanwhile, it is recorded a 4% decrease in SMEs firewall devices installation to further improve the security.
Mr. Sang YOUNG, Convener, Internet Security and Privacy Working Group, Internet Society Hong Kong, commented, “Comparing the data against with that of the past 2 surveys, we are happy to witness more and more SMEs formulate their data privacy policy, hence demonstrate higher readiness to data security on cloud and are more prepared to handle incidents. However, we see an increasing dependence on third party service provider’s cloud security systems, while a vast amount of SMEs are poor in implementing their security patches policies. We believe the number of SMEs relying on third party service provider’s cloud security service will remain huge, therefore we suggest SMEs to choose cloud service providers based on their transparency, and companies should review their vendor’s security solutions to ensure they are updated from time to time.”
SMEs Could Not Determine Whether CSPs Are Up To International Standard Compared with last year, the survey revealed that SMEs are showing more concern on personal data protection, with most of the companies (95%) claimed they follow the Ordinance from PCPD. However, SMEs are still lacking awareness on how CSPs process with their data, nearly half of the companies (45%) uses CSPs which are not transparent to their users if and when their data would be deleted and returned, and one-fifth of them (20%) do not know if their CSPs will use their data for marketing purpose. In the meantime, 25% of the surveyed SMEs reflected that their CSPs do not follow the Ordinance which raises a significant concern as CSPs are also data processors of the companies.
“SMEs should be clear on the CSP’s policies for data retention and deletion, including when the SMEs unsubscribe from the Cloud services in question. The survey revealed that up to 70% of SMEs are unclear on the international standard of cloud security & privacy, It is recommended that SMEs should look for CSPs which comply with international standards like ISO/IEC 27017 and ISO/IEC 27018 that provide guidelines to CSPs for the protection of Personally Identifiable Information,” commented Mr. Claudius LAM, Chairman of Cloud Security Alliance Hong Kong and Macau Chapter.
“As SMEs may not have the manpower and professional technology knowledge to deal with information security & privacy. With the use of reliable enterprise level CSP which in line with international standard, not only can overcome the deficiency, SMEs can also enjoy an enterprise level data privacy protection which ensure compliance with all relevant regulations at an affordable price”, said Mr. Fred SHEU, National Technology Officer of Microsoft Hong Kong Limited. “Microsoft is dedicated to help SMEs to leverage IT and enhance their competitiveness. The survey showed that more than 40% of Hong Kong SMEs will give priority to Microsoft Azure as their CSP. We will continue to invest and provide a more flexible and comprehensive cloud services to help local enterprises protect their data and assets effectively.”
For the full report, click HERE
Photo shows: (From left) Claudius LAM, Chairman of Cloud Security Alliance Hong Kong & Macau Chapter, Sang YOUNG, Convener, Internet Security and Privacy Working Group, Internet Society Hong Kong, and Fred SHEU, National Technology Officer of Microsoft Hong Kong Limited, announces the results of the Hong Kong Small and Medium-sized Enterprises (SMEs) Cloud Adoption, Security & Privacy Readiness Survey.
CSA Hong Kong and Macau Chapter 