Cybersecurity Essentials for Hong Kong SMEs

The Growing Cyber Threat to SMEs

SMEs are increasingly targeted by cybercriminals precisely because they often lack the security infrastructure of larger organisations. Business email compromise (BEC) scams, ransomware attacks, and phishing remain the most prevalent and financially damaging cyber threats facing Hong Kong businesses.

Common Cyber Threats

Business Email Compromise (BEC)

BEC scams involve attackers impersonating a senior executive, supplier, or business partner via email to trick employees into making fraudulent fund transfers. Losses from BEC in Hong Kong have reached hundreds of millions of HK dollars annually. Key warning signs: payment instructions arriving by email alone, requests to change supplier bank account details, and pressure for urgency or secrecy. The sending address deserves as much scrutiny as the message text: attackers commonly register a lookalike of the genuine supplier's domain, or send from a compromised or free webmail account with a Reply-To address that diverts replies to them, while keeping a familiar display name.
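The warning signs above can be checked mechanically before a payment email ever reaches a finance inbox. The following is an added example written for this page, not part of the original article: it parses a message, flags the textual indicators (bank-account change, payment instruction, urgency, secrecy) together with two header anomalies (a Reply-To domain that differs from the From domain, and a From domain within a small edit distance of a known supplier domain), and returns a verdict of "hold" when the mail must be confirmed by telephone. The supplier domain list, the regular expressions, the thresholds and both sample messages are constructed for illustration; a real deployment would take the domain list from the accounts-payable system and run the check as a mail-flow rule.

```python
"""Screen an inbound email for the BEC warning signs described above.

Added example for this page (not the article's own material). The supplier
domain list, scoring rules and the two sample messages are constructed.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed: domains of suppliers the business actually pays.
KNOWN_SUPPLIER_DOMAINS = {"taiwanparts.example", "hkmetals.example"}

# Textual indicators, each mapped to a flag name. Patterns are illustrative.
INDICATORS = {
    # "new/updated/changed ... bank/account/beneficiary": the bank-change request.
    "bank_account_change": re.compile(
        r"\b(new|updated?|changed?)\b.{0,40}?\b(bank|account|beneficiary|iban|swift)\b",
        re.I | re.S),
    "payment_instruction": re.compile(
        r"\b(wire|transfer|remit|pay(ment)?s?|invoice)\b", re.I),
    "urgency": re.compile(
        r"\b(urgent(ly)?|immediately|today|asap|before (close|end) of business)\b", re.I),
    "secrecy": re.compile(
        r"\b(confidential|do not (discuss|tell|mention)|keep this (between|quiet)|discreet(ly)?)\b",
        re.I),
}


def levenshtein(a, b):
    """Edit distance; one swapped letter or an extra hyphen is a typical lookalike."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_domain(domain):
    """Return the known supplier domain that `domain` imitates, or None."""
    if domain in KNOWN_SUPPLIER_DOMAINS:
        return None
    for known in KNOWN_SUPPLIER_DOMAINS:
        if levenshtein(domain, known) <= 2:
            return known
    return None


def _domain(addr_header):
    _, addr = parseaddr(addr_header or "")
    return addr.rpartition("@")[2].lower()


def _text(msg):
    if not msg.is_multipart():
        return msg.get_payload()
    return "\n".join(p.get_payload() for p in msg.walk()
                     if p.get_content_type() == "text/plain")


def score_message(raw):
    """Return the list of warning-sign flags raised by one RFC 5322 message."""
    msg = message_from_string(raw)
    text = (msg.get("Subject") or "") + "\n" + _text(msg)
    flags = [name for name, rx in INDICATORS.items() if rx.search(text)]
    from_domain = _domain(msg.get("From"))
    reply_domain = _domain(msg.get("Reply-To"))
    # Replies silently diverted to an address the attacker controls.
    if reply_domain and reply_domain != from_domain:
        flags.append("reply_to_mismatch")
    imitated = lookalike_domain(from_domain)
    if imitated:
        flags.append("lookalike_domain:" + imitated)
    return flags


def verdict(flags):
    """'hold' = do not act on the email; confirm by telephone on the number
    already on file (never one quoted in the message) before paying."""
    if "bank_account_change" in flags or any(f.startswith("lookalike_domain") for f in flags):
        return "hold"
    return "hold" if len(flags) >= 2 else "pass"


# Constructed sample messages: a routine invoice and a bank-change fraud attempt.
LEGIT = """\
From: "Taiwan Parts Ltd" <accounts@taiwanparts.example>
To: finance@hk-trader.example
Subject: Invoice 4471 for March shipment

Attached is invoice 4471 for the March shipment. Payment terms are 30 days,
as usual.
"""

FRAUD = """\
From: "Taiwan Parts Ltd" <accounts@taiwamparts.example>
Reply-To: accounts.taiwanparts@webmail.example
To: finance@hk-trader.example
Subject: URGENT - updated beneficiary details for invoice 4471

Please note our new bank account details for all future payments (attached).
The transfer must go out today. Please keep this confidential until our audit
is complete, and do not call the office as our phones are being migrated.
"""

if __name__ == "__main__":
    for label, raw in (("legitimate", LEGIT), ("fraudulent", FRAUD)):
        flags = score_message(raw)
        print(f"{label:11s} -> {verdict(flags)} {flags}")
```

The routine invoice raises only the payment-instruction flag and passes; the fraud attempt raises every indicator at once and is held. Note that a single bank-account change or lookalike domain is enough to hold a message on its own, since those are precisely the cases where a telephone call on the number already on file is the only reliable check.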

Ransomware

Ransomware encrypts an organisation's files and demands payment for the decryption key; many groups also steal data before encrypting it and threaten to publish it, so a restored backup does not end the incident. SMEs are particularly vulnerable because they often lack regular offline backups and incident response capabilities. Paying the ransom is not recommended: payment does not guarantee a working decryptor or the deletion of stolen data, and it funds further attacks.

Phishing and Social Engineering

Phishing uses deceptive emails, messages, or websites to harvest login credentials or deliver malware, and it is the usual first step of both BEC and ransomware incidents. Accounting and finance staff are particularly targeted due to their access to financial systems and bank accounts.

Practical Controls for SMEs

  • Multi-factor authentication (MFA): Enable MFA on all email, banking, and cloud service accounts; prefer an authenticator app or hardware security key over SMS codes where the service allows it
  • Regular backups: Follow the 3-2-1 rule (three copies, two different media, one offsite), keep at least one copy offline or otherwise unreachable from the network so ransomware cannot encrypt it, and test restores regularly
  • Patch management: Keep operating systems and software updated, prioritising internet-facing systems such as email, VPN, and remote desktop services
  • Staff training: Regular phishing simulations and security awareness training, plus a simple way for staff to report suspicious messages without blame
  • Supplier verification: Call-back verification protocol for any changes to supplier bank account details, using a telephone number already on file and never one quoted in the email itself

Case Study: BEC Attack Prevention

A Hong Kong import/export company received an email purportedly from its Taiwanese supplier requesting HK$1.2 million be paid to a new bank account. The finance controller, trained to verify payment changes by telephone, called the supplier directly and confirmed no such request had been made — averting the fraudulent transfer. The company subsequently implemented formal written procedures for payment instruction changes, requiring dual authorisation and independent telephone verification.